Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement
Sara Dickinson <sara@sinodun.com> Tue, 31 October 2017 15:07 UTC
Return-Path: <sara@sinodun.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FBAB13F752 for <dns-privacy@ietfa.amsl.com>; Tue, 31 Oct 2017 08:07:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SbiLqzuzvqhs for <dns-privacy@ietfa.amsl.com>; Tue, 31 Oct 2017 08:07:13 -0700 (PDT)
Received: from balrog.mythic-beasts.com (balrog.mythic-beasts.com [IPv6:2a00:1098:0:82:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0ACB313F75B for <dns-privacy@ietf.org>; Tue, 31 Oct 2017 08:06:23 -0700 (PDT)
Received: from [2001:b98:204:102:fffa::14b4] (port=56885) by balrog.mythic-beasts.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.89) (envelope-from <sara@sinodun.com>) id 1e9Y7Q-0002hx-BD; Tue, 31 Oct 2017 15:06:20 +0000
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Sara Dickinson <sara@sinodun.com>
In-Reply-To: <alpine.LRH.2.21.1710301539500.31082@bofh.nohats.ca>
Date: Tue, 31 Oct 2017 15:06:16 +0000
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, dns-privacy@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <7709D3C3-D879-421B-B81A-7908F521B9D5@sinodun.com>
References: <878tfwey8w.fsf@fifthhorseman.net> <73F186C6-1F35-40B0-8C36-D4F011D11344@sinodun.com> <871slkd66k.fsf@fifthhorseman.net> <alpine.LRH.2.21.1710301539500.31082@bofh.nohats.ca>
To: Paul Wouters <paul@nohats.ca>
X-Mailer: Apple Mail (2.3273)
X-BlackCat-Spam-Score: 4
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/RWeHHzaBFb8CUdif2a0Wf1l9KYk>
Subject: Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Oct 2017 15:07:15 -0000
So here is an example of how Stubby works today. It has separate settings for Transports(UDP/TCP/TLS), Usage profile and DNSSEC. The relevant DNSSEC options are: - dnssec_return_status - blocks BOGUS answers, returns all others with status information (secure vs insecure vs indeterminate) - dnssec_return_only_secure - does what is says on the tin where ‘dnssec_return_status’ is obviously what we recommend if you want DNSSEC. If I have stubby configured like that then connecting to a DNS server with a BOGUS A record just because I’m in opportunistic privacy mode seems questionable. So maybe “A DNSSEC validating client SHOULD apply the same validation policy to the A/AAAA meta-query lookup as it does to other queries.”? Sara. > On 30 Oct 2017, at 20:04, Paul Wouters <paul@nohats.ca> wrote: > > On Mon, 30 Oct 2017, Daniel Kahn Gillmor wrote: > >> Date: Mon, 30 Oct 2017 11:08:35 >> From: Daniel Kahn Gillmor <dkg@fifthhorseman.net> >> Cc: dns-privacy@ietf.org >> To: Sara Dickinson <sara@sinodun.com> >> Subject: Re: [dns-privacy] review of >> draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC >> validation requirement >> On Mon 2017-10-30 13:11:41 +0000, Sara Dickinson wrote: >>> I really do think a description there of the trade-offs of DNSSEC >>> validation are warranted >> >> I agree that a discussion of the tradeoffs involved in DNSSEC validation >> of the opportunistic meta-query is warranted. I just come to a >> different conclusion than the requirements in draft-11. > > If a client allows multiple type of profiles, then DNSSEC might not be > needed to reach a pre-configured Strict profile with a trust anchor. > Then the decision to be made is, if that Strict profile is unavailable, > does that make the current network hostile enough to not use it? And if > no strict profile is configured, well then anyting is better then > nothing. > >>> if it ends up just being a MAY (although I would like to see SHOULD as >>> a minimum for opportunistic). >> >> SHOULD validate, but with what failure mode? are we really saying that >> opportunistic SHOULD deliver a DoS instead of a loss of privacy? I >> discuss a few optional responses for failures in opportunistic mode >> below. > > If talking about the meta query, see above. If talking about DNSESC > validation for the actual content queries, I think it should be > considered that anything not properly supporting DNSSEC is an active > attack against the user, and I would be okay with a hard fail. > >> The cheapest and simplest implementation in terms of user experience to >> get to verifiable opportunistic profile (that is, a profile that can at >> least report that DNS privacy has been achieved, even if it won't be >> enforced) seems to be: > > I thought "opportunistic" meant "do not report to the user" so as to > guarantee that the user is still thinking they are in the realm of "not > private" even if there is encryption happening, because without a trust > anchor, the user cannot know if this opportunistic party is privacy > preserving? > >> or, converts success to failure in the case of DNSSEC misconfiguration >> (because the connection would otherwise have succeeded) :( > > A dnssec failure is no different then a certificate failure, and > browsers are now doing something really close to hard fail on those now. > >>> I’d disagree that connecting to a server for which the meta-query >>> response failed DNSSEC validation results in _just_ a loss of privacy >>> for Opportunistic in this case. If the answer was BOGUS then it seems >>> reasonable to assume the server is not legitimate and so connecting >>> also results in the clients' entire DNS service being controlled by >>> the attacker. > > I guess I see two different opportunistic cases. One where you find > a DNS server, get to an IP and/or public key, use DNSSEC to confirm the > key/name in the public real DNS (via that server) and protected with > DNSSEC. For instance, a coffeeshop chain could do so, and if it links to > say publicdns.starbucks.com then you have some confidence then the local > instance of the coffeeshop cannot see your traffic. And then there is > the opportunistic case where you simply will never find out the > identity, and where you just assume the provider could be the attaker. > > I feel those two user cases are different. The first one, I could decide > not to use my local starbucks when it starts to fail using the chain's > configured DNS server. The second case I know I'm giving my privacy to > someone who could be malicious, but I still prefer that over not using > their DNS. (although in practise, my guess is as soon as google DNS > supports TLS, everyone will have at least one Strict profile with their > key and never use an opportunistic profile. > >>> Take the case where the DNS server from DHCP really is legitimate. The >>> fact that the meta-query answer _could_ be spoofed provides a vector >>> for an opportunistic client to be directed to an attackers' DNS >>> server. Note that this attack is not possible on a ’normal’ client >>> that directly uses the DHCP provided server, the attacker has to >>> attack each individual query. My concern here is that without DNSSEC >>> validation of the re-direct Opportunistic clients have an additional >>> risk of this kind of attack than ’normal’ ones. >> >> ok, i think i understand. The concern is that a non-network-controlling >> attacker who can spoof DNS responses but can't spoof DHCP responses can >> now take over full DNS resolution of opportunistic clients just by >> racing (and winning) the legitimate metaquery response. > > I think that's really rare now. Most "shared wifi" solutions constrain the > clients and prevent them from talking to each other. In the coffeeshop > the customers cannot see my laptop, but the coffeeshop owner can. > > Paul > > _______________________________________________ > dns-privacy mailing list > dns-privacy@ietf.org > https://www.ietf.org/mailman/listinfo/dns-privacy
- [dns-privacy] review of draft-ietf-dprive-dtls-an… Daniel Kahn Gillmor
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Ben Schwartz
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Wouters
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Wouters
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Wouters
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Daniel Kahn Gillmor
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Stephen Farrell
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Sara Dickinson
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Stephane Bortzmeyer
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Hoffman
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Daniel Kahn Gillmor
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Hoffman
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Stephen Farrell
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Sara Dickinson
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Antoine Germanos
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Wouters
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Sara Dickinson
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Hoffman
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Stephen Farrell
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Sara Dickinson
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Sara Dickinson
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Daniel Kahn Gillmor
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Antoine Germanos