Re: [dns-privacy] Requirements for authoritative server preferences
Brian Dickson <brian.peter.dickson@gmail.com> Wed, 04 November 2020 09:11 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 081EE3A0DE0 for <dns-privacy@ietfa.amsl.com>; Wed, 4 Nov 2020 01:11:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OrqQ_euB_9vb for <dns-privacy@ietfa.amsl.com>; Wed, 4 Nov 2020 01:11:08 -0800 (PST)
Received: from mail-ua1-x932.google.com (mail-ua1-x932.google.com [IPv6:2607:f8b0:4864:20::932]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56A453A0DD5 for <dns-privacy@ietf.org>; Wed, 4 Nov 2020 01:11:08 -0800 (PST)
Received: by mail-ua1-x932.google.com with SMTP id 91so5842594uar.5 for <dns-privacy@ietf.org>; Wed, 04 Nov 2020 01:11:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/AcI+Mu12sMEIs3LFINeQmsbmaBvvoDRYCywbLePk3w=; b=PHHI/hlhY+jaTmOkn/TcPvS/rtk3hsYFfFdq9pXjzHWgHsOA2EB/PFWSDpF/Ly2Vf9 yTTJhb5HK4KsQ27lljfYB1BhQJQnNOoUSjkcTERyxqeqzRdhXIVyX1CFpF38A8g6NZWE PVv2E5I8T9XsB+2XLu4elAHoMW7Y+w6J1Wvt3SCX0vUswrtOQB5fAbI5c8/FjntL/fhk KBCyqBz7NWdJZsvzQUd6FN3WAyiJERY+BXZ6mAO1GkTlLRS/mqYHSNcXK1CFfV9EyNNh wYQVaCcMUcrJZsP1t6OuFPJQSoz5cKDbvsWo1Oj5RbxYT1o27VFgSCJV4nAUXSDJrSrS oYJg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/AcI+Mu12sMEIs3LFINeQmsbmaBvvoDRYCywbLePk3w=; b=PRsUWMjk3Z+RnoyC7OspGndYbZdDCON6UxlAhYNGEQye1ow60Kt+wWyxsOrRSEnaUJ j3LJB5zfIPHglNmqhxuu2umTCsgXZ+tQUkwY4Es4iMCBu/z54UJDEb6DRZWRd70tphVH whCC67mZxVg6IXdP63+B8orJpv5Vqaflci92mpDDT0XIkd+Yc0rWOl94g28pjr6lJqyH YPM0FP6qV+YcbWwiIy8MN0HzKDXYSIKKWoNpGyEBvHQONNy5g3/EJyCV5behRd+g/t3t fNFJi4uY+oVsxfa2rHzk9hgQY3tcdqIxz05TWcrpMmbpU1Qq9pKUFNscgaPzWuXx9Jz8 CiVw==
X-Gm-Message-State: AOAM532Soxl/cUAUthyx6LiJPbTpQBI9rkNJQrFD3dkYMKOueJP6cj9W isZULyX7Di7Ni9ei1EALpFif0QmF228rtTtfB1M=
X-Google-Smtp-Source: ABdhPJw2g9SV8KCyPIHaKNuvmuqPs8VlAfEdeP+L4gXnHUkITDPgpyMoUTxiLv2L6fM1C/MZpa3nSFNZUCYpwsG8z40=
X-Received: by 2002:ab0:2606:: with SMTP id c6mr674987uao.62.1604481067255; Wed, 04 Nov 2020 01:11:07 -0800 (PST)
MIME-Version: 1.0
References: <160435765311.18774.16063151114758509438@ietfa.amsl.com> <1E8597EB-C856-4DC9-A42D-8B2142501C7A@icann.org>
In-Reply-To: <1E8597EB-C856-4DC9-A42D-8B2142501C7A@icann.org>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Wed, 04 Nov 2020 01:10:56 -0800
Message-ID: <CAH1iCiqT0NV=YB7zY1tYbVM1W2HcWa8OB-sA=OvBz8qK2MYrkQ@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: DNS Privacy Working Group <dns-privacy@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000100d7e05b3445cca"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/R_niLChA_oEZnipKKNiauPusLwU>
Subject: Re: [dns-privacy] Requirements for authoritative server preferences
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Nov 2020 09:11:11 -0000
On Tue, Nov 3, 2020 at 6:15 PM Paul Hoffman <paul.hoffman@icann.org> wrote: > Greetings again. I really like many of the changes in > draft-ietf-dprive-phase2-requirements-02 and think that it gets closer to > what we want for requirements. One of the requirements seems unnecessary, > however. > > 7. The authoritative domain owner or their administrator MUST have > the option to specify their secure transport preferences (e.g. > what specific protocols are supported). This SHALL include a > method to publish a list of secure transport protocols (e.g. > DoH, DoT and other future protocols not yet developed). > > If the WG does with DoT and/or DoQ, you can discover the server's > capabilities by probing port 853 and TBD-Q, or maybe by finding TLSA > records. There is only a need to "publish" a list of secure protocols if > they include DoH or DoHoQ. No, this is not accurate, and highly misleading. I am not casting aspersions on your intent, merely calling out the correctness of the argument. The prevention of downgrade attacks requires publication of servers capabilities and intents, including prefered or offered protocols. This includes DoT. Counter-argument: an active attacker can force a downgrade by selectively blocking port 853 queries. If the secure transport for DoT is published, this becomes a denial-of-service attack rather than a downgrade attack. Lack of publication converts the blockage to a downgrade attack. There may be multiple authoritative servers in different topological arrangements, so that the attacker is on-path for only some of those servers. In that situation, blocking the port 853 queries to one server would result in the client (resolver) attempting port 853 connections to the other servers (assuming the non-opportunistic client). The existence of clients and servers who both want to do encrypted transport requires that the design accommodate that, notwithstanding the desire for others to be opportunistic in their approach. There is no way to have it both ways. Either strict client-server with no downgrade is supported by the signaling or it is not. The needs of the strict crowd cannot be ignored without failing to reach consensus. The strict requirements do not actually impose any obligation on clients wishing to only do weak opportunistic with no DNSSEC validation or any other non-verification type activity. As you note, there is no way to force a client to validate. I don't believe anyone is saying otherwise. > Also, some folks on this list have already complained about added > complexity of discovery mechanisms. > Please provide pointers or let them speak for themselves. We should be discussing the requirements first, and addressing whether the discovery mechanisms are too complex. Those may in fact be implementation issues that might be addressed without impacting the high level requirements. > > In addition this SHALL include whether a secure transport protocol > MUST always be used (non-downgradable) or whether a secure > transport protocol MAY be used on an opportunistic (not strict) > basis in recognition that some servers for a domain might use a > secure transport protocol and others might not. > > It is impossible for a server to tell whether a resolver is > authenticating, so being able to say "you must authenticate" is kinda just > posturing. The choice of whether or not to connect should always be with > the resolver. Further, if a resolver is using a mechanism that requires > strict authentication, it truly doesn't matter what the authoritative > server has said it wants. > I think you are misreading what this paragraph says. What it really says (or should say) is: A given domain may have multiple authoritative name servers. It may be the case that some of those name servers offer secure transport, and others do not. It may also be the case that some of those name servers do not offer non-secure transport (i.e. regular port 53). The method of publication of availability of secure transport MUST be capable of distinguishing the availability of secure transport on a per-authoritative server basis, and the (un)availability of non-secure transport on a per-authoritative server basis. I.e. ns1.provider-x.net may do DoT only (no port 53), and ns2.provider-y.net may not offer any secure transport (only port 53), and ns3.provider-z.net may offer DoH as well as insecure transport (so port 53 and port 443/DoH). A client may be opportunistic, and choose any of the three, or may choose to only use port 53 (thus only ns2 and ns3). A second client may want to use strict security only, and may support DoT and DoH, and thus use ns1 or ns3. A third client may want to use strict security only, and may only support DoT, and thus use ns1 only. The choice of secure or not is always available to the client. However, any client wishing to use secure-only MUST be able to detect and prevent downgrade attacks. This places more limitations on publication, naturally. The server CAN know that a resolver appears to want to authenticate, if it only offers secure transport and the resolver connects. Not offering port 53 service in both its publication mechanism and in ports that are providing DNS, is an unambiguous way of offering non-downgradable service, should the client want to validate. It matters what the server says it offers, as that is the only way to prevent downgrade attacks from succeeding. > > This whole requirement could be dropped and it would not affect the > security or availability of the desired service. > As Mark A would say, "This is wrong." Well, technically, what the claim should be is regarding privacy, rather than security. But it would still be wrong. The only way to not affect the privacy, is to keep the requirement, and to clarify the positive and negative elements of the publication scheme (i.e. to say yes/no to port 53 in addition to optional yes to other secure transports.). It probably should be more detailed in tying the publication of supported protocols to the name server names (and that the publication point would need to be at or under those names), rather than in any way tied to a zone. It is also worth suggesting that different capabilities can and should require different names, even if the IP address of the server is the same. E.g. ns1-strict-dot.nameserver-zone.example and ns2-insecure.nameserver-zone.example for the same IP, with the former indicating only port 853 should be used, and the latter indicating that only port 53 should be used. Then, the choice could be implemented at a zone level, by using NS records of the former or the latter, as a signal for how that specific zone can be reached by a client (modulo the client's desire to use secure transport if it is available). This is a bit complicated only in that it is multi-dimensional (multiple DNS operators, possibly multiple jurisdictions with restrictions on encryption, plus multiple zones per name server) and has a theoretically large number of possible combinations. However, in practice, any given zone will have a finite (and likely small) number of name servers in its NS set (delegation and/or apex), and tying the signaling on secure transport availability to the name server names is an obvious choice that requires nearly no work or complexity on the resolver. The resolver has a policy that is either "don't want to use any encrypted transport", or "might use it if the first one I check offers it", or "if any secure transports are offered, I won't use anything less than a secure transport". >From that policy, the processing should be extremely deterministic. And, for the most part, by tying the publication to name server names, means that the chances of the information about secure transport not already being cached is inversely proportional to the popularity of the name servers themselves. I.e. the overhead associated this should become noise, based on the log/log relationship on zone/server popularity and query volume. Basically, this isn't difficult at all, IMNSHO. Brian
- [dns-privacy] I-D Action: draft-ietf-dprive-phase… internet-drafts
- [dns-privacy] Requirements for authoritative serv… Paul Hoffman
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-p… Stephane Bortzmeyer
- Re: [dns-privacy] Requirements for authoritative … Stephane Bortzmeyer
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-p… Stephane Bortzmeyer
- Re: [dns-privacy] Requirements for authoritative … Brian Dickson
- Re: [dns-privacy] Requirements for authoritative … Brian Dickson
- Re: [dns-privacy] [Ext] I-D Action: draft-ietf-dp… Paul Hoffman
- Re: [dns-privacy] [Ext] Requirements for authorit… Paul Hoffman
- Re: [dns-privacy] [Ext] I-D Action: draft-ietf-dp… Paul Hoffman
- Re: [dns-privacy] [Ext] Requirements for authorit… Paul Hoffman
- Re: [dns-privacy] [Ext] Requirements for authorit… Eric Rescorla
- Re: [dns-privacy] [Ext] Requirements for authorit… Paul Hoffman
- Re: [dns-privacy] [Ext] Requirements for authorit… Eric Rescorla
- Re: [dns-privacy] [Ext] I-D Action: draft-ietf-dp… Peter van Dijk
- Re: [dns-privacy] [Ext] I-D Action: draft-ietf-dp… Paul Hoffman
- Re: [dns-privacy] [Ext] I-D Action: draft-ietf-dp… Peter van Dijk