Re: [dns-privacy] [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]
Paul Wouters <paul@nohats.ca> Sun, 24 May 2020 17:43 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7AD83A0C47 for <dns-privacy@ietfa.amsl.com>; Sun, 24 May 2020 10:43:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id toWcuHPhNTw4 for <dns-privacy@ietfa.amsl.com>; Sun, 24 May 2020 10:43:34 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ECB283A0C4A for <dns-privacy@ietf.org>; Sun, 24 May 2020 10:43:33 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 49VSJ15dRtzLc3; Sun, 24 May 2020 19:43:29 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1590342209; bh=eWl7wq8zOicdJNDoIKDjKm0DtYCFvddeMTLBhEEx1XA=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=NKLcuTWlIs5hA/YvIjYqND/vewvxCAieyeOTtF1MN3MXM4tVMPsTRXAZr630rb78F kAQKuN1GTaSFk7kjtSozatkL7RCHNiBwdjNXcZ1O+oFKMSVaWzS8tVpX6aNYqSzZNp Bj6ChEnbPfzHDZFvePsT6Eibq1rOWHY1NPhHziBc=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id 6qks56jI4HiM; Sun, 24 May 2020 19:43:27 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Sun, 24 May 2020 19:43:27 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id CA9A06029BA2; Sun, 24 May 2020 13:43:26 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id C6D7766B7C; Sun, 24 May 2020 13:43:26 -0400 (EDT)
Date: Sun, 24 May 2020 13:43:26 -0400
From: Paul Wouters <paul@nohats.ca>
To: Peter van Dijk <peter.van.dijk@powerdns.com>
cc: dns-privacy@ietf.org
In-Reply-To: <ec6bc9248179a9ab56ea490f82b14c7e90ffe819.camel@powerdns.com>
Message-ID: <alpine.LRH.2.21.2005241222410.4172@bofh.nohats.ca>
References: <158987990316.29446.4343920282978207647@ietfa.amsl.com> <a15e2d1df86820f2483516662d3712d8a60161cd.camel@powerdns.com> <alpine.LRH.2.21.2005191134560.13722@bofh.nohats.ca> <ec6bc9248179a9ab56ea490f82b14c7e90ffe819.camel@powerdns.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/TudGm4sEl33fZbDSgmleAfD9FVo>
Subject: Re: [dns-privacy] [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 May 2020 17:43:38 -0000
On Sat, 23 May 2020, Peter van Dijk wrote: > As I remarked in my reply to Jeremy, I spent quite some time thinking > about how to do the signalling&pinning with actual TLSA records, but I > never ended up with a satisfactory solution. But I don't think your current solution is satisfactory either. It is basically the same thing we told djb about dnscurve - you cannot abuse an RRtype for something else. Whether you put a pubkey in the NS record LHS, or a TLS key inside a DNSKEY - you are abusing the RRtype system. But I also don't see the gains of abusing DNSKEY, because you already need to query the DNSKEY of the domain to get the pesudeo-DNSKEY key, and then you already lost your privacy. I think it is worth it to take a step back and consider what we are trying to protect here. If we are trying to prevent someone from seeing I am going to go to nohats.ca, then revealing I'm querying for the DNSKEY RRset for nohats.ca means we already failed. So I'm going to define DNS privacy as "Prevent leaking information that I am going to domain XXXX". It hardly matters what we query of domain XXXX. The content of the A record is not the loss of privacy. The loss of privacy is that we were trying to go to domain XXXX. Let's assume we can connect to the .ca nameservers securely and privately. We query for nohats.ca. If there is no DS, all bets are off as the child cannot signal anything to us securely. If there is a DS, we also got NS records, and possibly A/AAAA glue. In the case of getting A/AAAA glue, we can connect using DoT if we knew this was an option (eg signaled in the DS record). In the case of getting only NS records, we would have to securely and privately look up those records first. Let's say we get ns.example.com and no glue, we go through another iteration of this until we get A/AAAA glue and can connect using DoT if the DS record could have signaled this. If the DS record somehow conveyed "yes you can do DoT", you can now connect to that IP on port 853 and send your query. We still need to authenticate this TLS channel. Conveying that you can do DoT using DS can only really be done by overloading the record type. I don't like it, but the other other choice we have to opportunistically just try port 853, and in 20 years perhaps we can shut down port 53 like we are now getting ready to shut down port 80. The opportunistic part is tricky, because it does allow an attacker to RST/filter your 853 connection and downgrading you to plaintext - where as if we signal this in the DS record, we could prevent downgrade and hard fail if privacy is that important to us that we prefer not to connect over leaking that we are trying to connect. If we don't want to hard fail, then I think we should just drop this draft and use opportunistic. If we want to offer hard fail, then some draft is still useful. I would use the keytag record set to 0 to mean this DS record is not a real DNSKEY but "something else". Whether you need anything else is debatable. You could use the digest field to stuff in a public key. Then you can connect to the nameserver, and presuming that it is a large DNS hoster like godaddy, you could verify the TLS connection before sending your first nohats.ca related query. You can optimize this with False Start, Session Resumption, etc. At the child, you can leave a CDS record of the identical special DS record at the parent, as cryptogrpahic proof that the special DS record for DoT at the parent was actually something the child wanted its parent to publish. Again, this would require another round trip to confirm that the parent wasn't sending you to a rogue nameserver. But at least you are ensured the parent isn't running a global TLS MITM nameserver that logs and forwards all queries. No additional pseudo-DNSKEYs are needed. In your draft, you cannot connect with privacy until you obtain the base64 encoded TLS key embedded in the DNSKEY RRset. I'm saying this is too late - you already revealed the only important bit of information, that you are trying to visit "nohats.ca". There might be exceptions, like subdomain.wordpress.com or subdomain.livejournal.com but in 99% of the cases, the domain name itself is the valuable information to keep private. > Also, as Petr pointed out, our DNSKEY/DS-based proposal does not > involve additional queries and thus roundtrips; as far as I can > imagine, anything using TLSA would need extra queries. I don't believe a working solution cannot be allowed to introduce an extra roundtrip. With the amount of CNAME's splattered all over the world, I think trying to hack around avoiding a roundtrip is not worth it. Especially for DNSKEY/DS records, which should not have TTL=1 and are happilly cached for extended periods of time. As I pointed out above. If you want to protect losing privacy to a rogue parent, a number of additional roundtrips are required anyway. Saving one of them isn't worth creating pseudo-DNSKEY records for. Paul
- [dns-privacy] [Fwd: New Version Notification for … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Mikael Abrahamsson
- Re: [dns-privacy] [Fwd: New Version Notification … Jeremy Harris
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Petr Špaček
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Christian Huitema
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Ondřej Surý
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Ben Schwartz
- Re: [dns-privacy] [Fwd: New Version Notification … Petr Špaček
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Ben Schwartz
- Re: [dns-privacy] [Fwd: New Version Notification … Tony Finch
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Ben Schwartz
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Stephen Farrell
- Re: [dns-privacy] [Fwd: New Version Notification … Petr Špaček
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Shumon Huque
- Re: [dns-privacy] [Fwd: New Version Notification … Eric Rescorla
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Eric Rescorla
- Re: [dns-privacy] [Fwd: New Version Notification … Ben Schwartz
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Petr Špaček
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Tony Finch
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Christian Huitema
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- [dns-privacy] re-evaluation of the draft, was Re:… Paul Wouters
- Re: [dns-privacy] re-evaluation of the draft, was… Robin Geuze
- Re: [dns-privacy] re-evaluation of the draft, was… Shumon Huque
- Re: [dns-privacy] re-evaluation of the draft, was… Peter van Dijk
- Re: [dns-privacy] re-evaluation of the draft, was… Shumon Huque
- Re: [dns-privacy] NS names, was re-evaluation of … John Levine
- Re: [dns-privacy] NS names, was re-evaluation of … Shumon Huque
- Re: [dns-privacy] re-evaluation of the draft, was… Paul Wouters
- Re: [dns-privacy] NS names, was re-evaluation of … Christian Huitema
- Re: [dns-privacy] re-evaluation of the draft, was… Peter van Dijk
- Re: [dns-privacy] NS names, was re-evaluation of … Shumon Huque
- Re: [dns-privacy] NS names, was re-evaluation of … Paul Wouters
- Re: [dns-privacy] NS names, was re-evaluation of … Shumon Huque
- Re: [dns-privacy] NS names, was re-evaluation of … Bill Woodcock
- Re: [dns-privacy] NS names, was re-evaluation of … Shumon Huque
- Re: [dns-privacy] NS names, was re-evaluation of … Bill Woodcock
- Re: [dns-privacy] NS names, was re-evaluation of … John R Levine
- Re: [dns-privacy] NS names, was re-evaluation of … Brian Dickson
- Re: [dns-privacy] bootstrapping NS names, was re-… John Levine
- Re: [dns-privacy] bootstrapping NS names, was re-… Brian Dickson
- Re: [dns-privacy] bootstrapping NS names, was re-… John R Levine