Re: [dns-privacy] [Ext] Threat Model

Warren Kumari <warren@kumari.net> Tue, 05 November 2019 17:21 UTC


On Tue, Nov 5, 2019 at 9:47 AM Paul Wouters <paul@nohats.ca> wrote:

> On Tue, 5 Nov 2019, Warren Kumari wrote:
>
> > $ dig ns a.example.com
> > ;; ANSWER SECTION:
> > a.example.com. 42923 IN NS ns1-dot.nameservers.example.
> > a.example.com. 42923 IN NS ns2.nameservers.example.
> >
> > Now, if you cannot reach ns1-dot.nameservers.example, whether you fall
> > back to ns2.nameservers.example is a matter of client policy /
> > paranoia. As this is an *opportunistic* / better than nothing solution
> > I'd think that falling back makes sense. This really really isn't a
> > replacement for a more secure, downgrade resistant solution (like
> > Paul's), but it *is* an incrementally deployable, opportunistic
> > convention based solution. We could do it while figuring out a better,
> > more secure system...
>
> I guess you need to use ns1-dot and not a TLSA record for
> _853._tcp.ns1-dot.nameservers.example.  because no sane implementation
> of anything would trust unsigned TLSA records. That also says
> something. Opportunistic does not have to mean soft fail.
>
> If you are going to accept a downgrade when under attack, why even
> bother with any signaling using name hacks and just try port 853 on
> all nameservers, and remember the ones that failed and succeeded for a
> little while? Then you truly do not need any coordination between your
> nameserver operators at all, for those who depend on secondaries that
> they do not control the software of.


Because then I need to probe them on 853 and wait N before trying on port
53, or I will only get any sort of protection for name-servers which I’ve
spoken to recently enough that I have them in cache — that works for e.g.
ns1.google.com, but not ns0.nohats.ca

W



>
> Paul
>
-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf
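As an added illustration (not code from the thread or either participant), a toy model of the two opportunistic DoT-to-authoritative selection policies argued over above: the "-dot" name-hack signal with client-policy fallback, and the probe-port-853-everywhere-and-remember approach. The `DOT_MARKER` rule (first label ends in "-dot") and the `PROBE_MEMORY` window are assumptions made for the example.

```python
# Toy model of the two opportunistic DoT-to-authoritative policies from the
# thread. Added illustration; DOT_MARKER and PROBE_MEMORY are assumptions.

DOT_MARKER = "-dot"   # assumed convention: first label ends in "-dot"
PROBE_MEMORY = 3600   # assumed seconds a probe result is remembered


def advertises_dot(ns: str) -> bool:
    """True if the nameserver name signals DoT via the '-dot' label suffix."""
    first_label = ns.rstrip(".").split(".")[0]
    return first_label.endswith(DOT_MARKER)


class ProbeCache:
    """Remembers, per nameserver, whether port 853 worked and when we learned it."""

    def __init__(self):
        self.results = {}  # ns -> (reachable_on_853, timestamp)

    def remember(self, ns, reachable, now):
        self.results[ns] = (reachable, now)

    def lookup(self, ns, now):
        """Return True/False if known recently enough, else None (must probe)."""
        entry = self.results.get(ns)
        if entry is None or now - entry[1] > PROBE_MEMORY:
            return None
        return entry[0]


def plan_name_hack(nameservers, fallback=True):
    """Attempt order under the name-hack convention: DoT servers on 853 first,
    then (only if client policy accepts the downgrade) every server on 53."""
    plan = [(ns, 853) for ns in nameservers if advertises_dot(ns)]
    if fallback:
        plan += [(ns, 53) for ns in nameservers]
    return plan


def plan_probe(nameservers, cache, now):
    """Attempt order under probe-everything: a server with no fresh probe
    result costs an 853 attempt plus a wait before 53; fresh results skip it."""
    plan = []
    for ns in nameservers:
        known = cache.lookup(ns, now)
        if known is None:
            plan += [(ns, 853), (ns, 53)]   # unknown: probe, then fall back
        else:
            plan.append((ns, 853 if known else 53))
    return plan
```

The probe plan shows the cost Warren describes: a nameserver not seen within `PROBE_MEMORY` always pays the 853 probe and wait, while the name-hack plan needs no per-server memory but only protects servers whose operators adopted the naming convention.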