IETF Logo Mail Archive

Re: [dns-privacy] Authentication in draft-ietf-dprive-opportunistic-adotq

Paul Wouters <paul@nohats.ca> Mon, 15 February 2021 23:23 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58D9B3A12E3 for <dns-privacy@ietfa.amsl.com>; Mon, 15 Feb 2021 15:23:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K7hDRywHmBy4 for <dns-privacy@ietfa.amsl.com>; Mon, 15 Feb 2021 15:23:31 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C8BC3A12E1 for <dprive@ietf.org>; Mon, 15 Feb 2021 15:23:31 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4DfgC53GN1zD6Q; Tue, 16 Feb 2021 00:23:29 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1613431409; bh=cKs0+7Fsf0e7m3vaP2XbIiQR53nlb8pfUw8JuEhOJG4=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=jnfVPzozZ3FTXXHfjGlJYomd/bFPubqdHOxYfbd+T/MchIQyErQSGBBON1DqfQi4d h2DwTtj+AGVPfoQlEpPyvCB9XTbCLuigmvRBp/h4lg2rNKbAbkUe/M5rqawGwYYaXN rQrqgns0apkZedWA0Ua3h57vKKBZb+HWquxIL0gE=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id qbM0ob24g7_i; Tue, 16 Feb 2021 00:23:28 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 16 Feb 2021 00:23:28 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id E72246029AF9; Mon, 15 Feb 2021 18:23:26 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id DE14866B1E; Mon, 15 Feb 2021 18:23:26 -0500 (EST)
Date: Mon, 15 Feb 2021 18:23:26 -0500
From: Paul Wouters <paul@nohats.ca>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
cc: Eric Rescorla <ekr@rtfm.com>, Paul Hoffman <paul.hoffman@icann.org>, "dprive@ietf.org" <dprive@ietf.org>
In-Reply-To: <fd132f9d-630e-112d-d777-0e6a7a767e84@cs.tcd.ie>
Message-ID: <ff1e6d9-6e66-dadf-2847-3e071b34618@nohats.ca>
References: <230F580F-BA87-4921-B45B-2909ACE385B1@icann.org> <CABcZeBPcBT0UY-ghaMm_nN+qZ+B0ozmCfK30XX-R05z+PLtqmQ@mail.gmail.com> <137b74ff-887f-056a-74e3-7a80358b5156@cs.tcd.ie> <CABcZeBMyULUznkCVzxb6ufCx1XaT1zKx0jLLwxXhL7hRwMkv+A@mail.gmail.com> <fd132f9d-630e-112d-d777-0e6a7a767e84@cs.tcd.ie>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/UiqtGstHv4g5MH2qNrmEpsTBsBg>
Subject: Re: [dns-privacy] Authentication in draft-ietf-dprive-opportunistic-adotq
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Feb 2021 23:23:33 -0000

On Mon, 15 Feb 2021, Stephen Farrell wrote:

>>  - We invent some mechanism that allows you to specify in an NS record that
>>  the server takes TLS (as a hacky example, "servers have to be named
>>  <some-sentinel>.example.com").
>
> Wasn't exactly that proposed but shot down already (for
> DNS, not crypto, reasons)? Maybe I'm recalling wrong. I did
> kinda like it mind - the hackiness appeals a bit to me:-)

I think it was shot for many reasons. One of them being that a signal
for encrypted transport is not a per-domain property but a per-ns
property.

Here is a different sentinel:

_53._dns.ns0.example.com. IN TLSA x y z <base64ofCert>

Then do (D)TLS

Now you can choose:

1) Use DNS(SEC) for validation
2) Use WebPKI[*] for validation
3) TOFU
4) Take at face value

Of course, this runs into issues we talked about before. Revealing a
query for ns0.nohats.ca already loses privacy unless you are centralized
at godaddy. But even if you didn't leak anything, doing encrypted "stuff"
to the IP of ns0.nohats.ca itself already gives all of that away too.

Then we also talked about untrustworthy parents, which are an even bigger
concern for unauthenticated connections.

Then we also talked about TTLs needed for verification of parental glue
at the child and facilitating dnssec transparency on the DS record.

The key point I want to make here is that you need to faciliate
authenticated encryption even if you want to say "but since that is
too difficult/hard/slow for now, you could skip the authentication".

This means you _first_ need to specify how to do the authenticated
version before you start specifying the un-authenticated version. If you
don't do this, what you end up with is a resolver with two independent
mechanisms. It is then forced to first initiate the authenticated attempt,
upon some kind of failure, tries to do the unauthenticated (but completely
different) approach. And it cannot even do this in parallel because then
the authenticated method is downgraded from a privacy loss point of view
to the unauthenticated method - since once you send the DNS query
through the channel, you have given away all the information you were
protecting to begin with.

Paul W
[*] well, it's really trusting only LetsEncrypt CA[**]
[**] Which depends on insecure DNS records for authentication, so
      in reality you need DNSSEC or WebPKI is just reduced to TOFU

v2.23.0 | Report a Bug | By Email