Re: [dns-privacy] [Ext] Threat Model

Hugo Connery <hmco@env.dtu.dk> Wed, 06 November 2019 13:03 UTC

From: Hugo Connery <hmco@env.dtu.dk>
To: Paul Wouters <paul@nohats.ca>, Warren Kumari <warren@kumari.net>
CC: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Date: Wed, 06 Nov 2019 14:02:45 +0100

On Tue, 2019-11-05 at 09:47 -0500, Paul Wouters wrote:
> On Tue, 5 Nov 2019, Warren Kumari wrote:
> 
> > $ dig ns a.example.com
> > ;; ANSWER SECTION:
> > a.example.com. 42923 IN NS ns1-dot.nameservers.example.
> > a.example.com. 42923 IN NS ns2.nameservers.example.
> > 
> > Now, if you cannot reach ns1-dot.nameservers.example, whether you fall
> > back to ns2.nameservers.example is a matter of client policy / paranoia.
> > As this is an *opportunistic* / better than nothing solution I'd think
> > that falling back makes sense. This really really isn't a replacement
> > for a more secure, downgrade resistant solution (like Paul's), but it
> > *is* an incrementally deployable, opportunistic convention based
> > solution. We could do it while figuring out a better, more secure
> > system...
> 
> I guess you need to use ns1-dot and not a TLSA record for
> _853._tcp.ns1-dot.nameservers.example. because no sane implementation
> of anything would trust unsigned TLSA records. That also says
> something. Opportunistic does not have to mean soft fail.
> 
> If you are going to accept a downgrade when under attack, why even
> bother with any signaling using name hacks and just try port 853 on
> all nameservers, and remember the ones that failed and succeeded for a
> little while? Then you truly do not need any coordination between your
> nameserver operators at all, for those who depend on secondaries that
> they do not control the software of.
> 
> Paul

If the initial goal, as suggested by Stephen, is to deploy an
opportunistic DoT to encourage deployment, then Paul's suggestion
above, which de-couples the recursive and authoritative, seems wise.

This gets "the ball further down the road" while deciding about a
more rigorous solution in which recursive resolvers attempt to honour
client policy (do fallback, don't fallback, etc.) and how authoritatives
advertise their DoT service is developed.

Regards,
-- 
Hugo Connery, Head of IT, Dept. Environmental Engineering
Technical University of Denmark, http://www.env.dtu.dk
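The resolver-side behaviour Paul sketches above (try port 853 on every nameserver, remember which ones failed or succeeded for a little while, and let client policy decide whether a cleartext fallback is allowed), written out as an added example that is not code from the thread or from any resolver. The probe and query functions are simulated stand-ins so the block runs offline; the one-hour memory window and the nameserver names from Warren's dig output are assumed sample values.

```python
PROBE_MEMORY_SECS = 3600  # assumed: remember a probe outcome for one hour

# Constructed sample reflecting the dig output quoted in the thread:
# ns1-dot listens on 853, ns2 does not.
NAMESERVERS = ["ns2.nameservers.example", "ns1-dot.nameservers.example"]
SIMULATED_DOT_SUPPORT = {"ns1-dot.nameservers.example": True,
                         "ns2.nameservers.example": False}


def make_simulated_probe(log):
    """Stand-in for a TLS handshake to port 853; appends each probed NS to `log`."""
    def probe_853(ns):
        log.append(ns)
        return SIMULATED_DOT_SUPPORT.get(ns, False)
    return probe_853


def simulated_query_53(ns):
    """Stand-in for a cleartext query on port 53; assumed always reachable."""
    return True


class DotProbeCache:
    """Per-nameserver memory of the last port-853 outcome, with an expiry."""
    def __init__(self):
        self.entries = {}  # ns -> (supports_dot, expires_at)

    def lookup(self, ns, now):
        hit = self.entries.get(ns)
        if hit is None or hit[1] <= now:
            return None  # unknown or stale: probe again
        return hit[0]

    def remember(self, ns, ok, now):
        self.entries[ns] = (ok, now + PROBE_MEMORY_SECS)


def resolve_opportunistic(nameservers, probe_853, query_53, cache, now,
                          allow_fallback=True):
    """Pick (transport, ns) for one query; raise if policy forbids cleartext."""
    for ns in nameservers:
        known = cache.lookup(ns, now)
        if known is None:  # no fresh memory: try 853 once and remember the result
            known = probe_853(ns)
            cache.remember(ns, known, now)
        if known:
            return ("dot", ns)
    if not allow_fallback:  # hard-fail policy: never downgrade to cleartext
        raise RuntimeError("no nameserver reachable over DoT; fallback disallowed")
    for ns in nameservers:  # soft-fail policy: opportunistic, better than nothing
        if query_53(ns):
            return ("do53", ns)
    raise RuntimeError("no nameserver reachable at all")
```

With the soft-fail default the resolver still talks cleartext when no nameserver answers on 853, which is exactly the downgrade Paul points out; passing `allow_fallback=False` is the "opportunistic does not have to mean soft fail" variant.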