Re: [dns-privacy] I-D Action: draft-ietf-dprive-unilateral-probing-00.txt
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 12 April 2022 01:39 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F322F3A1227 for <dns-privacy@ietfa.amsl.com>; Mon, 11 Apr 2022 18:39:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.316
X-Spam-Level:
X-Spam-Status: No, score=-1.316 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=3szwyAh2; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=Mzl3INHO
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wHIj1gVW8OyG for <dns-privacy@ietfa.amsl.com>; Mon, 11 Apr 2022 18:39:14 -0700 (PDT)
Received: from che.mayfirst.org (unknown [162.247.75.117]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A0BB3A121C for <dns-privacy@ietf.org>; Mon, 11 Apr 2022 18:39:14 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1649727549; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=OX2NYoizhaZNW7+xWb/6mJJhGSvlIVsejLG2ddSFO8A=; b=3szwyAh2EfP48YjWXVoQo4subsZj4SR6+6Ue7kmcqTTbPt3g+9HUQl1L1W54DeLTZsmwN +YWe4zmHR57QkfcDA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1649727549; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=OX2NYoizhaZNW7+xWb/6mJJhGSvlIVsejLG2ddSFO8A=; b=Mzl3INHOcbgnTQyFWAcQx87bWrdUTQcKY5/NEc1DrndM0TLmvdhWJ9bCjAYwBwHw7qgfi 2B7HkryjpdSUIUMfodJyoosZYFVg0Au+eL6wM1SdXnwYpt7sOHDWjGlUlfGxc5wGNhRmieP OhEFjQ0VqznJVh0z4PS9vFuBPX5Kb9Yt4I9LYlunYp3Tvz4W2nnyXo9xsSa4yoEUKoyav9c V9rtz4X84qGQhka+smimkgLJmIHaSsYCcDsi9Pmv55hRN0w/NuO+5YYqdu+a5q13xZ7wICj 1buYU/443cAl774Ac7IHEIK3cR8xRhIr8uPOcqAi9f8RZfrpwtQyPYUm77XA==
Received: from fifthhorseman.net (cpe-76-167-129-203.san.res.rr.com [76.167.129.203]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id 6F5A2F9AF; Mon, 11 Apr 2022 21:39:09 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 7694520564; Mon, 11 Apr 2022 18:39:05 -0700 (PDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Christian Huitema <huitema@huitema.net>, Sara Dickinson <sara@sinodun.com>, dns-privacy@ietf.org
In-Reply-To: <2d72d482-5bcf-6dfc-9117-d4e1171f8d9e@huitema.net>
References: <164667566033.16942.15407079409764144071@ietfa.amsl.com> <F923A397-81EA-4C6B-87C9-571168FBE6E1@sinodun.com> <87ilrgkjjs.fsf@fifthhorseman.net> <743bea81-873a-7099-3a6b-e894103a4a85@huitema.net> <87zgksmwf0.fsf@fifthhorseman.net> <2d72d482-5bcf-6dfc-9117-d4e1171f8d9e@huitema.net>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEX+i03xYJKwYBBAHaRw8BAQdACA4xvL/xI5dHedcnkfViyq84doe8zFRid9jW7CC9XBiI0QQf FgoAgwWCX+i03wWJBZ+mAAMLCQcJEOCS6zpcoQ26RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ/tr8E9NA10HvcAVlSxnox6z62KXCInWjZaiBIlgX6O5AxUKCAKbAQIeARYh BMKfigwB81402BaqXOCS6zpcoQ26AADZHQD/Zx9nc3N2kj13AUsKMr/7zekBtgfSIGB3hRCU74Su G44A/34Yp6IAkndewLxb1WdRSokycnaCVyrk0nb4imeAYyoPtBc8ZGtnQGZpZnRoaG9yc2VtYW4u bmV0PojRBBMWCgCDBYJf6LTfBYkFn6YAAwsJBwkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnL0Gwxvypz2tu1IPG+yu1zPjkiZwpscsitwrVvzN3bbADFQoI ApsBAh4BFiEEwp+KDAHzXjTYFqpc4JLrOlyhDboAAPkXAP0Z29z7jW+YzLzPTQML4EQLMbkHOfU4 +s+ki81Czt0WqgD/SJ8RyrqDCtEP8+E4ZSR01ysKqh+MUAsTaJlzZjehiQ24MwRf6LTfFgkrBgEE AdpHDwEBB0DkKHOW2kmqfAK461+acQ49gc2Z6VoXMChRqobGP0ubb4kBiAQYFgoBOgWCX+i03wWJ BZ+mAAkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnfvo+ nHoxDwaLaJD8XZuXiaqBNZtIGXIypF1udBBRoc0CmwICHgG+oAQZFgoAbwWCX+i03wkQPp1xc3He VlxHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaheiqE7Pfi3Atb3GGTw+ jFcBGOaobgzEJrhEuFpXREEWIQQttUkcnfDcj0MoY88+nXFzcd5WXAAAvrsBAIJ5sBg8Udocv25N stN/zWOiYpnjjvOjVMLH4fV3pWE1AP9T6hzHz7hRnAA8d01vqoxOlQ3O6cb/kFYAjqx3oMXSBhYh BMKfigwB81402BaqXOCS6zpcoQ26AADX7gD/b83VObe14xrNP8xcltRrBZF5OE1rQSPkMNy+eWpk eCwA/1hxiS8ZxL5/elNjXiWuHXEvUGnRoVj745Vl48sZPVYMuDgEX+i03xIKKwYBBAGXVQEFAQEH QIGex1WZbH6xhUBve5mblScGYU+Y8QJOomXH+rr5tMsMAwEICYjJBBgWCgB7BYJf6LTfBYkFn6YA CRDgkus6XKENukcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcEAx9vTD3b J0SXkhvcRcCr6uIDJwic3KFKxkH1m4QW0QKbDAIeARYhBMKfigwB81402BaqXOCS6zpcoQ26AAAX mwD8CWmukxwskU82RZLMk5fm1wCgMB5z8dA50KLw3rgsCykBAKg1w/Y7XpBS3SlXEegIg1K1e6dR fRxL7Z37WZXoH8AH
Date: Mon, 11 Apr 2022 18:39:04 -0700
Message-ID: <87ilrfm66f.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/Xa1zO0_JfHM_OWVxMDFv3zbpYYE>
Subject: Re: [dns-privacy] I-D Action: draft-ietf-dprive-unilateral-probing-00.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Apr 2022 01:39:19 -0000
Hi Christian--
On Mon 2022-04-11 15:21:26 -0700, Christian Huitema wrote:
> True. But this is easy to spoof.
right, but it's even easier to spoof an ICMP Port Unreachable, which
will undoubtably have the same effect on an opportunistic recursive
resolver.
> That could work. It would be similar to "ALPN negotiation failed". But I
> am not sure that's easy to implement, giving different TLS answers to
> different clients. It is essentially a layer violation. Architecture
> considerations aside, that requires a pretty tight coupling between TLS
> and Application implementation. Not always possible. Also, not
> authenticated. The bad guys recipe book is going to say, "spoof this
> message if you want to force a client to stop unilateral probing for 24
> hours."
I really don't think "not authenticated" or "spoofable" is a valid
objection in this particular use case, but i hear you about the
difficulties for an implementation based on different layers of the
stack that are typically accessible to the DNS server implementer.
I'm just wondering what the motivation is for the authoritative server
to emit this response if it can *only* be done at the DNS layer. Aren't
all the resources you're worried about already being consumed at that
point?
If we define semantics for some future signalled protocol that depends
on proper authentication, and those semantics could tell the recursive
resolver to limit itself somehow (and for some particular reason?), then
that'd definitely be interesting. But any response from the server that
requires the server to be properly authenticated doesn't seem like it
belongs in this draft, regardless of its semantics.
I'd be happy to include a definition/declaration of a "please back off"
response at the DNS layer into this draft, if we can be clear about:
- What specifically is the server expecting the client to do -- does it
differ from the client's response to, for example, an ICMP Port
Unreachable message? (no difference is fine, but we should be clear)
In particular, i'd be reluctant to imply or encourage that such a
signal would cause the recursive resolver to back off even more
strongly than it would back off if it received any other error,
includng ICMP Port Unreachable, a TLS handshake negotiation failure,
etc. Given that this signal is guaranteed to be just as spoofable as
these other network-inflicted failure modes, it would be unfortunate
if an interfering network attacker could cause *more* cleartext to
flow over time just because of the layer at which the response
appeared.
- What does the authoritative server gain from such a response? When
should a reasonable authoritative server deploy this response?
Would you be up for taking a crack at suggesting some text?
Thanks for talking this over!
--dkg
- [dns-privacy] I-D Action: draft-ietf-dprive-unila… internet-drafts
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-u… Sara Dickinson
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-u… Daniel Kahn Gillmor
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-u… Ilari Liusvaara
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-u… Christian Huitema
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-u… Daniel Kahn Gillmor
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-u… Daniel Kahn Gillmor
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-u… Christian Huitema
- Re: [dns-privacy] I-D Action: draft-ietf-dprive-u… Daniel Kahn Gillmor