Re: [dns-privacy] [Ext] Threat Model

Paul Wouters <paul@nohats.ca> Sat, 09 November 2019 02:17 UTC

From: Paul Wouters <paul@nohats.ca>
In-Reply-To: <CAH1iCipTO4ui6ntMq=dg6oi32mWgS9_+=C5_Z2E7aEddxYj1Ww@mail.gmail.com>
Date: Fri, 08 Nov 2019 21:16:38 -0500
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Bob Harold <rharolde@umich.edu>, Paul Hoffman <paul.hoffman@icann.org>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Message-Id: <35A3B700-329D-4141-912E-875412A39C71@nohats.ca>
References: <CABcZeBMQEJ=LE8ATQYnJj59srsK47hf4HT3BMMg3X2crVfSUXQ@mail.gmail.com> <alpine.DEB.2.20.1911042035571.29247@grey.csi.cam.ac.uk> <CAH1iCioH86q1CX7A+F8ON4uzpGqipUy8m3iczyNqSKirAsYBQg@mail.gmail.com> <alpine.LRH.2.21.1911041652450.5093@bofh.nohats.ca> <CABcZeBOtY3saJe5DWTu=Jqy5guqdoKPKSR+XYddbvxwxKsxmig@mail.gmail.com> <CAHw9_iKaeT0VEjZfoCi9Nddc+VBBj0JHWDHv+=g3xzvb6L+Nvg@mail.gmail.com> <alpine.LRH.2.21.1911050941090.30046@bofh.nohats.ca> <CAHw9_i+MxMCd7dDO7N0-hc1SDjvBeoLoUvbg4JWDzXyjR0u4xQ@mail.gmail.com> <CAHw9_iKhaA9Nb+eH92YfzdepU90_DgLyS-ZDaMAehKOFO0ksEA@mail.gmail.com> <FC51D8EC-5ADC-4415-82EB-C6C6E4E8D84A@fl1ger.de> <F0DD4028-2404-4232-90F8-E9937877C261@nohats.ca> <b7108cff-0e50-d168-aa49-2626eb83ee22@cs.tcd.ie> <d465d9e5-5a9f-8968-8f73-1493ec5f2c36@icann.org> <alpine.LRH.2.21.1911081633490.9092@bofh.nohats.ca> <B969DDFB-1680-4D76-80F1-1EC04DC8926A@nohats.ca> <59bdad3f-8b92-c8f5-5e85-a062957227a2@cs.tcd.ie> <CAH1iCipTO4ui6ntMq=dg6oi32mWgS9_+=C5_Z2E7aEddxYj1Ww@mail.gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/YNCT78bE1GriVXqDCNAo7hT5aM8>
Subject: Re: [dns-privacy] [Ext] Threat Model

> On Nov 8, 2019, at 20:13, Brian Dickson <brian.peter.dickson@gmail.com> wrote:
> 
> More anecdotal stuff is at https://ianix.com/pub/dnssec-outages.html which lumps together information about TLD failures (now very rare), sites with failures (becoming increasingly uncommon and having smaller impact), and durations (typically a week or less on average, but again, this is anecdotal not statistical.)

I have on a few occasions explained to the people running this site that they were wrong to blame dnssec. Some listed events were generic outages wrongly blamed on dnssec. No corrections were ever made. The site is extremely subjectively anti-dnssec.

> 
> YMMV, of course. But, fear of rampant validation failures is entirely misplaced at this point. Enough validation is being done that such failures need to be considered the responsibility of the signers, not the validators.

Exactly, and why I quoted 8.8.8.8, 1.1.1.1 and 9.9.9.9. So many people are behind dnssec validators that validation failure would lead to a quick outage notification by tools or humans.

Paul
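The two points above, that validation failures are the signer's responsibility and that generic outages get wrongly blamed on dnssec, translate into a monitoring check a zone operator can run against the validating resolvers named in the thread: query once normally and once with the CD (checking disabled) bit, and only call it a DNSSEC failure when the CD=1 query succeeds where the CD=0 query returned SERVFAIL. This is an added example, not code from the thread or from any of the resolver operators; the resolver addresses come from the thread, while the function names, the classification labels and the sample dig output are constructed here.

```python
import re
import subprocess
from typing import Tuple

VALIDATING_RESOLVERS = ("8.8.8.8", "1.1.1.1", "9.9.9.9")  # named in the thread

def classify(rcode_cd0: str, ad_cd0: bool, rcode_cd1: str) -> str:
    """Combine a normal query (CD=0) with a checking-disabled query (CD=1).
    A validating resolver answers SERVFAIL for a bogus zone, but with CD=1 it
    skips validation and returns what it fetched (RFC 4035, section 3.2.2), so
    SERVFAIL/NOERROR points at the signer while SERVFAIL/SERVFAIL is an outage.
    """
    if rcode_cd0 == "SERVFAIL" and rcode_cd1 == "NOERROR":
        return "bogus"     # real validation failure: the signer's responsibility
    if rcode_cd0 == "SERVFAIL":
        return "outage"    # fails even unvalidated: not a DNSSEC problem
    if rcode_cd0 == "NOERROR" and ad_cd0:
        return "secure"    # validated answer (AD flag set)
    if rcode_cd0 == "NOERROR":
        return "insecure"  # answered but not validated (unsigned delegation)
    return "other:" + rcode_cd0

def parse_dig(output: str) -> Tuple[str, bool]:
    """Pull the rcode and the AD flag out of dig's header lines."""
    status = re.search(r"status: (\w+)", output)
    flags = re.search(r"flags: ([a-z ]+);", output)
    rcode = status.group(1) if status else "UNKNOWN"
    ad = bool(flags and "ad" in flags.group(1).split())
    return rcode, ad

def probe(name: str, resolver: str) -> str:
    """Live check (needs network and dig): one normal query, one with +cd."""
    outs = [subprocess.run(["dig", "@" + resolver, name, "A", "+dnssec", *extra],
                           capture_output=True, text=True, check=False).stdout
            for extra in ((), ("+cd",))]
    rcode0, ad0 = parse_dig(outs[0])
    return classify(rcode0, ad0, parse_dig(outs[1])[0])

def check_all(name: str) -> dict:
    """Probe every listed resolver; any 'bogus' result is the signer's problem."""
    return {r: probe(name, r) for r in VALIDATING_RESOLVERS}

# Constructed dig header excerpts for an offline run (not captured output).
SAMPLE_BOGUS_CD0 = (";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242\n"
                    ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n")
SAMPLE_BOGUS_CD1 = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243\n"
                    ";; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n")
SAMPLE_SECURE = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244\n"
                 ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n")
```

Running `check_all("example.net")` from a signed zone's monitoring host gives one verdict per resolver; a "bogus" verdict at any of the three is exactly the quick outage notification the thread describes, and an "outage" verdict should not be logged as a DNSSEC incident.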