Re: [dns-privacy] Authentication in draft-ietf-dprive-opportunistic-adotq
Daniel Migault <mglt.ietf@gmail.com> Tue, 16 February 2021 03:14 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D711A3A0BF8 for <dns-privacy@ietfa.amsl.com>; Mon, 15 Feb 2021 19:14:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KxAZ0wUONX29 for <dns-privacy@ietfa.amsl.com>; Mon, 15 Feb 2021 19:14:26 -0800 (PST)
Received: from mail-vs1-xe2e.google.com (mail-vs1-xe2e.google.com [IPv6:2607:f8b0:4864:20::e2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DFEF13A0BF5 for <dprive@ietf.org>; Mon, 15 Feb 2021 19:14:25 -0800 (PST)
Received: by mail-vs1-xe2e.google.com with SMTP id y24so2353203vsq.3 for <dprive@ietf.org>; Mon, 15 Feb 2021 19:14:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=dUY0eVlHEMEJoGl5lZ9P0TF2fb30MQKlNF+5nEO1u4A=; b=PW+8Q40FH4rHEjL4FuAr0d9jIOGoPJ5uYsaCECgwKydWb+UjCmXoLFNp6+hSzFiM0Y YLXxHGHAOGqpx4/IxxQE4yBfMxvQbSLBvYy+pEGvyrTdUepFjs+BcPLWmSpWANuI/OJb gYxbevooYVofeQCvOs4T7ghft6DrSEglIQYQ11SRkRLNklNo5CQBPsjZ2v54r0bPCuje +CPNMhRDq+VT40b2sQ9tb5oItVa+zVD4/92x150Ete97/IvQlUCCTRwr6Hw6/osN7ocQ n6ybxWknN1dacp03I1JpM/Ojv40VyC94VrO0ZkYi+fC+vdQkX1DldOi7PSRFFjHttVe8 EoUw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=dUY0eVlHEMEJoGl5lZ9P0TF2fb30MQKlNF+5nEO1u4A=; b=psGkbYD8oExo9wMCstVWWxwq+jfm2TywcZHQdSWrIiEkCbUMVXQx6eo/ZuMDiCNKlR 93+XAzR9vUNBYQbNXn9M8yr36SdhrGidpSHENl4FAnY3mxTTrgMwzXS24X04v+fD+OEI qIBkthCWwtrzzuFo40zIt2HCDuvERHJxXfhxZw01YLwEcZOJeDcFeuH1s0gqoUV4LrKd LcfJ60OJ95cx8V87TZgU0Hgg5NqeykYAupUhJ5oxv7rRzZ9i3tXCYxCjDX/CMNRSsfIs GADQ7rsnlSjPZ1UI3n6ah3INU+DWYNeKxb0J1XJs3+Bs+0IHa/HV+BvWDT9Fjlxh5fzA fTOA==
X-Gm-Message-State: AOAM530bt3nsveBqoFd9jghtVSFXf/tWPxAUStNxGlZi8xpvcBiAud2R s4CnH/WVAEGP/kRF+LiC8kkaefl4DCe1U3kBYR8=
X-Google-Smtp-Source: ABdhPJxzqtyxA+0R7q1qKIIRCkcEUn9/hSwh+JVJMQIIiidbchxkELNAudTMGEdoceS9eeVk8/tQGUTlPLfzdlI4+AM=
X-Received: by 2002:a67:eecc:: with SMTP id o12mr10387961vsp.40.1613445264822; Mon, 15 Feb 2021 19:14:24 -0800 (PST)
MIME-Version: 1.0
References: <230F580F-BA87-4921-B45B-2909ACE385B1@icann.org> <CABcZeBPcBT0UY-ghaMm_nN+qZ+B0ozmCfK30XX-R05z+PLtqmQ@mail.gmail.com> <137b74ff-887f-056a-74e3-7a80358b5156@cs.tcd.ie> <CABcZeBMyULUznkCVzxb6ufCx1XaT1zKx0jLLwxXhL7hRwMkv+A@mail.gmail.com> <fd132f9d-630e-112d-d777-0e6a7a767e84@cs.tcd.ie> <ff1e6d9-6e66-dadf-2847-3e071b34618@nohats.ca> <CABcZeBPO8kaNM_pPeA-GJX767Ti-uoqvb5nqT0k3YfHFapMFgw@mail.gmail.com>
In-Reply-To: <CABcZeBPO8kaNM_pPeA-GJX767Ti-uoqvb5nqT0k3YfHFapMFgw@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Mon, 15 Feb 2021 22:14:13 -0500
Message-ID: <CADZyTkmf_tpRUq=0eMprL_tkjmuaJ27jG6wWo4R_gso1=JS_0g@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Paul Wouters <paul@nohats.ca>, Paul Hoffman <paul.hoffman@icann.org>, "dprive@ietf.org" <dprive@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: multipart/alternative; boundary="000000000000dfd9d505bb6b7f02"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/Yd3Caxod8kU2AB5bM54ZlUAmMcY>
Subject: Re: [dns-privacy] Authentication in draft-ietf-dprive-opportunistic-adotq
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Feb 2021 03:14:28 -0000
I do agree that given the structure of the DNS and the existing mechanisms in place - Paul W mentioned the DNS is a PKI - the WG should authenticate the DNS server. It is unclear to me what advantages opportunistic security provides as well as how it presents a starting point to a fully secured solution. Resolvers are already providing part of the privacy and the remaining privacy is not provided - as mentioned by Eric. The level of confidence provided by opportunistic security seems even lower given that the DNS server is point of convergence as opposed to a random node for example. It seems to me, that more thoughts are need to evaluate how a more robust solution could leverage from an opportunistic solution. I would propose the other way around: the WG first focuses on a full solution, and then see if any intermediary steps may be helpful to reach its deployment. Something - as suggested by Paul W - based on the DNS service "_dns" seems a good starting point. Yours, Daniel On Mon, Feb 15, 2021 at 6:40 PM Eric Rescorla <ekr@rtfm.com> wrote: > > > On Mon, Feb 15, 2021 at 3:23 PM Paul Wouters <paul@nohats.ca> wrote: > >> On Mon, 15 Feb 2021, Stephen Farrell wrote: >> >> >> - We invent some mechanism that allows you to specify in an NS record >> that >> >> the server takes TLS (as a hacky example, "servers have to be named >> >> <some-sentinel>.example.com"). >> > >> > Wasn't exactly that proposed but shot down already (for >> > DNS, not crypto, reasons)? Maybe I'm recalling wrong. I did >> > kinda like it mind - the hackiness appeals a bit to me:-) >> >> I think it was shot for many reasons. One of them being that a signal >> for encrypted transport is not a per-domain property but a per-ns >> property. >> > > I agree that in principle this is true, but ISTM that one could make the > same argument about Web servers, but as a practical matter we've > gotten pretty far with the reference containing the security indicator. > In any case, one could imagine using some HSTS-like mechanism > once you have connected, right? > > > > >> Here is a different sentinel: >> >> _53._dns.ns0.example.com. IN TLSA x y z <base64ofCert> >> >> Then do (D)TLS >> >> Now you can choose: >> >> 1) Use DNS(SEC) for validation >> 2) Use WebPKI[*] for validation >> 3) TOFU >> 4) Take at face value >> >> Of course, this runs into issues we talked about before. Revealing a >> query for ns0.nohats.ca already loses privacy unless you are centralized >> at godaddy. But even if you didn't leak anything, doing encrypted "stuff" >> to the IP of ns0.nohats.ca itself already gives all of that away too. >> > > Right. This seems like an inherent property, no? I.e., if an authoritative > only serves example.com, then encryption doesn't help much here. > The thing to avoid seems to be where ns.atlanta.example, > ns.biloxi.example, and ns.charlottesville.example all point to the same > server. > > -Ekr > > _______________________________________________ > dns-privacy mailing list > dns-privacy@ietf.org > https://www.ietf.org/mailman/listinfo/dns-privacy > -- Daniel Migault Ericsson
- [dns-privacy] Authentication in draft-ietf-dprive… Paul Hoffman
- Re: [dns-privacy] Authentication in draft-ietf-dp… Eric Rescorla
- Re: [dns-privacy] [Ext] Authentication in draft-i… Paul Hoffman
- Re: [dns-privacy] Authentication in draft-ietf-dp… Stephen Farrell
- Re: [dns-privacy] Authentication in draft-ietf-dp… Stephen Farrell
- Re: [dns-privacy] Authentication in draft-ietf-dp… Eric Rescorla
- Re: [dns-privacy] [Ext] Authentication in draft-i… Eric Rescorla
- Re: [dns-privacy] [Ext] Authentication in draft-i… Paul Hoffman
- Re: [dns-privacy] Authentication in draft-ietf-dp… Stephen Farrell
- Re: [dns-privacy] Authentication in draft-ietf-dp… Eric Rescorla
- Re: [dns-privacy] [Ext] Authentication in draft-i… Paul Hoffman
- Re: [dns-privacy] Authentication in draft-ietf-dp… Stephen Farrell
- Re: [dns-privacy] Authentication in draft-ietf-dp… Eric Rescorla
- Re: [dns-privacy] [Ext] Authentication in draft-i… Eric Rescorla
- Re: [dns-privacy] Authentication in draft-ietf-dp… Stephen Farrell
- Re: [dns-privacy] Authentication in draft-ietf-dp… Eric Rescorla
- Re: [dns-privacy] Authentication in draft-ietf-dp… Paul Wouters
- Re: [dns-privacy] Authentication in draft-ietf-dp… Eric Rescorla
- Re: [dns-privacy] Authentication in draft-ietf-dp… Daniel Migault
- Re: [dns-privacy] Authentication in draft-ietf-dp… Ben Schwartz
- Re: [dns-privacy] [Ext] Authentication in draft-i… Paul Hoffman
- Re: [dns-privacy] Authentication in draft-ietf-dp… Vittorio Bertola
- Re: [dns-privacy] Authentication in draft-ietf-dp… Paul Wouters
- Re: [dns-privacy] [Ext] Authentication in draft-i… Stephen Farrell
- Re: [dns-privacy] Authentication in draft-ietf-dp… Andrew Campling
- Re: [dns-privacy] Authentication in draft-ietf-dp… Ben Schwartz
- Re: [dns-privacy] Authentication in draft-ietf-dp… Hollenbeck, Scott
- Re: [dns-privacy] Authentication in draft-ietf-dp… Eric Rescorla
- Re: [dns-privacy] Authentication in draft-ietf-dp… Paul Wouters
- Re: [dns-privacy] Authentication in draft-ietf-dp… Paul Wouters
- Re: [dns-privacy] [Ext] Authentication in draft-i… Paul Hoffman