IETF Logo Mail Archive

Re: [dns-privacy] [Ext] Threat Model

Bob Harold <rharolde@umich.edu> Mon, 11 November 2019 16:03 UTC

Return-Path: <rharolde@umich.edu>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1413120128 for <dns-privacy@ietfa.amsl.com>; Mon, 11 Nov 2019 08:03:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umich.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FVHr11rEmwlq for <dns-privacy@ietfa.amsl.com>; Mon, 11 Nov 2019 08:03:25 -0800 (PST)
Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [IPv6:2a00:1450:4864:20::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6015E12008B for <dns-privacy@ietf.org>; Mon, 11 Nov 2019 08:03:25 -0800 (PST)
Received: by mail-lj1-x22a.google.com with SMTP id e9so14357355ljp.13 for <dns-privacy@ietf.org>; Mon, 11 Nov 2019 08:03:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu; s=google-2016-06-03; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=NYn07x4Q5Uh+VlUoMxQULF+CUYwmFwdqNAZbZsfL9P4=; b=M92sn7fWCnHgCY2XtMl0aDYgJKzNtZfb9OKxO/pOF6gM3wO7Oj5Y+2Q2NMMXpTWYyH qgEV8wv/00gg8SA4Rqz1AgmuoPqAO69sVLqCqFVGPYG2kd1ZlAUeHx0x6oO3J4JIPA1u /jdIkKmfLWGr4eZnV6z4WQp1jX1+Kf/HuBA/ycmRKBHAaG2EK616n7P993wSreGmrmFB RK6iC6jdKd2iYqmJFK5sBFNyJIitY0Xk/o3rzAwDfassvM6K9mx7HL8P1OPgOXXXmxP0 tQDlwx8Oa7UZN8nsmnse+G/ANwTz8vAMivX6L/zVYLmupmxhkE5UsbmmPZ52Txoe+km1 mxoA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=NYn07x4Q5Uh+VlUoMxQULF+CUYwmFwdqNAZbZsfL9P4=; b=kygHwoLoBOOTnMcOMAhXQIVS2QVlTZoK4+WWBjr5pisaqgIn5h/cz4mpQQ78QLB49P GwmvcJOmjTiGKHM8oMvFS4n0MAluYYrsWDfYNVpGftgkDeZO1SoMBXlNceSrwpQysUHL Yek8uZgGLLPhYxFBuAqaJJrK6DqchTMwnilDTJOc9atkseq0kOg63T7ZyxVabZVrFX8O c0ijhvk7ZOpCtOC+JnWbBHMk0gysfUDDLRAzTQPUxkprd5LJDYsvI+aDeYzo7aNC7RWo kT1BR899AEewSYLLsrcBty2xClSLnfJgqZjHHg9JR/rGj9LyHonLQHGreJbLQnwUTNAU x4ug==
X-Gm-Message-State: APjAAAXG24Mrl4WR8/BZjumk38Gy+Yq/PhqFcNLWFU9seiZZebpciW7r W2K5SLzTnYFl4m+uD3HoZja1XusKFJlH0DB4KAW0Vg==
X-Google-Smtp-Source: APXvYqxYCBmon1+uN7sh0IOp+Ow6MEjzi1HoIpoaCf6EkWnhon4sWJZtGiszk3LN4AvhOGG2uCEMPy6UpaXBejz9kZU=
X-Received: by 2002:a2e:b0e3:: with SMTP id h3mr3056418ljl.193.1573488203382; Mon, 11 Nov 2019 08:03:23 -0800 (PST)
MIME-Version: 1.0
References: <CABcZeBMQEJ=LE8ATQYnJj59srsK47hf4HT3BMMg3X2crVfSUXQ@mail.gmail.com> <alpine.DEB.2.20.1911042035571.29247@grey.csi.cam.ac.uk> <CAH1iCioH86q1CX7A+F8ON4uzpGqipUy8m3iczyNqSKirAsYBQg@mail.gmail.com> <alpine.LRH.2.21.1911041652450.5093@bofh.nohats.ca> <CABcZeBOtY3saJe5DWTu=Jqy5guqdoKPKSR+XYddbvxwxKsxmig@mail.gmail.com> <CAHw9_iKaeT0VEjZfoCi9Nddc+VBBj0JHWDHv+=g3xzvb6L+Nvg@mail.gmail.com> <alpine.LRH.2.21.1911050941090.30046@bofh.nohats.ca> <CAHw9_i+MxMCd7dDO7N0-hc1SDjvBeoLoUvbg4JWDzXyjR0u4xQ@mail.gmail.com> <CAHw9_iKhaA9Nb+eH92YfzdepU90_DgLyS-ZDaMAehKOFO0ksEA@mail.gmail.com> <FC51D8EC-5ADC-4415-82EB-C6C6E4E8D84A@fl1ger.de> <F0DD4028-2404-4232-90F8-E9937877C261@nohats.ca> <b7108cff-0e50-d168-aa49-2626eb83ee22@cs.tcd.ie> <d465d9e5-5a9f-8968-8f73-1493ec5f2c36@icann.org> <alpine.LRH.2.21.1911081633490.9092@bofh.nohats.ca> <B969DDFB-1680-4D76-80F1-1EC04DC8926A@nohats.ca> <59bdad3f-8b92-c8f5-5e85-a062957227a2@cs.tcd.ie> <CAH1iCipTO4ui6ntMq=dg6oi32mWgS9_+=C5_Z2E7aEddxYj1Ww@mail.gmail.com> <35A3B700-329D-4141-912E-875412A39C71@nohats.ca>
In-Reply-To: <35A3B700-329D-4141-912E-875412A39C71@nohats.ca>
From: Bob Harold <rharolde@umich.edu>
Date: Mon, 11 Nov 2019 11:03:11 -0500
Message-ID: <CA+nkc8C+ygXtJS+QhHjBbJy1RVP8YYK3AUJNYLZ0FgdiXhJTnA@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: Brian Dickson <brian.peter.dickson@gmail.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Paul Hoffman <paul.hoffman@icann.org>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006bdbc305971445e5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/ZU3oQKvp2yR46sLr1d6zY_QcE6Y>
Subject: Re: [dns-privacy] [Ext] Threat Model
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Nov 2019 16:03:28 -0000

On Fri, Nov 8, 2019 at 9:17 PM Paul Wouters <paul@nohats.ca> wrote:

>
> On Nov 8, 2019, at 20:13, Brian Dickson <brian.peter.dickson@gmail.com>
> wrote:
>
>
>
>
> More anecdotal stuff is at https://ianix.com/pub/dnssec-outages.html which
> lumps together information about TLD failures (now very rare), sites with
> failures (becoming increasingly uncommon and having smaller impact), and
> durations (typically a week or less on average, but again, this is
> anecdotal not statistical.)
>
>
> I have on a few occasions explained to the people running this site that
> they were wrong to blame dnssec. Some listed events were generic outages
> wrongly blamed on dnssec. No corrections were ever made. The side is
> extremely subjectively anti-dnssec.
>
>
>
> YMMV, of course. But, fear of rampant validation failures is entirely
> misplaced at this point. Enough validation is being done, that such
> failures need to be considered the responsibility of the signers, not the
> validators.
>
>
> Exactly, and why I quoted 8.8.8.8, 1.1.1.1 and 9.9.9.9. So many people are
> behind dnssec validators that validation failure would lead to a quick
> outage notification by tools or humans.
>
> Paul
>


Thanks to everyone for the info and recommendations.  I need to figure out
how to alert on validation failures, and then enable validation.

-- 
Bob Harold

v2.23.0 | Report a Bug | By Email