Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement

Paul Wouters <paul@nohats.ca> Mon, 30 October 2017 11:17 UTC

Date: Mon, 30 Oct 2017 07:17:19 -0400
From: Paul Wouters <paul@nohats.ca>
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
cc: Ben Schwartz <bemasc@google.com>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
In-Reply-To: <DM5PR16MB1788C0A59EDED66095D2F52BEA590@DM5PR16MB1788.namprd16.prod.outlook.com>
Message-ID: <alpine.LRH.2.21.1710300713260.22012@bofh.nohats.ca>
References: <878tfwey8w.fsf@fifthhorseman.net> <CAHbrMsAQ-9z_5Nicf=RMDCgYf5vS92H9CeRRWUTj-UOYrB-_Mw@mail.gmail.com> <DM5PR16MB1788102A02C9B188B915258EEA590@DM5PR16MB1788.namprd16.prod.outlook.com> <4C03CDB2-C7CD-429A-A810-0CA44CA35BF8@nohats.ca> <DM5PR16MB1788C0A59EDED66095D2F52BEA590@DM5PR16MB1788.namprd16.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/aECKSw5dO085r-Mj1a9WO18gHQM>
Subject: Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement

On Mon, 30 Oct 2017, Konda, Tirumaleswar Reddy wrote:

> An active attacker can drop DNS messages with DNSSEC records

The same attacker can block TLS to 8.8.8.8

> set the CD bit in the DNS query, AD bit in the DNS response

That will do nothing to validating DNS servers, as they don't use those
bits for anything.

> clear the DNSSEC OK bit in the DNS query

That will return a BOGUS answer and will be detected as DoS attack.

> or strip the DNSSEC data from the DNS response to disable DNSSEC (Section https://tools.ietf.org/html/rfc3225).

That will return a BOGUS or INDETERMINATE answer and will be detected as
DoS attack.


You have not shown any actual active attack against DNSSEC. You have
only shown denial of service attacks by packet mangling/dropping. All
of that applies equally to TLS.

Paul
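A small model of the validator behaviour the message describes, added here as an illustration and not code from the thread or from any resolver: a validating resolver classifies a response from its own signature check, ignoring the AD/CD bits in the packet, so stripping DNSSEC data from a zone it knows is signed yields BOGUS rather than a silently accepted answer. The HMAC stand-in for RRSIG verification, the zone names and the trust tables are constructed assumptions.

```python
import hashlib
import hmac

# Constructed trust state (assumption): zones the validator has a DS chain for,
# mapped to a stand-in signing key, and zones it has proof are unsigned.
SIGNED_ZONES = {"example.": b"zone-key-example"}
PROVEN_UNSIGNED = {"unsigned.example."}


def fake_rrsig(zone, name, rdata):
    """Stand-in for an RRSIG: an HMAC over the RRset with the zone's key.
    Real DNSSEC uses public-key signatures; the control flow is what matters here."""
    msg = f"{name}|{rdata}".encode()
    return hmac.new(SIGNED_ZONES[zone], msg, hashlib.sha256).hexdigest()


def validate(response):
    """Classify a response the way RFC 4035 terms it: SECURE, BOGUS, INSECURE
    or INDETERMINATE.  `response` is a dict with zone, name, rdata, rrsig
    (None when stripped or when DO was cleared upstream), ad and cd.
    The ad/cd flags are deliberately never consulted: an on-path attacker can
    flip them, so a validator decides from signatures, not from bits."""
    zone = response["zone"]
    if zone in SIGNED_ZONES:
        sig = response.get("rrsig")
        if sig is None:
            # Signed zone, no signature present: DO cleared or RRSIG stripped.
            return "BOGUS"
        expected = fake_rrsig(zone, response["name"], response["rdata"])
        return "SECURE" if hmac.compare_digest(sig, expected) else "BOGUS"
    if zone in PROVEN_UNSIGNED:
        return "INSECURE"
    # No chain of trust known either way.
    return "INDETERMINATE"


def signed_response(zone, name, rdata, ad=0, cd=0):
    """Build a constructed, correctly 'signed' response for the model."""
    return {"zone": zone, "name": name, "rdata": rdata,
            "rrsig": fake_rrsig(zone, name, rdata), "ad": ad, "cd": cd}
```

Each of the manipulations quoted in the thread (clearing DO, stripping RRSIGs, flipping AD/CD) lands in the BOGUS branch for a zone the validator knows is signed, which is a failed lookup, not a forged answer.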