Re: [dns-privacy] New draft on encrypting the stub-to-resolver link: draft-hoffman-dns-tls-stub-00.txt
Phillip Hallam-Baker <ietf@hallambaker.com> Sat, 30 August 2014 05:08 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7ACB61A874C for <dns-privacy@ietfa.amsl.com>; Fri, 29 Aug 2014 22:08:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wb4entpNNptm for <dns-privacy@ietfa.amsl.com>; Fri, 29 Aug 2014 22:08:58 -0700 (PDT)
Received: from mail-la0-x22c.google.com (mail-la0-x22c.google.com [IPv6:2a00:1450:4010:c03::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E67061A8747 for <dns-privacy@ietf.org>; Fri, 29 Aug 2014 22:08:57 -0700 (PDT)
Received: by mail-la0-f44.google.com with SMTP id hz20so3777543lab.3 for <dns-privacy@ietf.org>; Fri, 29 Aug 2014 22:08:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=82JouRyXHVJxDNv55Jzg8i/gOIkCXp8GJl27ME+R1jI=; b=idJvWsK56UE6S7uvXDzbBugJgBO56+dyKTSZrL1rE/QgO/oLRdSZvjxbLZcRdpQ320 oLo1O+F9Et0jLBY262lgYTedGM6jYTNTa0woCUvP4I93KE3Np10zWx1ssMRNdZ62bjU7 LLm23oUQsyNtPy/M2NV70eiiHSU906Q9hB3qfn9/pO8XQUoJdW++rF5Acv4TamTFYhio IEYTcJmF19oiHadE+tjDisvJFtgB856iwMJcLHJ/Gnz7jUczR8LjzOtHgXnbqVWmiGm7 5tNTX6+ESRhp0rf4aREdDGS4kJmTCt5ItcYVBSt3oqokusPqvpkBLNERKxEQKsH+Pv1E 00SQ==
MIME-Version: 1.0
X-Received: by 10.112.148.133 with SMTP id ts5mr14573529lbb.45.1409375336065; Fri, 29 Aug 2014 22:08:56 -0700 (PDT)
Sender: hallam@gmail.com
Received: by 10.112.122.50 with HTTP; Fri, 29 Aug 2014 22:08:55 -0700 (PDT)
In-Reply-To: <16946.1409374615@dash.isi.edu>
References: <20140818175701.12317.96810.idtracker@ietfa.amsl.com> <FF99C324-2959-48EB-A187-18007F7AA364@vpnc.org> <814D0BFB77D95844A01CA29B44CBF8A7A27F3E@lhreml513-mbb.china.huawei.com> <alpine.LFD.2.10.1408191033210.19423@bofh.nohats.ca> <814D0BFB77D95844A01CA29B44CBF8A7A27FBE@lhreml513-mbb.china.huawei.com> <alpine.LFD.2.10.1408191159190.19423@bofh.nohats.ca> <814D0BFB77D95844A01CA29B44CBF8A7A280CF@lhreml513-mbb.china.huawei.com> <86mwb0e5pd.fsf@strotmann.de> <0l61hdogv2.fsf@wjh.hardakers.net> <16946.1409374615@dash.isi.edu>
Date: Sat, 30 Aug 2014 01:08:55 -0400
X-Google-Sender-Auth: tLBtnXatn72fvZvr3sEAH3ct24A
Message-ID: <CAMm+LwhJYBkaEr3swa+Es60+Z3Cmo0LEHHX-MXb5hnNqn-NhiA@mail.gmail.com>
From: Phillip Hallam-Baker <ietf@hallambaker.com>
To: John Heidemann <johnh@isi.edu>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/dns-privacy/iNRw9MPcXRVNcMMnoP9WpLr4DaI
Cc: Carsten Strotmann <cas@strotmann.de>, Hosnieh Rafiee <hosnieh.rafiee@huawei.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>, Paul Wouters <paul@nohats.ca>, Wes Hardaker <wjhns1@hardakers.net>
Subject: Re: [dns-privacy] New draft on encrypting the stub-to-resolver link: draft-hoffman-dns-tls-stub-00.txt
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Aug 2014 05:08:59 -0000
On Sat, Aug 30, 2014 at 12:56 AM, John Heidemann <johnh@isi.edu> wrote: > On Wed, 27 Aug 2014 12:46:41 -0700, Wes Hardaker wrote: >>Carsten Strotmann <cas@strotmann.de> writes: >>But then, stepping back, you have to ask yourself: what's the likely >>threat model of everyone in 100 feet trying to attack you? If we really >>... >> >>But what's the solution? How do we authenticate that resolver? PKIX >>won't help us, as there is no name. DNSSEC won't help us, as half the >>time you're behind a nat so the reverse tree can't be used [ipv6 >>actually might help here]. Leap of faith is probably better than >>nothing if you frequent that coffee shop. I don't think secure dhcp has >>gotten that far, but I'm admittedly out of touch. >> >>We simply keep moving this chicken/egg problem of secure bootstrapping >>from one protocol to the next. It's like one egg that keeps changing >>chickens. > > I want to take a step back to consider a different case. > > The complaint here is that it is tough to authenticate some arbitrary > resolver handed to you from DHCP because of person-in-the-middle. Yes, > that's a hard problem. > > "Doctor, it hurts when I do this." "Don't *do* that." Exactly. Step one to better DNS security is NEVER EVER USE THE DHCP DNS SERVER The only exception being finding a path to your intended DNS server. People keep trying to fix DNS security by applying the security that fits a broken 30 year old model designed at a time when absolutely nobody knew what they were doing. > If you aren't willing to trust a resolver from DHCP, one could use a > public DNS resolver, acquire its certificate out-of-band, and check it. > I.e., do certificate pinning on the TLS certificate you plan to use for > DNS. Hang on, the machine could do that but lets keep the user out of this please? Any time people suggest complicated configuration then its a protocol nobody will ever use. The machine can do those steps but not the human. It has to be frictionless or it will never get used. > I'm told there are IP addresses of a public resolver spraypainted on > walls in Turkey you could try. (If that or some other provider > supported TLS for DNS.) Well the spray-painted one got blocked so we need to do a little more than that. In my Private-DNS scheme the user binds their account to a security provider that potentially provides a raft of security services. This is a one time event per user until they change providers. They then bind each of their machines to their account using a simple, easy to use mechanism. This is not doing TLS pinning, but thats because I didn't find TLS provides much leverage except for initial configuration.
- [dns-privacy] New draft on encrypting the stub-to… Paul Hoffman
- Re: [dns-privacy] New draft on encrypting the stu… Hosnieh Rafiee
- Re: [dns-privacy] New draft on encrypting the stu… Paul Wouters
- Re: [dns-privacy] New draft on encrypting the stu… Paul Hoffman
- Re: [dns-privacy] New draft on encrypting the stu… Hosnieh Rafiee
- Re: [dns-privacy] New draft on encrypting the stu… Joe Abley
- Re: [dns-privacy] New draft on encrypting the stu… Paul Wouters
- Re: [dns-privacy] New draft on encrypting the stu… Hosnieh Rafiee
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Hosnieh Rafiee
- Re: [dns-privacy] New draft on encrypting the stu… Carsten Strotmann
- Re: [dns-privacy] New draft on encrypting the stu… 神明達哉
- Re: [dns-privacy] New draft on encrypting the stu… Paul Hoffman
- Re: [dns-privacy] New draft on encrypting the stu… Jacob Appelbaum
- Re: [dns-privacy] New draft on encrypting the stu… Paul Hoffman
- Re: [dns-privacy] New draft on encrypting the stu… Paul Wouters
- Re: [dns-privacy] New draft on encrypting the stu… Jacob Appelbaum
- Re: [dns-privacy] New draft on encrypting the stu… Jacob Appelbaum
- Re: [dns-privacy] New draft on encrypting the stu… Paul Wouters
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Hosnieh Rafiee
- Re: [dns-privacy] New draft on encrypting the stu… Paul Hoffman
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Carsten Strotmann
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Hosnieh Rafiee
- Re: [dns-privacy] New draft on encrypting the stu… Jacob Appelbaum
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Andrew Sullivan
- Re: [dns-privacy] New draft on encrypting the stu… Paul Hoffman
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Hosnieh Rafiee
- Re: [dns-privacy] New draft on encrypting the stu… Jacob Appelbaum
- Re: [dns-privacy] New draft on encrypting the stu… Stephane Bortzmeyer
- Re: [dns-privacy] New draft on encrypting the stu… 神明達哉
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Andrew Sullivan
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Hosnieh Rafiee
- Re: [dns-privacy] New draft on encrypting the stu… Hosnieh Rafiee
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Andrew Sullivan
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Jacob Appelbaum
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Paul Wouters
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Jacob Appelbaum
- Re: [dns-privacy] New draft on encrypting the stu… Paul Hoffman
- Re: [dns-privacy] New draft on encrypting the stu… Paul Hoffman
- [dns-privacy] draft-hoffman-dns-tls-stub-01 posted Paul Hoffman
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Hosnieh Rafiee
- Re: [dns-privacy] New draft on encrypting the stu… David Ulevitch
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Andrew Sullivan
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Hosnieh Rafiee
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Hosnieh Rafiee
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Andrew Sullivan
- Re: [dns-privacy] [SPAM] Re: New draft on encrypt… Hosnieh Rafiee
- Re: [dns-privacy] New draft on encrypting the stu… Wes Hardaker
- [dns-privacy] Authenticating the resolver Paul Hoffman
- Re: [dns-privacy] New draft on encrypting the stu… Mark Andrews
- Re: [dns-privacy] New draft on encrypting the stu… Wes Hardaker
- Re: [dns-privacy] Authenticating the resolver Wes Hardaker
- Re: [dns-privacy] Authenticating the resolver Paul Hoffman
- Re: [dns-privacy] New draft on encrypting the stu… John Heidemann
- Re: [dns-privacy] New draft on encrypting the stu… Phillip Hallam-Baker