IETF Logo Mail Archive

Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 30 October 2017 12:49 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F043713F5A3 for <dns-privacy@ietfa.amsl.com>; Mon, 30 Oct 2017 05:49:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ObFURIqCV0hL for <dns-privacy@ietfa.amsl.com>; Mon, 30 Oct 2017 05:49:37 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118]) by ietfa.amsl.com (Postfix) with ESMTP id B28EE139680 for <dns-privacy@ietf.org>; Mon, 30 Oct 2017 05:49:37 -0700 (PDT)
Received: from fifthhorseman.net (p578E653F.dip0.t-ipconnect.de [87.142.101.63]) by che.mayfirst.org (Postfix) with ESMTPSA id D8D58F99A; Mon, 30 Oct 2017 08:49:35 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 769C320650; Mon, 30 Oct 2017 13:31:07 +0100 (CET)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Paul Wouters <paul@nohats.ca>, "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
Cc: Ben Schwartz <bemasc@google.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
In-Reply-To: <alpine.LRH.2.21.1710300718030.22012@bofh.nohats.ca>
References: <878tfwey8w.fsf@fifthhorseman.net> <CAHbrMsAQ-9z_5Nicf=RMDCgYf5vS92H9CeRRWUTj-UOYrB-_Mw@mail.gmail.com> <DM5PR16MB1788102A02C9B188B915258EEA590@DM5PR16MB1788.namprd16.prod.outlook.com> <4C03CDB2-C7CD-429A-A810-0CA44CA35BF8@nohats.ca> <DM5PR16MB1788C0A59EDED66095D2F52BEA590@DM5PR16MB1788.namprd16.prod.outlook.com> <alpine.LRH.2.21.1710300718030.22012@bofh.nohats.ca>
Date: Mon, 30 Oct 2017 13:31:04 +0100
Message-ID: <87fua0ddh3.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/jwRMuDhHzveaheqbMYJBh0hJ7tM>
Subject: Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Oct 2017 12:49:40 -0000

On Mon 2017-10-30 07:19:36 -0400, Paul Wouters wrote:
> Just to be clear. DNSSEC provides authentication of data. TLS provides
> privacy of data. Both are needed so I am against this proposed change
> to remove DNSSEC validation as a requirement. DNSSEC is part of the
> core DNS. It's not a cherry.

I'm not claiming that no clients should implement DNSSEC validation.  I
would be happy if every client did so.  Please don't mistake this as a
generic judgement on DNSSEC.  It's about one particular situation where
hard-fail is a bad idea.

In particular, the situation under discussion is what clients should do
in the event of a DNSSEC validation failure of an opportunistic
"meta-query".  As a reminder, the "opportunistic meta-query" is the
best-effort lookup of the IP address(es) of the preferred DNS privacy
resolver, under either Strict or Opportunistic profiles.

In either profile, the meta-query itself is opportunistic -- it's an
attempt to find some channel to the preferred resolver.  But let's look
at the two profiles separately:

 a) under the opportunistic profile, dropping the response to an
    opportunistic meta-query in the event of a DNSSEC validation failure
    transforms a loss of privacy into a DoS.  This does not meet the
    stated goal of the opportunistic profile, "maximum chance of DNS
    service".

 b) under the strict profile, dropping the response to an opportunistic
    meta-query in the event of a DNSSEC validation failure will result
    in the same outcome (DoS) where the response to the meta-query comes
    from an attacker, because the attacker couldn't have provided a
    valid TLS endpoint in the first place.  But in the scenario where
    DNSSEC either isn't available, or is misconfigured, it converts a
    successful connection attempt into a DoS.  This is a net loss for
    the user.

Put more simply:

    Opportunistic meta-queries are opportunistic.

Encouraging or requiring hard-fail to DNSSEC validation of an
opportunistic meta-query just amounts to a reduction of service, and
provides no security or privacy improvements that i can see.

If the goal is to enforce corroborative authentication of the DNS
privacy server (e.g. via both DNSSEC and the X.509 cartel), i welcome a
writeup of a "Extra Strict" profile that adds a DNSSEC validation
requirement to the Strict profile.  But that's not this draft.

         --dkg

v2.23.0 | Report a Bug | By Email