Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 30 October 2017 12:49 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F043713F5A3 for <dns-privacy@ietfa.amsl.com>; Mon, 30 Oct 2017 05:49:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ObFURIqCV0hL for <dns-privacy@ietfa.amsl.com>; Mon, 30 Oct 2017 05:49:37 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118]) by ietfa.amsl.com (Postfix) with ESMTP id B28EE139680 for <dns-privacy@ietf.org>; Mon, 30 Oct 2017 05:49:37 -0700 (PDT)
Received: from fifthhorseman.net (p578E653F.dip0.t-ipconnect.de [87.142.101.63]) by che.mayfirst.org (Postfix) with ESMTPSA id D8D58F99A; Mon, 30 Oct 2017 08:49:35 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 769C320650; Mon, 30 Oct 2017 13:31:07 +0100 (CET)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Paul Wouters <paul@nohats.ca>, "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
Cc: Ben Schwartz <bemasc@google.com>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
In-Reply-To: <alpine.LRH.2.21.1710300718030.22012@bofh.nohats.ca>
References: <878tfwey8w.fsf@fifthhorseman.net> <CAHbrMsAQ-9z_5Nicf=RMDCgYf5vS92H9CeRRWUTj-UOYrB-_Mw@mail.gmail.com> <DM5PR16MB1788102A02C9B188B915258EEA590@DM5PR16MB1788.namprd16.prod.outlook.com> <4C03CDB2-C7CD-429A-A810-0CA44CA35BF8@nohats.ca> <DM5PR16MB1788C0A59EDED66095D2F52BEA590@DM5PR16MB1788.namprd16.prod.outlook.com> <alpine.LRH.2.21.1710300718030.22012@bofh.nohats.ca>
Date: Mon, 30 Oct 2017 13:31:04 +0100
Message-ID: <87fua0ddh3.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/jwRMuDhHzveaheqbMYJBh0hJ7tM>
Subject: Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Oct 2017 12:49:40 -0000
On Mon 2017-10-30 07:19:36 -0400, Paul Wouters wrote: > Just to be clear. DNSSEC provides authentication of data. TLS provides > privacy of data. Both are needed so I am against this proposed change > to remove DNSSEC validation as a requirement. DNSSEC is part of the > core DNS. It's not a cherry. I'm not claiming that no clients should implement DNSSEC validation. I would be happy if every client did so. Please don't mistake this as a generic judgement on DNSSEC. It's about one particular situation where hard-fail is a bad idea. In particular, the situation under discussion is what clients should do in the event of a DNSSEC validation failure of an opportunistic "meta-query". As a reminder, the "opportunistic meta-query" is the best-effort lookup of the IP address(es) of the preferred DNS privacy resolver, under either Strict or Opportunistic profiles. In either profile, the meta-query itself is opportunistic -- it's an attempt to find some channel to the preferred resolver. But let's look at the two profiles separately: a) under the opportunistic profile, dropping the response to an opportunistic meta-query in the event of a DNSSEC validation failure transforms a loss of privacy into a DoS. This does not meet the stated goal of the opportunistic profile, "maximum chance of DNS service". b) under the strict profile, dropping the response to an opportunistic meta-query in the event of a DNSSEC validation failure will result in the same outcome (DoS) where the response to the meta-query comes from an attacker, because the attacker couldn't have provided a valid TLS endpoint in the first place. But in the scenario where DNSSEC either isn't available, or is misconfigured, it converts a successful connection attempt into a DoS. This is a net loss for the user. Put more simply: Opportunistic meta-queries are opportunistic. Encouraging or requiring hard-fail to DNSSEC validation of an opportunistic meta-query just amounts to a reduction of service, and provides no security or privacy improvements that i can see. If the goal is to enforce corroborative authentication of the DNS privacy server (e.g. via both DNSSEC and the X.509 cartel), i welcome a writeup of a "Extra Strict" profile that adds a DNSSEC validation requirement to the Strict profile. But that's not this draft. --dkg
- [dns-privacy] review of draft-ietf-dprive-dtls-an… Daniel Kahn Gillmor
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Ben Schwartz
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Wouters
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Wouters
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Wouters
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Daniel Kahn Gillmor
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Stephen Farrell
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Sara Dickinson
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Stephane Bortzmeyer
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Hoffman
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Daniel Kahn Gillmor
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Hoffman
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Stephen Farrell
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Sara Dickinson
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Antoine Germanos
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Wouters
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Sara Dickinson
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Hoffman
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Stephen Farrell
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Sara Dickinson
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Sara Dickinson
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Daniel Kahn Gillmor
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Antoine Germanos