Re: [dns-privacy] [Ext] Threat Model

Paul Wouters <paul@nohats.ca> Mon, 04 November 2019 21:15 UTC

Date: Mon, 04 Nov 2019 16:15:45 -0500
From: Paul Wouters <paul@nohats.ca>
To: Tony Finch <dot@dotat.at>
cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
In-Reply-To: <alpine.DEB.2.20.1911042035571.29247@grey.csi.cam.ac.uk>
Message-ID: <alpine.LRH.2.21.1911041611360.5093@bofh.nohats.ca>
References: <CABcZeBMQEJ=LE8ATQYnJj59srsK47hf4HT3BMMg3X2crVfSUXQ@mail.gmail.com> <1a70035e-edef-a3f4-ea91-52409ba37828@icann.org> <CABcZeBPAtvf3RU2gKWzyTaNwd6NBGsBuxq+n6r0W6-2RCnivSA@mail.gmail.com> <17189d1a-7689-f68d-6fe3-8d704af614a3@icann.org> <CABcZeBOhSYvqPyDcm9zbMYRc03DmPcCKYTYE-uC54=Mm9HMcnQ@mail.gmail.com> <99ee8cd4-9418-2d64-57fd-487b4f2c3a1a@cs.tcd.ie> <CABcZeBOBFFi=dA_XEzhkYvRU6kzvND5CMQcMoyriYusDH0RbKQ@mail.gmail.com> <CAHw9_iLz5No-SKa74To03ida3DHfeKY58CrJFJpLph8FsvzNQQ@mail.gmail.com> <CABcZeBMFDbATVRvJvvs5b4giQ=0B82i76ahv-ffDgWJOzqZccw@mail.gmail.com> <CAHw9_i+e8veeAz+KYXjvchmjKJz6OZHX1pEYx_Tvs8n5xnfBnQ@mail.gmail.com> <6D6233DC-4D7C-45BC-9D4E-08E6E882C1A5@nohats.ca> <alpine.DEB.2.20.1911042035571.29247@grey.csi.cam.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/kDKqlnCNtij1tY7ExGvFv7Uf1Vw>
Subject: Re: [dns-privacy] [Ext] Threat Model

On Mon, 4 Nov 2019, Tony Finch wrote:

> Subject: Re: [dns-privacy] [Ext] Threat Model
> 
> Paul Wouters <paul@nohats.ca> wrote:
>>
>> The right way to do this is a DNSKEY flag, which is protected by the
>> signed DS at the parent. Similar to draft-powerbind for the
>> delegation-only domain.
>
> That's per-zone, though, whereas DoT support is per-server.

Maybe that's ideal, but one would expect that a zone only rolls this
out once all their nameservers support it. Otherwise, whether or not
resolvers do DoT to authoritative servers would be an odd game of
Russian roulette depending on which NS record was followed, something
that could even be tweaked by an attacker, like by stripping glue from
the ones that did support it.

> DS records that somehow encode NS target names in their rdata might
> work...

That still leaves too much control at the parent to change it against
the child's wishes. A DNSKEY flag commits the child zone using publication
at its parent without giving the parent a veto.

Paul
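The thread argues that a DNSKEY flag is parent-protected because the DS digest at the parent covers the DNSKEY RDATA, flags included, and that a per-zone signal cannot be downgraded by hiding individual nameservers. The following is an added illustration, not code from either poster or from draft-powerbind: it builds the RFC 4034 DS digest over a constructed DNSKEY, uses a hypothetical flag bit (`DOT_FLAG`, not an IANA assignment) as the "all my authoritative servers speak DoT" signal, and shows a resolver policy that keeps requiring DoT even when glue for some NS has been stripped, while a DNSKEY whose flag was cleared no longer matches the DS.

```python
import hashlib
import struct

ZONE_KEY = 0x0100  # RFC 4034 DNSKEY flag bit 7 (Zone Key)
SEP = 0x0001       # RFC 4034 DNSKEY flag bit 15 (Secure Entry Point)
DOT_FLAG = 0x0004  # HYPOTHETICAL bit for "every NS of this zone supports DoT"


def wire_name(name):
    """Owner name in canonical (lowercase) DNS wire format, RFC 4034 s6.2."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, algorithm, pubkey, protocol=3):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def ds_digest(owner, rdata):
    """DS digest (SHA-256 type) = hash(owner wire name | DNSKEY RDATA).
    Because the flags field is inside the RDATA, any flag change at the
    child breaks the digest the parent signed."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()


def dnskey_matches_ds(owner, rdata, ds_hex):
    return ds_digest(owner, rdata) == ds_hex


def resolver_policy(owner, rdata, ds_hex, nameservers):
    """Per-zone transport decision for whichever NS the resolver can see.
    Returns None when the DNSKEY does not match the parent's DS (bogus)."""
    if not dnskey_matches_ds(owner, rdata, ds_hex):
        return None
    flags = struct.unpack("!H", rdata[:2])[0]
    mode = "dot-required" if flags & DOT_FLAG else "do53"
    return {ns: mode for ns in nameservers}


def demo():
    owner = "example.com."
    pubkey = b"constructed-sample-key-bytes-not-a-real-key"  # constructed
    rdata = dnskey_rdata(ZONE_KEY | SEP | DOT_FLAG, 13, pubkey)
    ds = ds_digest(owner, rdata)  # what the parent publishes and signs
    # Glue for ns2 stripped on path: only ns1 is visible, DoT still required.
    decision = resolver_policy(owner, rdata, ds, ["ns1.example.com."])
    # Flag cleared in transit: digest no longer matches the parent's DS.
    tampered = dnskey_rdata(ZONE_KEY | SEP, 13, pubkey)
    bogus = resolver_policy(owner, tampered, ds, ["ns1.example.com."])
    return decision, bogus
```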