IETF Logo Mail Archive

[dns-privacy] scope of authoritative signalling [Was: Re: [Ext] Intermediate proposal (what I was saying at the mic)]

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 24 August 2021 18:37 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E6913A0B40 for <dns-privacy@ietfa.amsl.com>; Tue, 24 Aug 2021 11:37:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.306
X-Spam-Level:
X-Spam-Status: No, score=-1.306 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=MK3eqPAb; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=pqY72xLV
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GPrVLClGO63m for <dns-privacy@ietfa.amsl.com>; Tue, 24 Aug 2021 11:37:41 -0700 (PDT)
Received: from che.mayfirst.org (unknown [162.247.75.117]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7AC673A0B32 for <dns-privacy@ietf.org>; Tue, 24 Aug 2021 11:37:41 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1629830259; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=ah4sF5N1/ANDQqHNG7xvTG+wPLZI4Iych3d2ColXOa4=; b=MK3eqPAb/xOWkZJM8vwHy1FdXyVDAY5+0bji0zSOCaVhUhremczp0WiZ6InxjIxkaTy00 loubY0xyA2qgOzOCg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1629830259; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=ah4sF5N1/ANDQqHNG7xvTG+wPLZI4Iych3d2ColXOa4=; b=pqY72xLVlkUU4L/o+1yTc2jGF2QeHUFqgnJj/zhce5vCgfA2fxqBF05EsOICwuaVGTV7q uovTmCyjzprHdttSGNJxTryE4D+Gb7R+zS9+CTy5P8xoLl/H+Wr7Qwo8sQE1ZoqjBs8WdQK HyWoaHcBbhkN/ifpwCK8bejxFkUY4GiK9p97pDzx9nunS3h0+PrVrZ3ujA/XtRL3ovx2TlB cZBtt/JB0cjIWdTku3ByFtqeZEf+q7CcOoBiKTG+8YEUEx/+1kKOWo21Bf5ZyxYLydP98/B 3x9RZCS4524HLyv3PUur0oihGS08H5J8TMMDeBTg2OuyzX/Pk8vJIbKtEA3A==
Received: from fifthhorseman.net (lair.fifthhorseman.net [108.58.6.98]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id E54FFF9A6 for <dns-privacy@ietf.org>; Tue, 24 Aug 2021 14:37:39 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 31CBE20387; Tue, 24 Aug 2021 14:23:48 -0400 (EDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: DNS Privacy Working Group <dns-privacy@ietf.org>
In-Reply-To: <CAH1iCio6Jvi0_iQ7CFi8cny4poeOSJc1zcCHzwOP_4HWwHJYtg@mail.gmail.com>
References: <CABcZeBNRZsyjd-M_hKOwxdqY=Y7oZs5-d4waqPHb9gO-GJNV+Q@mail.gmail.com> <8b2ac283-614e-40d2-b6bf-5e67d5324aaa@www.fastmail.com> <CABcZeBM+rBLgUs+xzyhTOjCFuPdjUDPDMeFL6CAXanDaicC+Pg@mail.gmail.com> <CAHbrMsA3ROoeeDXm_HpXP73uFjVrEQUycQ0OR0e6JE0hCoS1sw@mail.gmail.com> <5EEBC284-71B3-4308-B5C6-AF3847A6ED36@icann.org> <CAH1iCio6Jvi0_iQ7CFi8cny4poeOSJc1zcCHzwOP_4HWwHJYtg@mail.gmail.com>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEX+i03xYJKwYBBAHaRw8BAQdACA4xvL/xI5dHedcnkfViyq84doe8zFRid9jW7CC9XBiI0QQf FgoAgwWCX+i03wWJBZ+mAAMLCQcJEOCS6zpcoQ26RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ/tr8E9NA10HvcAVlSxnox6z62KXCInWjZaiBIlgX6O5AxUKCAKbAQIeARYh BMKfigwB81402BaqXOCS6zpcoQ26AADZHQD/Zx9nc3N2kj13AUsKMr/7zekBtgfSIGB3hRCU74Su G44A/34Yp6IAkndewLxb1WdRSokycnaCVyrk0nb4imeAYyoPtBc8ZGtnQGZpZnRoaG9yc2VtYW4u bmV0PojRBBMWCgCDBYJf6LTfBYkFn6YAAwsJBwkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnL0Gwxvypz2tu1IPG+yu1zPjkiZwpscsitwrVvzN3bbADFQoI ApsBAh4BFiEEwp+KDAHzXjTYFqpc4JLrOlyhDboAAPkXAP0Z29z7jW+YzLzPTQML4EQLMbkHOfU4 +s+ki81Czt0WqgD/SJ8RyrqDCtEP8+E4ZSR01ysKqh+MUAsTaJlzZjehiQ24MwRf6LTfFgkrBgEE AdpHDwEBB0DkKHOW2kmqfAK461+acQ49gc2Z6VoXMChRqobGP0ubb4kBiAQYFgoBOgWCX+i03wWJ BZ+mAAkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnfvo+ nHoxDwaLaJD8XZuXiaqBNZtIGXIypF1udBBRoc0CmwICHgG+oAQZFgoAbwWCX+i03wkQPp1xc3He VlxHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaheiqE7Pfi3Atb3GGTw+ jFcBGOaobgzEJrhEuFpXREEWIQQttUkcnfDcj0MoY88+nXFzcd5WXAAAvrsBAIJ5sBg8Udocv25N stN/zWOiYpnjjvOjVMLH4fV3pWE1AP9T6hzHz7hRnAA8d01vqoxOlQ3O6cb/kFYAjqx3oMXSBhYh BMKfigwB81402BaqXOCS6zpcoQ26AADX7gD/b83VObe14xrNP8xcltRrBZF5OE1rQSPkMNy+eWpk eCwA/1hxiS8ZxL5/elNjXiWuHXEvUGnRoVj745Vl48sZPVYMuDgEX+i03xIKKwYBBAGXVQEFAQEH QIGex1WZbH6xhUBve5mblScGYU+Y8QJOomXH+rr5tMsMAwEICYjJBBgWCgB7BYJf6LTfBYkFn6YA CRDgkus6XKENukcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcEAx9vTD3b J0SXkhvcRcCr6uIDJwic3KFKxkH1m4QW0QKbDAIeARYhBMKfigwB81402BaqXOCS6zpcoQ26AAAX mwD8CWmukxwskU82RZLMk5fm1wCgMB5z8dA50KLw3rgsCykBAKg1w/Y7XpBS3SlXEegIg1K1e6dR fRxL7Z37WZXoH8AH
Date: Tue, 24 Aug 2021 14:23:47 -0400
Message-ID: <87wnoaln0s.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/kNDGNdN4xIJznwtFuH91UxCGCzM>
Subject: [dns-privacy] scope of authoritative signalling [Was: Re: [Ext] Intermediate proposal (what I was saying at the mic)]
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Aug 2021 18:37:47 -0000

On Thu 2021-08-05 11:06:12 -0700, Brian Dickson wrote:
>    - SVCB in the name server name's zone is where the signalling belongs
>    (on what transports are supported, per NS name, as well as authenticated or
>    not, etc)

I'm agnostic about the mechanism specifically, but i am curious as to
the rationale for the signalling being per-nameserver name.

The plausible options for where to signal, as i see it, are:

 a) signal per authoritative zone ("per zone") [excluding delegated subzones?]
 b) signal per authoritative nameserver name ("per NS name")
 c) signal per authoritative namserver IP address ("per IP")

I think the *information* we're looking to signal, however we do it,
consists of:

 0) what forms of encrypted transport are available
 1) what forms of authentication are available (including what
    public keys to expect?)
 2) when and how to report problems with encrypted+authenticated
    transport
 3) whether a recursor should hard-fail if the signalled
    authenticated+encrypted transport is not accessible (or, viewed
    as the inverse, whether fallback to port 53 is acceptable)

It's possible that these four different pieces of data belong to
different scopes.

For example, it's possible that 0 and 1 should be signaled "per NS name"
but 2 and 3 should be signaled "per zone".

Consider the situation where the zone administrator is different from
the NS operator.

Semantically, as a zone administrator, i think i would *want* (2) and
(3) to be "per zone", *not* "per NS name": i would want hardfail to be a
choice *I* make, not the NS operator, and if it's going to be a choice I
make, it needs to be a choice I can choose to gather data about, which
means i need to be able to control reporting.  I can see why (0) and (1)
might make more sense as "per NS name" operationally -- the NS operator
knows what services they can deploy and what authentication mechanisms
they can provide.

Some scenarios for the group to consider:

  I. Consider the case where NS record N1 for zone Z1 points to the same
     IP address X as NS record N2 for zone Z2.  A recursor knows that it
     has had a recent successful encrypted+authenticated connection to X
     as N1 (resolving a name in Z1), but is now looking up a name in
     zone Z2 via N2, and no signalling is available for Z2 or N2.  What
     should the recursor do?  In particular, should it go ahead and use
     the known-good enc+auth connection to X as N1, ignoring the fact
     that it's supposed to be accessed as N2?  should it try an
     encrypted connection to X as N2 but accept if the authentication as
     N2 fails?  Should it just make a cleartext connection to port 53
     instead?

 II. Consider the same circumstance as (I), but where signalling is
     available for N2 that says "DoQ with DANE authentication is
     available; do not fall back to cleartext transport (that is,
     hardfail)".  If authentication fails for N2, what should the
     recursor do?

III. Consider the same circumstance as (II), but where the signalling is
     available for Z2 instead of N2.  If authentication fails for N2,
     what should the recursor do?

 IV. What if the signalling does not indicate hardfail?

  V. What if the signal for Z2 or N2 says DoQ is indicated, but the
     recursor knows (by probing, or by experience) that DoT actually
     works?  What if it knows that DoT works for N1, but it fails to
     complete a DoQ connection to N2?

 VI. What if N2 itself resolves to multiple IP addresses, not merely X?
     Should the resolver treat those different addresses differently
     (e.g., should it prefer X where it knows some form of encrypted
     transport is available)?

There are a *lot* of moving parts here in terms of potential fallback
strategies and risks.  At a minimum, we have a multidimensional space
of:

 - types of transport
 - types of authentication
 - NS names
 - NS IP addresses
 - zones
 - whether to hardfail or not

and we haven't even touched the semantics or mechanics of reporting
problems (i.e., following a model like TLSRPT).

I'm worried that this complexity makes it nearly impossible to analyze
fallback behavior in any reliable way. (not from a security
perspective -- fallback isn't going to offer many guarantees -- but from
an availability/efficiency perspective, how do we evaluate it and figure
out whether there are edge cases that will break nameservice resolution?)

Can we cut this problem into more managable pieces than our current
breakdown?  In particular, can we drop all mention of signalling from
draft-ietf-dprive-unauth-to-authoritative?  Or maybe we need a separate
draft to specify probing-specific, opportunistic behavior for the
recursor without worrying about signalling at all.  If we could do that,
that would be a baseline behavior, and we could specify rules for
signal-handling as a deviation from that baseline.

Note that if opportunistic probing is done to provide maximal protection
against a passive monitor with a minimum risk of breakage/delay, it
would be neither "per NS name" nor "per zone" but rather it would be
"per IP address".

                --dkg

v2.23.0 | Report a Bug | By Email