IETF Logo Mail Archive

Re: [dns-privacy] [Ext] Threat Model

Brian Dickson <brian.peter.dickson@gmail.com> Wed, 06 November 2019 17:04 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45F1E120072 for <dns-privacy@ietfa.amsl.com>; Wed, 6 Nov 2019 09:04:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TKUPV0jxY3a3 for <dns-privacy@ietfa.amsl.com>; Wed, 6 Nov 2019 09:04:56 -0800 (PST)
Received: from mail-vs1-xe34.google.com (mail-vs1-xe34.google.com [IPv6:2607:f8b0:4864:20::e34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7356D120071 for <dns-privacy@ietf.org>; Wed, 6 Nov 2019 09:04:56 -0800 (PST)
Received: by mail-vs1-xe34.google.com with SMTP id y129so16447660vsc.6 for <dns-privacy@ietf.org>; Wed, 06 Nov 2019 09:04:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=zpAfWuLqay5pKNw2nlLp7c6Q0JaxGk53Opv7ySzMCSo=; b=jyhaGTCgDwdpEyukkUYN5cKuueVNxf/RxlmhNSkZQ3HHV8Cujb0QM5u/ZZf5VTBMj2 COuNd7GmTJEnbfO3Brebsarp3XEkkWzEIBzFnczVMNqRa8fnJ/Q/kZ+yGLVfLlY+MCsh j9jS1wDRJl0UnPXaNQr8j0EkrPj3aEFXMXKjFZW4dDh8tVx6wzfphatdbquiiLWa0RQL bFMRZK0q6UNW99b4wDMHhgfCe9YgaKohjQGojYZh2W6MXYpM9Qm8Obm3jHYpfBIoqSbg i2juffovzFD0rp5GaM/8Zip1uG1e2UP/VN2MMUeMEBfvOXSt5fgTafFizMgTAogs0jwv h6SA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=zpAfWuLqay5pKNw2nlLp7c6Q0JaxGk53Opv7ySzMCSo=; b=RafifYREZ1lELw1bDgehe00fiUG1IZyRj6dFFxLW83M6iSlmq9wneKe4wmO5aBWw1N IZ8WVlaGvX+awhMqxbeGTUzXzF7XWcls9UawRVbIAJAuee9mHP6IDwVXgVVW+REQqeR3 pb6ApYL95PgDwjMTY4h+yyI+si9eJ95dkiJNf+uIuffUl5e/E00C7Va2g4asiIFjVZZU 9OMZCHADnGVpL/xOeMNneXbfCPJ9iUlP5pB9vCN1CghzJZs9bhzhCCQfEBcuRXWcLwI/ 9M6DFzpbI7EcB30v5/UWQhgrQNTJ0JloK4WzxIj2P6TU2fK2SsBfWW8F6LtdI5ixUr3K LIjg==
X-Gm-Message-State: APjAAAUNSdew0OanQ9ZMfH6YfKj1BpZftEP5sQqO6bVULAb72FAdTOsU 4V2pa7qE8EiOo1tS3T3413ze1dEsCuisuNrFXsI=
X-Google-Smtp-Source: APXvYqzAlR67GlYzkzf6IZ418qcy7AEKMBGFlqDyWr69WZ7QLIs4JQ5KBnq22LJYg9gd0Jgy5MdWNMLKm5E/skrrusc=
X-Received: by 2002:a67:fb50:: with SMTP id e16mr1788582vsr.75.1573059895436; Wed, 06 Nov 2019 09:04:55 -0800 (PST)
MIME-Version: 1.0
References: <CABcZeBMQEJ=LE8ATQYnJj59srsK47hf4HT3BMMg3X2crVfSUXQ@mail.gmail.com> <CABcZeBMFDbATVRvJvvs5b4giQ=0B82i76ahv-ffDgWJOzqZccw@mail.gmail.com> <CAHw9_i+e8veeAz+KYXjvchmjKJz6OZHX1pEYx_Tvs8n5xnfBnQ@mail.gmail.com> <6D6233DC-4D7C-45BC-9D4E-08E6E882C1A5@nohats.ca> <alpine.DEB.2.20.1911042035571.29247@grey.csi.cam.ac.uk> <CAH1iCioH86q1CX7A+F8ON4uzpGqipUy8m3iczyNqSKirAsYBQg@mail.gmail.com> <alpine.LRH.2.21.1911041652450.5093@bofh.nohats.ca> <CABcZeBOtY3saJe5DWTu=Jqy5guqdoKPKSR+XYddbvxwxKsxmig@mail.gmail.com> <CAHw9_iKaeT0VEjZfoCi9Nddc+VBBj0JHWDHv+=g3xzvb6L+Nvg@mail.gmail.com> <alpine.LRH.2.21.1911050941090.30046@bofh.nohats.ca> <CAHw9_i+MxMCd7dDO7N0-hc1SDjvBeoLoUvbg4JWDzXyjR0u4xQ@mail.gmail.com> <CAHw9_iKhaA9Nb+eH92YfzdepU90_DgLyS-ZDaMAehKOFO0ksEA@mail.gmail.com> <FC51D8EC-5ADC-4415-82EB-C6C6E4E8D84A@fl1ger.de> <F0DD4028-2404-4232-90F8-E9937877C261@nohats.ca> <b7108cff-0e50-d168-aa49-2626eb83ee22@cs.tcd.ie> <d465d9e5-5a9f-8968-8f73-1493ec5f2c36@icann.org>
In-Reply-To: <d465d9e5-5a9f-8968-8f73-1493ec5f2c36@icann.org>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Wed, 06 Nov 2019 09:04:44 -0800
Message-ID: <CAH1iCioO6NBpYkjzCX+vBTXVTFK9zH0KZULt3tQsA3ov8UBpiA@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000472e490596b08cbe"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/ko4-PkvkLvqaXiZb0W0q9Qosg5g>
Subject: Re: [dns-privacy] [Ext] Threat Model
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Nov 2019 17:04:58 -0000

On Wed, Nov 6, 2019 at 8:21 AM Paul Hoffman <paul.hoffman@icann.org> wrote:

> Given that we are (still supposedly) talking about requirements and not
> solutions, I would be unhappy with a requirement that prevents a resolver
> that is not validating from being able to use encrypted transport to
> authoritative servers. Any protocol we develop for ADoT capability
> discovery should prevent downgrade attacks but should also work fine for
> resolvers that do not validate.
>

Why?

Or rather, let me put together a straw-man to attack.

Suppose the requirement (for the protocol for establishing the encrypted
transport for actual ADoT or for discovery of ADoT parameters) was that
*for this record* the record must be signed and must be validated, but that
it placed no broader requirement on validation.

I.e. TSLA for cert validation for the TLS connections used, which would
require DNSSEC validation (mandatory per DANE RFCs).

That would mean resolvers that don't validate *generally*, but do follow
the protocol (and validate very specific records) would would fine. Would
that be an unhappy-making requirement, or would you be okay with that
hair-splitting on validation?

Given that presumably *some* changes would need to be made to resolvers for
ADoT, IMHO the particulars of *what* changes should all be open to
discussion.

Brian

v2.23.0 | Report a Bug | By Email