IETF Logo Mail Archive

Re: [dns-privacy] [Ext] Threat Model

Bob Harold <rharolde@umich.edu> Fri, 08 November 2019 22:06 UTC

Return-Path: <rharolde@umich.edu>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9FE51200FE for <dns-privacy@ietfa.amsl.com>; Fri, 8 Nov 2019 14:06:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umich.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PGICAlcBotk1 for <dns-privacy@ietfa.amsl.com>; Fri, 8 Nov 2019 14:06:36 -0800 (PST)
Received: from mail-lj1-x22e.google.com (mail-lj1-x22e.google.com [IPv6:2a00:1450:4864:20::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B660120025 for <dns-privacy@ietf.org>; Fri, 8 Nov 2019 14:06:36 -0800 (PST)
Received: by mail-lj1-x22e.google.com with SMTP id g3so7736945ljl.11 for <dns-privacy@ietf.org>; Fri, 08 Nov 2019 14:06:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu; s=google-2016-06-03; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=U0GOqRafU8cNf6XqMPAvTO/uNYllwmKt8qL5w6/s80o=; b=JNyhaY5mb7L3piauP63Ldlq2DGWIJ1MtbMdJG0dcjvrbgUNkJf1gqhSoji3DUgSmUR mBQZsdRcqSSexPqsoj9YoJJRPtzs54d8WFTYPbYrQG52SjSuePlrUm7Mzlg7F04di9EJ IXeFE9rkkz8C3LiQ7BPpgzTLa8qhBv2zzgxN1YIJocHMwuDmYp6qlZWtpn+4gHn/FyTc blllmeCsOyjgjlQZH2bN3PQeoHnKY3jY57PBZDk2sp1V5x407K25/IwH4bsYnF3l7C50 9nOs4VmydTNLbeAUKAd4s7bAuWaYk8CTdBGEzBIgsR0/p3nPD0w4xOoiG+t9q04T8ooL nWeg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=U0GOqRafU8cNf6XqMPAvTO/uNYllwmKt8qL5w6/s80o=; b=L/eed/Ezi5d7VzpV15/VQfC7RcstUbNi8SAPbUeENPLkN5wUKcpdDTWEa4tvwSUEMF 6N9KTnHE3Z6Sy7NHww3pW7ePbKfdyC4KSNyW3itiGaohCaOkNQOUq2s3JSVHQjzYgJLP VK9Icv0rBCXunN33YnZk8iT0tqAqbqOePHgyu1BulaVxTX2QEJvsdyQtWz4n0POyRNaf HYt8rODDaSKilFe5KGERzq3PgKNajvIgpf+WsDRWv9wBx/Bd//Syyum0Q10y8RRlGKP/ odOQkY/b5FPV0NM1L/uQ0dpRVhhCdAa8BGc7g07GIGax6ZZ11Wx6O+GSWE9A6Mxt+xYU T2tg==
X-Gm-Message-State: APjAAAW8ZjhAIUR8Zcb31ZxIg6Hk2YsizRYgUq1GSy5rR8F/sdIOh7pS 0C0mTWk34B+8C1Mh+Id4r6ZYtyqhQz0ru4P+PHK05SyP
X-Google-Smtp-Source: APXvYqyXb3xtWFUigwJnkmCHEaftMHb6EiTXqEzwNAj+3UIzbXaM7HmaE/5GGv/mN1GETrq2kVSj5lD9jNSzwXm8f/Y=
X-Received: by 2002:a2e:9802:: with SMTP id a2mr8404323ljj.254.1573250793958; Fri, 08 Nov 2019 14:06:33 -0800 (PST)
MIME-Version: 1.0
References: <CABcZeBMQEJ=LE8ATQYnJj59srsK47hf4HT3BMMg3X2crVfSUXQ@mail.gmail.com> <CAHw9_i+e8veeAz+KYXjvchmjKJz6OZHX1pEYx_Tvs8n5xnfBnQ@mail.gmail.com> <6D6233DC-4D7C-45BC-9D4E-08E6E882C1A5@nohats.ca> <alpine.DEB.2.20.1911042035571.29247@grey.csi.cam.ac.uk> <CAH1iCioH86q1CX7A+F8ON4uzpGqipUy8m3iczyNqSKirAsYBQg@mail.gmail.com> <alpine.LRH.2.21.1911041652450.5093@bofh.nohats.ca> <CABcZeBOtY3saJe5DWTu=Jqy5guqdoKPKSR+XYddbvxwxKsxmig@mail.gmail.com> <CAHw9_iKaeT0VEjZfoCi9Nddc+VBBj0JHWDHv+=g3xzvb6L+Nvg@mail.gmail.com> <alpine.LRH.2.21.1911050941090.30046@bofh.nohats.ca> <CAHw9_i+MxMCd7dDO7N0-hc1SDjvBeoLoUvbg4JWDzXyjR0u4xQ@mail.gmail.com> <CAHw9_iKhaA9Nb+eH92YfzdepU90_DgLyS-ZDaMAehKOFO0ksEA@mail.gmail.com> <FC51D8EC-5ADC-4415-82EB-C6C6E4E8D84A@fl1ger.de> <F0DD4028-2404-4232-90F8-E9937877C261@nohats.ca> <b7108cff-0e50-d168-aa49-2626eb83ee22@cs.tcd.ie> <d465d9e5-5a9f-8968-8f73-1493ec5f2c36@icann.org> <alpine.LRH.2.21.1911081633490.9092@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1911081633490.9092@bofh.nohats.ca>
From: Bob Harold <rharolde@umich.edu>
Date: Fri, 08 Nov 2019 17:06:22 -0500
Message-ID: <CA+nkc8D1uvc9+TRcyOY=jg3MmC33QjtVNPkLyo1bnE_syVp=2A@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: Paul Hoffman <paul.hoffman@icann.org>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b7865a0596dcfe44"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/nKZtW2TOXJ3k67m_v26q1Rez-XY>
Subject: Re: [dns-privacy] [Ext] Threat Model
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Nov 2019 22:06:39 -0000

On Fri, Nov 8, 2019 at 4:37 PM Paul Wouters <paul@nohats.ca> wrote:

> On Wed, 6 Nov 2019, Paul Hoffman wrote:
>
> > Given that we are (still supposedly) talking about requirements and not
> solutions, I would be unhappy with a requirement that prevents a resolver
> that is not validating
>
> Why would a _resolver_ not be validating ?
>
> I understand the reasons for web applications that do not want to do
> validating, though I disagree with those. But for actual DNS resolvers,
> running as DNS caching server on either laptop or in an enterprise, I
> see no valid reason why it should not be validating at this point.
>
> > Any protocol we develop for ADoT capability discovery should prevent
> downgrade attacks but should also work fine for resolvers that do not
> validate.
>
> I strongly disagree. Resolvers towards Authoritative servers are core
> infrastructure, and that core should have no problems using the latest
> DNS RFC's.
>
> Paul
>

I hate to admit it, and this is a little off topic, but my resolvers are
not (yet) validating.
Is there a setting that will attempt to validate, and log if it fails, but
still answer the users?
I hear that there are occasional sites that fail validation, and would like
to know what will break if and when I begin to validate.
I will also need to monitor the added load on the servers, although I don't
expect it to be a problem.
I realize that not everyone agrees with this level of
caution/fear/lack-of-backbone (I am sure there are other descriptions
people would prefer).

-- 
Bob Harold

v2.23.0 | Report a Bug | By Email