Re: [dns-privacy] [Ext] Re: ADoT requirements for authentication?

Eric Rescorla <ekr@rtfm.com> Fri, 01 November 2019 15:34 UTC

References: <CAHbrMsDwDoTQN8Y5Zk7rSVepjwwyatEyAA6f0oJ9DESmAfHfXg@mail.gmail.com> <20191031211222.A6422DBC1C7@ary.qy> <CAH1iCiqYoXMZ0U3yt8AjUXyZVRdDnmHzSpHvYmg++ACZ-U6=zA@mail.gmail.com> <CABcZeBP-k23ZY=f6Lv5A+B+Z_4ar_9ea=G7O+KRriXNLUzKGqw@mail.gmail.com> <CAH1iCiq_HtErNkeq4hWQJnsDJPn1Zxv0uCLX+HK3QcsSzdxRww@mail.gmail.com>
In-Reply-To: <CAH1iCiq_HtErNkeq4hWQJnsDJPn1Zxv0uCLX+HK3QcsSzdxRww@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 01 Nov 2019 08:34:02 -0700
Message-ID: <CABcZeBOPWrqCcYWx+ei-O+QC_npfVhj1fG_kVFGFXhWkjyu28g@mail.gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: John Levine <johnl@taugh.com>, Ben Schwartz <bemasc@google.com>, dns-privacy@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/oZFkiPWvazEZYlLN98ubEvCO6DY>
Subject: Re: [dns-privacy] [Ext] Re: ADoT requirements for authentication?

On Fri, Nov 1, 2019 at 8:16 AM Brian Dickson <brian.peter.dickson@gmail.com>
wrote:

>
>
> On Thu, Oct 31, 2019 at 7:38 PM Eric Rescorla <ekr@rtfm.com> wrote:
>
>>
>>
>> On Thu, Oct 31, 2019 at 2:41 PM Brian Dickson <
>> brian.peter.dickson@gmail.com> wrote:
>>
>>> IMNSHO, ADoT at the leaf + QNAME minimization is all that is required
>>> for privacy.
>>> I.e. No need for ADoT anywhere other than at the leaf zone's name server
>>> (whose NS name might not be in-bailiwick, FYI).
>>>
>>
>> Hmm.... I think that's only true if you are assuming that the NS record
>> for the leaf is DNSSEC secured, but that doesn't seem like a safe
>> assumption.
>>
>
> Let me re-emphasize this from the original statement: "FOR PRIVACY".
>
> DNSSEC security is orthogonal to privacy, and is not a requirement FOR
> PRIVACY.
>

I don't believe that that's correct in this case. The issue here is that in
order to provide confidentiality for the queries (in this case to the
authoritative) you need to authenticate the resolver. And that means
authentically learning the name of the resolver. So, for instance, if I go
to learn the NS for .com and the attacker gives me www.attacker.com, then
he can learn my queries. The name of the resolver can be authenticated by
DNSSEC or (less strongly) by having each query protected via secure
transport.

-Ekr
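The dependency described in the message above, as an added toy model that is not part of the thread and is not real DNS, DNSSEC or TLS code: an HMAC under a key the attacker does not hold stands in for the parent zone's RRSIG over the NS record, a dictionary lookup stands in for TLS certificate verification against the name the resolver learned, and the name ns1.example.net is constructed (www.attacker.com is taken from the message). It models the two mitigations named in the message, DNSSEC validation of the referral and fetching the referral itself over authenticated transport, and shows that encrypting the leaf connection alone does not protect the queries when the NS name was learned from an unauthenticated referral.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the parent zone's signing key. The on-path
# attacker in this model never holds it, so it cannot forge a valid "RRSIG".
ZONE_KEY = b"constructed-toy-zone-signing-key"


def sign_delegation(owner: str, ns_name: str) -> str:
    """Toy RRSIG: an HMAC over the NS record (not real DNSSEC)."""
    return hmac.new(ZONE_KEY, f"{owner} NS {ns_name}".encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Referral:
    owner: str    # delegated zone, e.g. example.com
    ns_name: str  # name of the authoritative server the resolver will contact
    rrsig: str    # toy signature over (owner, ns_name)


# The genuine delegation as published by the parent (constructed data).
GENUINE = Referral("example.com", "ns1.example.net",
                   sign_delegation("example.com", "ns1.example.net"))

# Toy TLS: each party holds a certificate valid for its own name only, so a
# handshake "succeeds" for whoever legitimately owns the name being contacted.
CERT_HOLDER = {"ns1.example.net": "operator", "www.attacker.com": "attacker"}


def tamper(referral: Referral) -> Referral:
    """On-path attacker swaps the NS name but must reuse the old signature."""
    return Referral(referral.owner, "www.attacker.com", referral.rrsig)


def fetch_referral(attacker_on_path: bool, parent_over_adot: bool) -> Referral:
    """The referral as the resolver receives it from the parent.

    If the parent was reached over authenticated transport, an on-path
    attacker cannot rewrite the answer in transit.
    """
    if attacker_on_path and not parent_over_adot:
        return tamper(GENUINE)
    return GENUINE


def rrsig_valid(referral: Referral) -> bool:
    """DNSSEC-style validation of the referral (toy HMAC check)."""
    expected = sign_delegation(referral.owner, referral.ns_name)
    return hmac.compare_digest(referral.rrsig, expected)


def adot_connect(ns_name: str) -> Optional[str]:
    """Toy ADoT handshake: returns who authenticated as ns_name, or None."""
    return CERT_HOLDER.get(ns_name)


def who_sees_queries(attacker_on_path: bool,
                     dnssec_validating: bool,
                     parent_over_adot: bool) -> Optional[str]:
    """Returns 'operator', 'attacker', or None if the resolver refuses to proceed."""
    referral = fetch_referral(attacker_on_path, parent_over_adot)
    if dnssec_validating and not rrsig_valid(referral):
        return None  # bogus delegation: do not send queries anywhere
    # Leaf connection is encrypted and authenticated for the learned name;
    # that only helps if the name itself was learned authentically.
    return adot_connect(referral.ns_name)


if __name__ == "__main__":
    for attacker, dnssec, parent_adot in [(False, False, False), (True, False, False),
                                          (True, True, False), (True, False, True)]:
        print(f"attacker={attacker} dnssec={dnssec} parent_adot={parent_adot} "
              f"-> {who_sees_queries(attacker, dnssec, parent_adot)}")
```

The second case is the one the message warns about: the leaf ADoT handshake succeeds, because the attacker does hold a certificate for www.attacker.com, and the resolver's queries go to the attacker. Either validating the referral or fetching it over authenticated transport closes that gap in the model.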