Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement
"Paul Hoffman" <paul.hoffman@vpnc.org> Mon, 30 October 2017 15:51 UTC
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 460E54A2B for <dns-privacy@ietfa.amsl.com>; Mon, 30 Oct 2017 08:51:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MMP6TO7oNExS for <dns-privacy@ietfa.amsl.com>; Mon, 30 Oct 2017 08:51:32 -0700 (PDT)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D1714A99 for <dns-privacy@ietf.org>; Mon, 30 Oct 2017 08:42:22 -0700 (PDT)
Received: from [169.254.173.149] (50-1-51-141.dsl.dynamic.fusionbroadband.com [50.1.51.141]) (authenticated bits=0) by mail.proper.com (8.15.2/8.14.9) with ESMTPSA id v9UFeu1K070219 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 30 Oct 2017 08:40:57 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 50-1-51-141.dsl.dynamic.fusionbroadband.com [50.1.51.141] claimed to be [169.254.173.149]
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: dns-privacy@ietf.org
Date: Mon, 30 Oct 2017 08:42:18 -0700
Message-ID: <1B2537D5-DFD7-407A-A84E-925C85EF9268@vpnc.org>
In-Reply-To: <871slkd66k.fsf@fifthhorseman.net>
References: <878tfwey8w.fsf@fifthhorseman.net> <73F186C6-1F35-40B0-8C36-D4F011D11344@sinodun.com> <871slkd66k.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Mailer: MailMate (1.9.7r5425)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/pQv8xlgjrftVGlhKydmhT1-0nA0>
Subject: Re: [dns-privacy] review of draft-ietf-dprive-dtls-and-tls-profiles-11: we should revert DNSSEC validation requirement
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Oct 2017 15:51:33 -0000
On 30 Oct 2017, at 8:08, Daniel Kahn Gillmor wrote: > On Mon 2017-10-30 13:11:41 +0000, Sara Dickinson wrote: >> if it ends up just being a MAY (although I would like to see SHOULD >> as >> a minimum for opportunistic). > > SHOULD validate, but with what failure mode? +1 to the question: we're talking about Opportunistic mode here. > are we really saying that > opportunistic SHOULD deliver a DoS instead of a loss of privacy? Some of us are most emphatically not saying that. . . . > sure, but this is the case for non-private DNS as well, right? So the > mitigation in this case is with respect to the features that "private > DNS" is supposed to offer. Whatever those features are, they are > absent > given an attacker-controlled DNS resolver. So if the DNS-over-TLS > server is intended to also provide integrity protection, yes, that > would > also be lost. I think we're agreeing here, right? I apologize if > "loss > of privacy" is a misleading shorthand. > >> Take the case where the DNS server from DHCP really is legitimate. >> The >> fact that the meta-query answer _could_ be spoofed provides a vector >> for an opportunistic client to be directed to an attackers' DNS >> server. Note that this attack is not possible on a ’normal’ >> client >> that directly uses the DHCP provided server, the attacker has to >> attack each individual query. My concern here is that without DNSSEC >> validation of the re-direct Opportunistic clients have an additional >> risk of this kind of attack than ’normal’ ones. > > ok, i think i understand. The concern is that a > non-network-controlling > attacker who can spoof DNS responses but can't spoof DHCP responses > can > now take over full DNS resolution of opportunistic clients just by > racing (and winning) the legitimate metaquery response. > > This is true, but the threat model we're worrying now include all of > the > following characteristics: > > * attacker does not control the client's network (otherwise, they > could > redirect the port 853 queries anyway) > > * attacker cannot (or has failed to) race the client's DHCP > connection > (otherwise, they'd point to a different DNS server anyway) > > * attacker *can* race the legitimate response to the client's > opportunistic metaquery. > > * client is in opportunistic mode. > > So the question is, in this particular corner case, what is the right > mitigation to the scenario where "if DNSSEC validation of the > opportunistic metaquery fails…" ? > > if the answer is "…proceed as though it had not failed (trying to > connect to the preferred server's proposed address), but continue > listening for another response to the metaquery; prefer subsequent > metaquery responses that do have DNSSEC validation over those > responses > that are not DNSSEC validated." Then i'd be ok with it, but it's not > specified in the draft. > > If the answer is "…hard-fail and deny DNS service", then i think > that's > incorrect given the goals of opportunistic mode. Agree. And fully agree that an attacker who can do the third bullet *but not the second* is a very obscure corner case. Having this document say, in essence, "you don't get opportunistic encryption unless you add a DNSSEC validation stack" feels like a regression to the original goals of this WG. --Paul Hoffman
- [dns-privacy] review of draft-ietf-dprive-dtls-an… Daniel Kahn Gillmor
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Ben Schwartz
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Wouters
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Wouters
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Wouters
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Daniel Kahn Gillmor
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Stephen Farrell
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Sara Dickinson
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Stephane Bortzmeyer
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Hoffman
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Daniel Kahn Gillmor
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Hoffman
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Stephen Farrell
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Sara Dickinson
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Antoine Germanos
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Wouters
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Sara Dickinson
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Paul Hoffman
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Stephen Farrell
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Sara Dickinson
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Sara Dickinson
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Konda, Tirumaleswar Reddy
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Daniel Kahn Gillmor
- Re: [dns-privacy] review of draft-ietf-dprive-dtl… Antoine Germanos