IETF Logo Mail Archive

Re: [dns-privacy] Intermediate proposal (what I was saying at the mic)

Christian Huitema <huitema@huitema.net> Mon, 02 August 2021 06:22 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A626F3A0C3C for <dns-privacy@ietfa.amsl.com>; Sun, 1 Aug 2021 23:22:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.59
X-Spam-Level:
X-Spam-Status: No, score=-2.59 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9nnSnf_PP0Dp for <dns-privacy@ietfa.amsl.com>; Sun, 1 Aug 2021 23:22:25 -0700 (PDT)
Received: from mx36-out10.antispamcloud.com (mx36-out10.antispamcloud.com [209.126.121.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D17483A0C3B for <dns-privacy@ietf.org>; Sun, 1 Aug 2021 23:22:25 -0700 (PDT)
Received: from xse216.mail2web.com ([66.113.196.216] helo=xse.mail2web.com) by mx134.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1mARLA-0006Za-9v for dns-privacy@ietf.org; Mon, 02 Aug 2021 08:22:22 +0200
Received: from xsmtp22.mail2web.com (unknown [10.100.68.61]) by xse.mail2web.com (Postfix) with ESMTPS id 4GdSbF0bHMz5Rx for <dns-privacy@ietf.org>; Sun, 1 Aug 2021 23:22:17 -0700 (PDT)
Received: from [10.5.2.16] (helo=xmail06.myhosting.com) by xsmtp22.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1mARL6-0003Eh-UW for dns-privacy@ietf.org; Sun, 01 Aug 2021 23:22:16 -0700
Received: (qmail 28779 invoked from network); 2 Aug 2021 06:22:16 -0000
Received: from unknown (HELO [192.168.1.104]) (Authenticated-user:_huitema@huitema.net@[172.58.43.253]) (envelope-sender <huitema@huitema.net>) by xmail06.myhosting.com (qmail-ldap-1.03) with ESMTPA for <dns-privacy@ietf.org>; 2 Aug 2021 06:22:16 -0000
To: Martin Thomson <mt@lowentropy.net>, dns-privacy@ietf.org
References: <CABcZeBNRZsyjd-M_hKOwxdqY=Y7oZs5-d4waqPHb9gO-GJNV+Q@mail.gmail.com> <8b2ac283-614e-40d2-b6bf-5e67d5324aaa@www.fastmail.com>
From: Christian Huitema <huitema@huitema.net>
Message-ID: <a283b0f0-69ec-5e18-1c8b-85637293e06d@huitema.net>
Date: Sun, 01 Aug 2021 23:22:15 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.12.0
MIME-Version: 1.0
In-Reply-To: <8b2ac283-614e-40d2-b6bf-5e67d5324aaa@www.fastmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
X-Originating-IP: 66.113.196.216
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.196.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.196.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.14)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT+ObLa7JmPeCZV86S8QEGB+PUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5zh2yKlFwkOJL4c32G0KduLVjVx0XVkNnHJMw/amoreOU4Q l39q9y39/nXw4TZvOnNwGYjbvhzWX8Co+5c+eruaSxIRXVMlFuiz/acFNeeXtxN2fFxZWB9eYgpR BRu3UlDHMLIJYRi1cXH9Dbm+IxLV0XgtlP1veEWDxFjeo42e2HGFd932lfz+R/06O3Iy4amLIlhV wP2HQYvX8wxRXZtkkVWClPVvbW5lVyQanRxw5hTHswbbB/ha+ZWrSAi8SkwqWAikMcSxTAWn8RCv ieGEqjG/gXZAaRh1X6LVetRf2ZYIiHqfCgG4wrA3w4/kQTYKxDHA9JN9J4k4XZq11JQkMemT4rxn nByU11Ftkqf3f/PF3GUV+KdBBqrnCX8j0Gi8Ksk+aedMfNWSnJswrtlNtZo3HPHi5Q+jjsF5dcBx ehWYzrkgsp4/Fysgb2cPV4IH0+lPwKr4i5mAANUcVraZYOaeuiH/yEdZH8S1+TgcJBOjh0vPxcQO jKKOrYIQYpwamUdylUIKhf3z2GAHxH7Iiihnln5nLwsYugixy853dlAMC5uyzWopS9Dc1M1eiea6 waGfcpP29mpmtOMHbuFlb3UQT3xbkHqpqmyCe4PiKWIgJ2XxgK7Je5b0uU+cZFhDVPQ6fMev1BMP vQ9qu4cW0z6bhalFEM/pjPCQA+BAlpwGZrzb+VftcMDBHXh8G8q3h1ESmlc3/lS5x7qxkdlaRajE ZzGnC5NuPGKfx5G9k/2EL9W49nom27Q+YxiVKWBRXxKF5tPxTxfD0dMN+t5ZjAS4aCKbpuSkpIzD OHcdT3jZjh2PRg3GRvi3cJu32dKN9/YGRrhMRGhIOTxMW00yF8F1u0YDQf8cLP9taeSLFY0fPBnF 89BphpBNlUg+TzHwBTL1+6vDOMemz/4I88NDcmnEJ4r7C+SwLRamrhQTd3PrpJpP5ewAjeqkzRNl ucyd+NO2McmveAr4ch9F7rE89jihx+Za/cV70jOJzN2r4A==
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/qvTUmVgbc1y5zJAlm2z1j-uKDbE>
Subject: Re: [dns-privacy] Intermediate proposal (what I was saying at the mic)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Aug 2021 06:22:28 -0000

On 8/1/2021 9:21 PM, Martin Thomson wrote:
> On Fri, Jul 30, 2021, at 06:08, Eric Rescorla wrote:
>> - Recursives can attempt to connect to any authoritative by probing
>>    with DoT/DoQ [0]. In this case, they should cleanly fall back to
>>    Do53 on connect failure and not validate the credential (whether
>>    WebPKI or DANE) This allows authoritatives to just turn on TLS
>>    without risk.
> I assume that your MUST NOT validate here only exists because of the combination of:
>
> 1.  Us not being able to decide between Web PKI and DANE; and
>
> 2.  The potential for an unauthenticated mode.
>
> If we decided on a single answer for the first and in the negative for the second, would that make authentication viable?  Or is the opportunism a feature?

I am torn on the PKI vs DANE issue. I understand the simplicity of using 
Let's encrypt or similar and getting an X.509 certificate backed by 
proof of ownership of the domain name. But I am also very concerned that 
this introduces a circular dependency. Allowing for DANE breaks that 
dependency when DNSSEC is available, which is why I would like 
authentication to allow both. If the server can prove its identity using 
either DANE or PKI, the client is probably fine.

And given the simplicity of getting PKI, I don't quite see the point of 
an unauthenticated mode. It does not ease the deployment much, and it 
paints a thick MITM target. I would rather fall back to Do53 than to 
unauthenticated DoT or DoQ.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email