Re: [dns-privacy] [Ext] Threat Model
Brian Dickson <brian.peter.dickson@gmail.com> Wed, 06 November 2019 00:36 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18EC51200C3 for <dns-privacy@ietfa.amsl.com>; Tue, 5 Nov 2019 16:36:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id trKVVn7uSN3N for <dns-privacy@ietfa.amsl.com>; Tue, 5 Nov 2019 16:36:03 -0800 (PST)
Received: from mail-vs1-xe35.google.com (mail-vs1-xe35.google.com [IPv6:2607:f8b0:4864:20::e35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E01D8120154 for <dns-privacy@ietf.org>; Tue, 5 Nov 2019 16:36:02 -0800 (PST)
Received: by mail-vs1-xe35.google.com with SMTP id w25so14807600vso.4 for <dns-privacy@ietf.org>; Tue, 05 Nov 2019 16:36:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=nqGVlgJhVM6ZhbsMk379kSLN9rxtZnQNMrHeuEo5kcU=; b=sAwBjiiv1xNn/p7HJOaeCDWtjujkdrod16SnnKQMuwsqpK2gbXkW5GHWUJtdlw6+4t WjVsI2SdySFgN1sWL76UNiH80h8OpQkqG6+lf/dHrhBlm3GgsUARQvr8QE3YPDV4TmZA U9BbDpWNh2Mhn05TifFm6FGnkbO0UypIK2Ci7bz0H9fN1INyUvZCzPIDCefmZqk0DcaB nSOSSEwVCrVIzoONyIBhdH61X4uz33dgajrfM3rMVfwPdhgKiP7Hn8HnLZGUV57CGetJ hTBBN7KYEncQ/sJOyY4LyzkQYfj8662/0xrqux6/sckfJejyb2KUg9LyfM4jlqrd2sOe MaDQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=nqGVlgJhVM6ZhbsMk379kSLN9rxtZnQNMrHeuEo5kcU=; b=iOhZ+iKPVTaxOpGGvT1Dx9q7D4TEhGT9KwCJHyjbBCaUCt0QvwZAAM5Y1SmMfYFYQk MjZeKwTVw3ydbtTiX14F+v8LqnfCjrjOz+zzElIuc155zmeJIRgrFdMXmlPg3iCCqYEj 0Dd38401h3YzQ0OUv8r9Vxf4qfh7ArEDx/sBni94LAzH8bMIbJ30UoruzgFPukZaMmRg cahUgrZY7AaoHidtlXJNTfty9BhCYgh04/Pea9PsgO59QxSqcUBiczbPJSPosxKT3Q24 +efbKXxKMyVOCj4QwawGveZXXGWHU8RIGL9SStnTGNSWZXTmhYBQY6KVdAez5MszmDQF EGwg==
X-Gm-Message-State: APjAAAUK3LmkTJ7ZWQhjnqKyHyyP4RjMxsoe4U2eNeuLXTfSktX4ua4u 7M7pwyT0H0EKMHLw1HUPk7dNKAKH88xGrpZLqhyvSw==
X-Google-Smtp-Source: APXvYqz/f5AywjjFONu6ll/c4b9zQFV6dG97Ow+BaugnpN4hGfi6aaIlV3gdydieJK7+apPW2pRmIScUIxpOVGkk5o0=
X-Received: by 2002:a67:e451:: with SMTP id n17mr6010862vsm.199.1573000561701; Tue, 05 Nov 2019 16:36:01 -0800 (PST)
MIME-Version: 1.0
References: <CABcZeBMQEJ=LE8ATQYnJj59srsK47hf4HT3BMMg3X2crVfSUXQ@mail.gmail.com> <CABcZeBOhSYvqPyDcm9zbMYRc03DmPcCKYTYE-uC54=Mm9HMcnQ@mail.gmail.com> <99ee8cd4-9418-2d64-57fd-487b4f2c3a1a@cs.tcd.ie> <CABcZeBOBFFi=dA_XEzhkYvRU6kzvND5CMQcMoyriYusDH0RbKQ@mail.gmail.com> <CAHw9_iLz5No-SKa74To03ida3DHfeKY58CrJFJpLph8FsvzNQQ@mail.gmail.com> <CABcZeBMFDbATVRvJvvs5b4giQ=0B82i76ahv-ffDgWJOzqZccw@mail.gmail.com> <CAHw9_i+e8veeAz+KYXjvchmjKJz6OZHX1pEYx_Tvs8n5xnfBnQ@mail.gmail.com> <6D6233DC-4D7C-45BC-9D4E-08E6E882C1A5@nohats.ca> <alpine.DEB.2.20.1911042035571.29247@grey.csi.cam.ac.uk> <CAH1iCioH86q1CX7A+F8ON4uzpGqipUy8m3iczyNqSKirAsYBQg@mail.gmail.com> <alpine.LRH.2.21.1911041652450.5093@bofh.nohats.ca> <CABcZeBOtY3saJe5DWTu=Jqy5guqdoKPKSR+XYddbvxwxKsxmig@mail.gmail.com> <CAHw9_iKaeT0VEjZfoCi9Nddc+VBBj0JHWDHv+=g3xzvb6L+Nvg@mail.gmail.com> <alpine.LRH.2.21.1911050941090.30046@bofh.nohats.ca> <CAHw9_i+MxMCd7dDO7N0-hc1SDjvBeoLoUvbg4JWDzXyjR0u4xQ@mail.gmail.com> <alpine.LRH.2.21.1911051437000.11602@bofh.nohats.ca> <CAHw9_iKhaA9Nb+eH92YfzdepU90_DgLyS-ZDaMAehKOFO0ksEA@mail.gmail.com>
In-Reply-To: <CAHw9_iKhaA9Nb+eH92YfzdepU90_DgLyS-ZDaMAehKOFO0ksEA@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Tue, 05 Nov 2019 16:35:49 -0800
Message-ID: <CAH1iCioUiSW7POYmEs5Uz3kmOfa5n_4k6dMisAnp97OrJ44qLQ@mail.gmail.com>
To: Warren Kumari <warren@kumari.net>
Cc: Paul Wouters <paul@nohats.ca>, "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b637ad0596a2bb33"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/sZ37F1AlsoNrmgVOKZIOUXBj9b8>
Subject: Re: [dns-privacy] [Ext] Threat Model
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Nov 2019 00:36:06 -0000
On Tue, Nov 5, 2019 at 3:14 PM Warren Kumari <warren@kumari.net> wrote: > On Tue, Nov 5, 2019 at 2:40 PM Paul Wouters <paul@nohats.ca> wrote: > > > > On Tue, 5 Nov 2019, Warren Kumari wrote: > > > > > Because then I need to probe them on 853 and wait N before trying on > port 53, or I will > > > only get any sort of protection for name-servers which I’ve spoken to > recently enough that > > > I have them in cache — that works for e.g: ns1.google.com, but not > ns0.nohats.ca > > > > Well, that's how we do things when remembering per-server > > characteristics, which we need to do anyway in case of outages. > > > > Like EDNS0 support and DNS COOKIES support is remembered and cached, > > why wouldn't resolvers do the same for this property. We didn't put > > "ns-edns" out there in name hacks either. Why start now? > > For things like COOKIES I don't need knowledge of the server *before* > I contact it -- when I want to lookup www.nothat.ca, and get back a > cookie, I've learnt something useful for future connections. > > For privacy, I really don't want to have to leak the fact that I'm > looking up secret.nohats.ca because I happen to be the first user who > is (recently) asking for a name on ns0.nohats.ca. > a.ns.facebook.com is popular and so in basically all caches, all the > time - and so users looking that up would get privacy most of the > time. > ns01.kumari.net is (obviously) less popular, and so basically never in > caches -- and so anyone looking up kink.kumari.net will be exposed. > > Now, I really don't think it is fair and right that people looking up > Facebook (or Google) get privacy simply because those sites are > popular, and people reaching my personal site don't. > I could get privacy back by moving my DNS to a large commercial DNS > hoster (ns59.domaincontrol.com is in many caches, much of the time), > but this seems like an even worse push. > > I'd like some system where I can signal that I support DoT: > 1: without my parent having to do anything (like be upgraded to support > DoT) > > 2: without having people to probe and wait for a timeout > > 3: with my users first connection protected, so they don't have to > lookup safe.kumari.net (to make sure that the resolver knows that > ns01.kumari.net supports DoT), or something like _dot.kumari.net > before looking up secret.kumari.net. > > 4: without expecting everyone to support DNSSEC. > > I'd like to see something less stupid than ns01-dot.kumari.net, but I > don't really see what else the child controls at the parent (without > having a separate set of info / RR type / encoding stuff in DS, etc) > So, I'm going to rephrase some stuff, in an attempt to capture what I believe are either (a) requirements, or (b) changes to DNS, in what you describe. Then, I'll ask some leading questions, and make some assertions, and see where that goes. :-) So, currently, there is no recursive-to-authoritative privacy standardized, per se, even if there might be some early implementations (DoT in OTE at godaddy for example). The first question is, since no standard yet exists, why NOT include a requirement for DNSSEC in order to do privacy to the authoritative, even if only in the secure bootstrap process? It's all green-field, right? I.e. excluding DNSSEC a priori seems overly restrictive. (But let's leave that for now. But please answer this question, it's something I'm interested in.) Second, there seems to be an inherent leakage of information caused by an association between the NS name of your domain and the domain and its children. Suppose the name server name, was decoupled from the domain you care about, and all the information about that name server were in a different domain, where the name of the name server was served from another name server whose name was an in-bailiwick name for that other domain, and the query for the name server for the domain you care about was only ever done over an encrypted connection. (Whew.) E.g. kumari.net NS ns-ku.secret-nameserver-12345.net secret-nameserver-12345.net NS ns1.secret-nameserver-12345.net ns1.secret-nameserver-12345.net A <ipv4> ns1.secret-nameserver-12345.net AAAA <ipv6> Then have records for the DOT bits for both ns-ku and ns1 inside the secret-nameserver-12345.net zone. (Pick your poison on what those records would look like, anything from TLSA records to A/AAAA records to some new RR type, or even SRV records.) The privacy stuff would be a two-phase privacy bootstrap. First, do the query to get the needed privacy stuff for ns1.secret-nameserver-12345.net over a non-private connection. Then, do the query to get the needed privacy stuff for ns-ku.secret-nameserver-12345.net over a newly-established DoT connection based on the previous step. Third, do the query toward ns-ku.secret-nameserver-12345.net over another DoT connection based on the previous step, to obtain any records within kumari.net in a private fashion. To know that any given query towards secret-nameserver-12345.net was intended to get the stuff for kumari.net, would require more deductive reasoning than in your original examples. Also important is that the only information that would need to be stored on secret-nameserver-12345.net would be an (arbitrary) nameserver name, plus A/AAAA glue data, plus whatever other parameters are needed for DoT signaling. Thus, it would be very feasible for someone to offer a privacy-enabling service like secret-nameserver-12345.net, that would provide a stegonographic cover for all its clients, and those clients would not need to identify their domains per se, and would eliminate the information leakage of using a single domain with in-bailiwick name for the name server. I.e. you would not need to operate secret-nameserver-12345 yourself (but you could), and if you didn't, you would get a lot more privacy than is otherwise possible (I think). Additionally, the bigger and more popular secret-nameserver-12345 is, the more likely it is in cache, allowing very private bootstrapping of the privacy-protected DNS for kink.kumari.net. I think this does #1 and #2, probably does #3, and #4 is open for discussion. Thoughts? Answers? Brian
- [dns-privacy] Threat Model Eric Rescorla
- Re: [dns-privacy] Threat Model Christian Huitema
- Re: [dns-privacy] Threat Model Brian Dickson
- Re: [dns-privacy] Threat Model Ted Hardie
- Re: [dns-privacy] Threat Model Brian Dickson
- Re: [dns-privacy] [Ext] Threat Model Paul Hoffman
- Re: [dns-privacy] [Ext] Threat Model Eric Rescorla
- Re: [dns-privacy] [Ext] Threat Model Paul Hoffman
- Re: [dns-privacy] [Ext] Threat Model Eric Rescorla
- Re: [dns-privacy] [Ext] Threat Model Stephen Farrell
- Re: [dns-privacy] [Ext] Threat Model Eric Rescorla
- Re: [dns-privacy] what's good enough, or Threat M… John Levine
- Re: [dns-privacy] what's good enough, or Threat M… Eric Rescorla
- Re: [dns-privacy] [Ext] Threat Model Warren Kumari
- Re: [dns-privacy] [Ext] Threat Model Eric Rescorla
- Re: [dns-privacy] what's good enough, or Threat M… John R Levine
- Re: [dns-privacy] [Ext] Threat Model Warren Kumari
- Re: [dns-privacy] [Ext] Threat Model David Conrad
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Stephen Farrell
- Re: [dns-privacy] Threat Model Livingood, Jason
- Re: [dns-privacy] [Ext] Threat Model Tony Finch
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Brian Dickson
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Eric Rescorla
- Re: [dns-privacy] [Ext] Threat Model Brian Dickson
- Re: [dns-privacy] [Ext] Threat Model John Levine
- Re: [dns-privacy] [Ext] Threat Model John Levine
- Re: [dns-privacy] [Ext] Threat Model Tony Finch
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Warren Kumari
- Re: [dns-privacy] [Ext] Threat Model Warren Kumari
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Warren Kumari
- Re: [dns-privacy] [Ext] Threat Model Brian Dickson
- Re: [dns-privacy] [Ext] Threat Model Dan Wing
- Re: [dns-privacy] [Ext] Threat Model Mark Andrews
- Re: [dns-privacy] [Ext] Threat Model Ralf Weber
- Re: [dns-privacy] [Ext] Threat Model Hugo Connery
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Stephen Farrell
- Re: [dns-privacy] [Ext] Threat Model Paul Hoffman
- Re: [dns-privacy] [Ext] Threat Model Brian Dickson
- Re: [dns-privacy] [Ext] Threat Model Ted Hardie
- Re: [dns-privacy] [Ext] Threat Model Brian Dickson
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Bob Harold
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Stephen Farrell
- Re: [dns-privacy] [Ext] Threat Model Brian Dickson
- Re: [dns-privacy] [Ext] Threat Model Paul Ebersman
- Re: [dns-privacy] [Ext] Threat Model Paul Wouters
- Re: [dns-privacy] [Ext] Threat Model Bob Harold
- Re: [dns-privacy] [Ext] Threat Model sthaug