Re: [dns-privacy] Possible use case: Opportunistic encryption for recursive to authoritative
Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 18 August 2020 21:38 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C816A3A0D07 for <dns-privacy@ietfa.amsl.com>; Tue, 18 Aug 2020 14:38:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JX3gIFt61Vhw for <dns-privacy@ietfa.amsl.com>; Tue, 18 Aug 2020 14:38:48 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D2E33A0CFC for <dns-privacy@ietf.org>; Tue, 18 Aug 2020 14:38:48 -0700 (PDT)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id 7B3F82C191A; Tue, 18 Aug 2020 17:38:47 -0400 (EDT)
Date: Tue, 18 Aug 2020 17:38:47 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dns-privacy@ietf.org
Message-ID: <20200818213847.GB86346@straasha.imrryr.org>
Reply-To: dns-privacy@ietf.org
References: <3BA75997-3DE4-4DF5-B1F5-C57DBC423288@icann.org> <CAHbrMsAEUFT7GOTm5Dbq9PCMEA+4maJQ32t_R-SbYVyztqVBDA@mail.gmail.com> <alpine.LRH.2.23.451.2008062244030.618007@bofh.nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <alpine.LRH.2.23.451.2008062244030.618007@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/sbR4a-OkcFs2Km54OOOxPnielvI>
Subject: Re: [dns-privacy] Possible use case: Opportunistic encryption for recursive to authoritative
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Aug 2020 21:38:50 -0000
On Thu, Aug 06, 2020 at 11:04:39PM -0400, Paul Wouters wrote: > > Opportunistic encryption is defined in RFC 7535. Minor correction, for the record, 7435. > The "opportunistic" part really means, "we will try encryption, but if > for whatever reason it does not work, we will fallback to > unauthenticated or even cleartext". In 7435 it means "when it is discovered to be possible", as opposed to (e.g. https) simply mandatory. Now what "discovered to be possible" can mean different things in different protocols: - Some protocols, like basic STARTTLS in SMTP, are vulnerable to active attacks, but do a decent job of protecting most conent against passive wiretap. (Traffic analysis can still reveal a great deal about communication flows, even absent the clearttext payload). - Other protocols, like opportunistic DANE TLS (RFC7672), are resistant to downgrade attacks, but still "opportunistic" because the use of DANE TLS is not an a priori requirement, rather support for the protocol by the server is discovered in real time, and the protocol is applied to servers with signed TLSA records, and otherwise ordinary STARTTLS (and perhaps even cleartext if STARTTLS appears to be absent or broken) is used. > In this case though, for auth servers, I see no reason to do > unauthenticated encryption. There are usually two reasons for > unauthenticated encryption. The first is that the party wants to > remain anonymous (eg most HTTPS clients). The second is that it is > too hard for entities to get a veriable ID in a trustworth PKI. If the signalling channel that indicates support for resolver to auth TLS is authenticated and downgrade resistant, then it indeed makes sense to consider opportunistically (i.e. based on real-time discovery) enforcing authentication. A bit more caution may however be appropriate in the case of DNS than with SMTP. Some early adopters of DANE for SMTP (a small, but not entirely negligible minority, around 4% by SMTP server count, but only ~500 out of >2 million DANE-enabled domains) are having a bit of trouble keeping the TLSA records accurate, but given the asynchronous nature of email, are doing mostly OK, provided they fix the records in a few hours to even a day or two. A similar transient outage in DNS would not generally be acceptable. However, the very problem that they are having of keeping the certs on the SMTP server matching the keys on the DNS server, is far easier to solve on the DNS servers, provided they are authoritative for the zone(s) with their own names, in which case including the correct TLSA RRs can be largely automated, in much the same way that the RRSIG and NSEC chain generation is automated. The primary server just needs a secure channel to retrieve new public keys for the secondaries. So before standardising opportunistic DANE for DNS, I look for a draft that covers the key management lifecycle. If there's a solid way to automate key rollover after initial enrollment, then we can expect to see DANE authentication to "just work" in DNS. Otherwise, the "opportunistic" protocol would be more modest in its goals and would only achieve unauthenticated TLS when it appears to be possible, without downgrade protection. > Opportunistic for _this case_ is just too weak. We have a PKI system > with DNSSEC that is core to these DNS servers already. We basically > get the PKI for free, so just do it authenticated. Right, but we should also do it *well*, which means that key lifecycle automation should be part of the design from day one. -- Viktor.
- [dns-privacy] Possible use case: Opportunistic en… Paul Hoffman
- Re: [dns-privacy] Possible use case: Opportunisti… Ben Schwartz
- Re: [dns-privacy] [Ext] Possible use case: Opport… Paul Hoffman
- Re: [dns-privacy] Possible use case: Opportunisti… John R. Levine
- Re: [dns-privacy] Possible use case: Opportunisti… Tim Wicinski
- Re: [dns-privacy] Possible use case: Opportunisti… Puneet Sood
- Re: [dns-privacy] Possible use case: Opportunisti… Rob Sayre
- Re: [dns-privacy] Possible use case: Opportunisti… Puneet Sood
- Re: [dns-privacy] Possible use case: Opportunisti… Rob Sayre
- Re: [dns-privacy] Possible use case: Opportunisti… Manu Bretelle
- Re: [dns-privacy] Possible use case: Opportunisti… John Levine
- Re: [dns-privacy] Possible use case: Opportunisti… Rob Sayre
- Re: [dns-privacy] Possible use case: Opportunisti… Paul Wouters
- Re: [dns-privacy] Possible use case: Opportunisti… Brian Haberman
- Re: [dns-privacy] Possible use case: Opportunisti… Ask Bjørn Hansen
- Re: [dns-privacy] Possible use case: Opportunisti… Paul Ebersman
- Re: [dns-privacy] [Ext] Possible use case: Opport… Paul Hoffman
- Re: [dns-privacy] Possible use case: Opportunisti… Peter van Dijk
- Re: [dns-privacy] Possible use case: Opportunisti… Peter van Dijk
- Re: [dns-privacy] [Ext] Possible use case: Opport… Brian Haberman
- Re: [dns-privacy] Possible use case: Opportunisti… Tony Finch
- Re: [dns-privacy] Possible use case: Opportunisti… Paul Wouters
- [dns-privacy] TLSA for secure resolver-auth trans… Peter van Dijk
- Re: [dns-privacy] Possible use case: Opportunisti… Vladimír Čunát
- Re: [dns-privacy] [Ext] Possible use case: Opport… Paul Hoffman
- Re: [dns-privacy] TLSA for secure resolver-auth t… Ilari Liusvaara
- Re: [dns-privacy] TLSA for secure resolver-auth t… Paul Wouters
- Re: [dns-privacy] [Ext] TLSA for secure resolver-… Paul Hoffman
- Re: [dns-privacy] TLSA for secure resolver-auth t… Vladimír Čunát
- Re: [dns-privacy] TLSA for secure resolver-auth t… Paul Wouters
- Re: [dns-privacy] Possible use case: Opportunisti… Viktor Dukhovni
- Re: [dns-privacy] TLSA for secure resolver-auth t… Peter van Dijk