Re: [dns-privacy] [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]
Paul Wouters <paul@nohats.ca> Fri, 29 May 2020 20:59 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF5EE3A107E for <dns-privacy@ietfa.amsl.com>; Fri, 29 May 2020 13:59:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GiEwFbwRXwkQ for <dns-privacy@ietfa.amsl.com>; Fri, 29 May 2020 13:59:22 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D5143A107A for <dns-privacy@ietf.org>; Fri, 29 May 2020 13:59:22 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 49YcPh1JbRzFPq; Fri, 29 May 2020 22:59:20 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1590785960; bh=oOZSnM/qYYFFtvcyltPFOYdExGqNykzfcd4AugsVxbE=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=kU/t9YqNo+PNnjk5E8Z+EoALUyeaZX8yXwzHlcD5OsU5JbEVA8rbiKSoPWTZ2LcIz Obr6trOvIzlqt8ml1+3lP4x8DpPKOzobBxhyoMazTI6ugZt0FLLB5iUjx/DCtSfVec 8haHW62zymvDj0CjZHhlkrzCYsW+6NKa9n2GJ7Tk=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id OM-pqkvqK1qV; Fri, 29 May 2020 22:59:18 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Fri, 29 May 2020 22:59:18 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 671796020EE7; Fri, 29 May 2020 16:59:17 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 635C766B7C; Fri, 29 May 2020 16:59:17 -0400 (EDT)
Date: Fri, 29 May 2020 16:59:17 -0400
From: Paul Wouters <paul@nohats.ca>
To: Peter van Dijk <peter.van.dijk@powerdns.com>
cc: dns-privacy@ietf.org
In-Reply-To: <a98818c2b2387a498883a48261ddafd21d9e40a0.camel@powerdns.com>
Message-ID: <alpine.LRH.2.22.394.2005291636050.28776@bofh.nohats.ca>
References: <158987990316.29446.4343920282978207647@ietfa.amsl.com> <alpine.LRH.2.21.2005191134560.13722@bofh.nohats.ca> <ec6bc9248179a9ab56ea490f82b14c7e90ffe819.camel@powerdns.com> <alpine.LRH.2.21.2005241222410.4172@bofh.nohats.ca> <77f7a9c38c6bd0a059679a7ab3027b4da9005512.camel@powerdns.com> <alpine.LRH.2.21.2005241710490.10453@bofh.nohats.ca> <5653e4dd2ab6daa648387808a3ac04e088bbc89b.camel@powerdns.com> <CAHbrMsDKQqfnoty+cRa5bJ=zVkONYTbFf-=8hzAj0E7pWeFXug@mail.gmail.com> <a8f44365b9b3a079753f8286cc19fbb241996bf5.camel@powerdns.com> <CAHbrMsAhKB9=nPfnmYzT-tu8-XMYNwyyuYM3T9106iWNzPpDAQ@mail.gmail.com> <alpine.LRH.2.21.2005272118320.18445@bofh.nohats.ca> <10319d748a2ecc2c4e8cad7b8fb545a1f65ff925.camel@powerdns.com> <alpine.LRH.2.21.2005291115060.31882@bofh.nohats.ca> <79c8d207a1215ed0a34d05236ca5dda228ac09a6.camel@powerdns.com> <alpine.LRH.2.21.2005291152560.31882@bofh.nohats.ca> <a98818c2b2387a498883a48261ddafd21d9e40a0.camel@powerdns.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/v8qUTMNVW_9W25GUXVStr2_Jk-A>
Subject: Re: [dns-privacy] [Fwd: New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-00.txt]
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 May 2020 20:59:25 -0000
On Fri, 29 May 2020, Peter van Dijk wrote: > I'm not even sure what my question is, so let's try this: if a > malicious parent has the ability to publish a malicious DS record, why > wouldn't that parent also change the NS records in some subtle way? > Then the real client side CDS becomes invisible. I have trouble seeing > a specific combination of attacker choices that makes sense here. If a parent is coerced to publish a DoT DS record pointing to a government run server, the child has no way to defend itself against this, unless it can confirm in the child zone that the DoT DS is in fact the child zone policy. I wouldn't want .ca to start publishing national mandatory DoT servers. Requiring confirmation of the child zone prevents this, as .ca cannot put CDS records into my zone signed by my DNSKEY. For a parent to be co-erced with requiring child zone confirmation, it basically has to take over the entire child because it needs the childzone to confirm its roque DS. Which is quite different from just "publishing an additional DS record in their legally owned zone". Asking the .ca people to publish a DS record is one thing. Asking them to take over all .ca zones is quite another. Yes, a targeted victim with an empty cache is going to lose from any malicious parent willing to confiscate its child zone. If you have some cache already, this is a little harder for targetted attacks, and would have to be done publicly for everyone to see (and audit log) We can also log the authentication chain of the DoT records. When did the child pusblish CDS records to be picked up by the parent for DS. When did the parent change DS records pointing to different DNSKEY records (whether DNSKEY for resolving or DNSKEY for DoT) See also the DELEGATION_ONLY and DNSSEC Transparency efforts we are working on. A new (DoT) DS and CDS would be an auditable event similar to the Certificate Transparency of seeing a new EE-cert. Cooperating clients can log these somewhere public as to guarantee that any malicious DS/CDS record created by the parent for a targetted attack would very likely be caught by the child owner and become public knowledge, to be resolved by layer 8. >> See my other email about DNSKEY algo 253 and 254. Since that's in the RFC, >> you will have a better case arguing they have to support those. > > Assuming we (our draft, or some loosely related variant like the couple > of other proposals in this thread) get to RFC, IANA will assign a > number (or perhaps even before that). I'm not worried about getting the > algo number on the registries' allowlist.. eventually. > > (see my reply to the other email, that I had missed before, for why I > think 253/254 are not appropriate) The fact that current software is not properly ignoring these algorithms is not the best argument for not using them. I do think it is interesting to use these because they already come with pre-buildin concepts of FQDN's before putting in "arbitrary data based on who is using it for what". It would arguably be less of a squatting on the DNSKEY record than the current proposal. But I'm okay to try to use a new algorithm number first, and if squatting becomes an issue moving forward, we can always pick one of these two. It is much more important that we agree on the MUST vs MAY of client side confirmation of DoT servers at the parent. Paul
- [dns-privacy] [Fwd: New Version Notification for … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Mikael Abrahamsson
- Re: [dns-privacy] [Fwd: New Version Notification … Jeremy Harris
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Petr Špaček
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Christian Huitema
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Ondřej Surý
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Ben Schwartz
- Re: [dns-privacy] [Fwd: New Version Notification … Petr Špaček
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Ben Schwartz
- Re: [dns-privacy] [Fwd: New Version Notification … Tony Finch
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Ben Schwartz
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Stephen Farrell
- Re: [dns-privacy] [Fwd: New Version Notification … Petr Špaček
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Shumon Huque
- Re: [dns-privacy] [Fwd: New Version Notification … Eric Rescorla
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Eric Rescorla
- Re: [dns-privacy] [Fwd: New Version Notification … Ben Schwartz
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Petr Špaček
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Tony Finch
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Paul Wouters
- Re: [dns-privacy] [Fwd: New Version Notification … Christian Huitema
- Re: [dns-privacy] [Fwd: New Version Notification … Peter van Dijk
- [dns-privacy] re-evaluation of the draft, was Re:… Paul Wouters
- Re: [dns-privacy] re-evaluation of the draft, was… Robin Geuze
- Re: [dns-privacy] re-evaluation of the draft, was… Shumon Huque
- Re: [dns-privacy] re-evaluation of the draft, was… Peter van Dijk
- Re: [dns-privacy] re-evaluation of the draft, was… Shumon Huque
- Re: [dns-privacy] NS names, was re-evaluation of … John Levine
- Re: [dns-privacy] NS names, was re-evaluation of … Shumon Huque
- Re: [dns-privacy] re-evaluation of the draft, was… Paul Wouters
- Re: [dns-privacy] NS names, was re-evaluation of … Christian Huitema
- Re: [dns-privacy] re-evaluation of the draft, was… Peter van Dijk
- Re: [dns-privacy] NS names, was re-evaluation of … Shumon Huque
- Re: [dns-privacy] NS names, was re-evaluation of … Paul Wouters
- Re: [dns-privacy] NS names, was re-evaluation of … Shumon Huque
- Re: [dns-privacy] NS names, was re-evaluation of … Bill Woodcock
- Re: [dns-privacy] NS names, was re-evaluation of … Shumon Huque
- Re: [dns-privacy] NS names, was re-evaluation of … Bill Woodcock
- Re: [dns-privacy] NS names, was re-evaluation of … John R Levine
- Re: [dns-privacy] NS names, was re-evaluation of … Brian Dickson
- Re: [dns-privacy] bootstrapping NS names, was re-… John Levine
- Re: [dns-privacy] bootstrapping NS names, was re-… Brian Dickson
- Re: [dns-privacy] bootstrapping NS names, was re-… John R Levine