IETF Logo Mail Archive

Re: [dns-privacy] [Ext] Threat Model

Warren Kumari <warren@kumari.net> Tue, 05 November 2019 23:14 UTC

Return-Path: <warren@kumari.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B03C1200C3 for <dns-privacy@ietfa.amsl.com>; Tue, 5 Nov 2019 15:14:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sJYdKjavE1tX for <dns-privacy@ietfa.amsl.com>; Tue, 5 Nov 2019 15:14:23 -0800 (PST)
Received: from mail-qk1-x72a.google.com (mail-qk1-x72a.google.com [IPv6:2607:f8b0:4864:20::72a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21106120072 for <dns-privacy@ietf.org>; Tue, 5 Nov 2019 15:14:23 -0800 (PST)
Received: by mail-qk1-x72a.google.com with SMTP id 15so22894020qkh.6 for <dns-privacy@ietf.org>; Tue, 05 Nov 2019 15:14:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=IkRSZ8xwDOYJfetDgHu2uJ0hAtUU5yw7oWN/Fx1r3q0=; b=PF/Bq8SjGS2bBllWJq6r/Csx0Hh+zzkDalVw0/rd0lI0JI8Kd4jcUubb5EQrk3Ylrg eimBkeC23GemccKllZNMpPEwRLMzts5I5N0Dst0B8avVRsSgjo3/ztqDql/2scxY5sMj fImYJH1tUQAUplXdj1kA0nDvORj8jsXxOe4mdramC6pTLgZa2f0UwyAbFwQj07Wh0nSJ CEKfMbsHGgC//FI3bGmAimBI69EMFL7WI1+jM/UbIRn5iMMrMaLJ+tRZZCDtm4aTWn9X hhZ6Zc8AG+xQyt/d+UQlOqDMk2wcSXVYzfaNgpDHg025RI6p5j8i/qz62yipqSsa0jB0 2ifA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=IkRSZ8xwDOYJfetDgHu2uJ0hAtUU5yw7oWN/Fx1r3q0=; b=fK2Di7+KHlGmdbddO3v/KJm1Y7Itf/4bBLAgrAUj7QKXYIiR5uvGFMKff5f3fnEqX7 +wUFlQ8PnhcUxH7rK6MD+X1vKNUjombGUow1HCjYGCa33wwAsUR1Lk/X2/Vyov9s7pn3 GAHZ+oRGSbI74Ik2AnEkdHQzND39v8PxFvYmP5FDIIGv3msDVNX4yQTcUyBGurBSqu/O K05kb/V7zVJhZwITtLnjxft3lNXyn6AxaPShyz1nyACpFZPsYsbj855qRSYbarXHZyti lFqZ/Yg0Erxf0D45MuASyTfyE6JHd5Dumf51Kfw6OJFSic9Fu76zSfcRf8QgBJnr5SDf wRlg==
X-Gm-Message-State: APjAAAXEm99EKWXm77zrlGfR1oalo0du04GDbfjauNL7INuDbIT383IA kziQ9SzSMt/tnECV1tpYkSVd9l2cFe3zZkAMzANFwT1+P8WJKA==
X-Google-Smtp-Source: APXvYqxh8u4EEwK3FlrR5J9IJMEKEBmWrHxslhQuWjeRHNrsHCkFxWfWW+9Dzuhx2ZefwATby4kFeJF4BEzP23lD9dE=
X-Received: by 2002:ae9:d801:: with SMTP id u1mr25948957qkf.245.1572995661575; Tue, 05 Nov 2019 15:14:21 -0800 (PST)
MIME-Version: 1.0
References: <CABcZeBMQEJ=LE8ATQYnJj59srsK47hf4HT3BMMg3X2crVfSUXQ@mail.gmail.com> <CABcZeBOhSYvqPyDcm9zbMYRc03DmPcCKYTYE-uC54=Mm9HMcnQ@mail.gmail.com> <99ee8cd4-9418-2d64-57fd-487b4f2c3a1a@cs.tcd.ie> <CABcZeBOBFFi=dA_XEzhkYvRU6kzvND5CMQcMoyriYusDH0RbKQ@mail.gmail.com> <CAHw9_iLz5No-SKa74To03ida3DHfeKY58CrJFJpLph8FsvzNQQ@mail.gmail.com> <CABcZeBMFDbATVRvJvvs5b4giQ=0B82i76ahv-ffDgWJOzqZccw@mail.gmail.com> <CAHw9_i+e8veeAz+KYXjvchmjKJz6OZHX1pEYx_Tvs8n5xnfBnQ@mail.gmail.com> <6D6233DC-4D7C-45BC-9D4E-08E6E882C1A5@nohats.ca> <alpine.DEB.2.20.1911042035571.29247@grey.csi.cam.ac.uk> <CAH1iCioH86q1CX7A+F8ON4uzpGqipUy8m3iczyNqSKirAsYBQg@mail.gmail.com> <alpine.LRH.2.21.1911041652450.5093@bofh.nohats.ca> <CABcZeBOtY3saJe5DWTu=Jqy5guqdoKPKSR+XYddbvxwxKsxmig@mail.gmail.com> <CAHw9_iKaeT0VEjZfoCi9Nddc+VBBj0JHWDHv+=g3xzvb6L+Nvg@mail.gmail.com> <alpine.LRH.2.21.1911050941090.30046@bofh.nohats.ca> <CAHw9_i+MxMCd7dDO7N0-hc1SDjvBeoLoUvbg4JWDzXyjR0u4xQ@mail.gmail.com> <alpine.LRH.2.21.1911051437000.11602@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.1911051437000.11602@bofh.nohats.ca>
From: Warren Kumari <warren@kumari.net>
Date: Tue, 05 Nov 2019 18:13:45 -0500
Message-ID: <CAHw9_iKhaA9Nb+eH92YfzdepU90_DgLyS-ZDaMAehKOFO0ksEA@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/xKzVlXh6QUeexK6NZGP8qYypq70>
Subject: Re: [dns-privacy] [Ext] Threat Model
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Nov 2019 23:14:25 -0000

On Tue, Nov 5, 2019 at 2:40 PM Paul Wouters <paul@nohats.ca> wrote:
>
> On Tue, 5 Nov 2019, Warren Kumari wrote:
>
> > Because then I need to probe them on 853 and wait N before trying on port 53, or I will
> > only get any sort of protection for name-servers which I’ve spoken to recently enough that
> > I have them in cache — that works for e.g: ns1.google.com, but not ns0.nohats.ca
>
> Well, that's how we do things when remembering per-server
> characteristics, which we need to do anyway in case of outages.
>
> Like EDNS0 support and DNS COOKIES support is remembered and cached,
> why wouldn't resolvers do the same for this property. We didn't put
> "ns-edns" out there in name hacks either. Why start now?

For things like COOKIES I don't need knowledge of the server *before*
I contact it -- when I want to lookup www.nothat.ca, and get back a
cookie, I've learnt something useful for future connections.

For privacy, I really don't want to have to leak the fact that I'm
looking up secret.nohats.ca because I happen to be the first user who
is (recently) asking for a name on ns0.nohats.ca.
a.ns.facebook.com is popular and so in basically all caches, all the
time - and so users looking that up would get privacy most of the
time.
ns01.kumari.net is (obviously) less popular, and so basically never in
caches -- and so anyone looking up kink.kumari.net will be exposed.

Now, I really don't think it is fair and right that people looking up
Facebook (or Google) get privacy simply because those sites are
popular, and people reaching my personal site don't.
I could get privacy back by moving my DNS to a large commercial DNS
hoster (ns59.domaincontrol.com is in many caches, much of the time),
but this seems like an even worse push.

I'd like some system where I can signal that I support DoT:
1: without my parent having to do anything (like be upgraded to support DoT)

2:  without having people to probe and wait for a timeout

3: with my users first connection protected, so they don't have to
lookup safe.kumari.net (to make sure that the resolver knows that
ns01.kumari.net supports DoT), or something like _dot.kumari.net
before looking up secret.kumari.net.

4: without expecting everyone to support DNSSEC.

I'd like to see something less stupid than ns01-dot.kumari.net, but I
don't really see what else the child controls at the parent (without
having a separate set of info / RR type / encoding stuff in DS, etc)

W



>
> Paul



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

v2.23.0 | Report a Bug | By Email