Re: [dns-privacy] [Ext] Revised opportunistic encryption draft

Paul Hoffman <paul.hoffman@icann.org> Fri, 30 October 2020 20:46 UTC

From: Paul Hoffman <paul.hoffman@icann.org>
To: Eric Rescorla <ekr@rtfm.com>
CC: "dprive@ietf.org" <dprive@ietf.org>
Thread-Topic: [dns-privacy] [Ext] Revised opportunistic encryption draft
Thread-Index: AQHWrvOHypDT5C5tA0ei42VBeA1bgqmxEt0A
Date: Fri, 30 Oct 2020 20:46:17 +0000
Message-ID: <2D07CBD0-30CE-418E-AD05-02E0A5EDB79F@icann.org>
References: <C0CBEBC5-D28A-46C0-AE50-078710015466@icann.org> <alpine.LRH.2.23.451.2010301202350.2587497@bofh.nohats.ca> <2444B21B-9465-4A5B-97CC-AF809309300A@icann.org> <CABcZeBPZFY9aQ5Nb0q_4uTMFRbY3-S2rus4vaeLaUmvU+h_ftg@mail.gmail.com>
In-Reply-To: <CABcZeBPZFY9aQ5Nb0q_4uTMFRbY3-S2rus4vaeLaUmvU+h_ftg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/ygBYV5iuh9UcLDWSpXWPwb5dPdg>
Subject: Re: [dns-privacy] [Ext] Revised opportunistic encryption draft

On Oct 30, 2020, at 12:32 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> On Fri, Oct 30, 2020 at 10:03 AM Paul Hoffman <paul.hoffman@icann.org> wrote:
> On Oct 30, 2020, at 9:11 AM, Paul Wouters <paul@nohats.ca> wrote:
>> > I still believe the cost of authenticating a DNS(SEC) server is so low
>> > these days (with ACME available at no cost and with full automation)
>> > that this draft is better not done.
>> 
>> The cost in terms of CPU cycles is indeed low. That is not the cost that is being considered when choosing opportunistic encryption. There is a real cost to the system if entire zones get server failures due to authentication mistakes made by the authoritative servers (not renewing certificates, errors in TLSA records, upstream validation problems that cause TLSA records not to validate, ...) or resolvers (dropping trust anchors that are in use, bad validation logic for TLSA, ...).
>> 
> How is this different from the transition of the Web to HTTPS?

The DNS data is already authenticated if they are using DNSSEC. Also, because the DNS is hierarchical, even a short-lived authentication failure at a particular server will take out the ability to get data for all zones beneath that one; this is not an issue in the web.

> Sure, there can be misconfigurations of various kinds, but good operational practices can minimize these, and in return you get strong security.

What extra value is the "strong security"? Is that value worth the risk of inability to get data from a zone? In the web world, the decision that the value was greater than the risk was based heavily on being able to authenticate the data using TLS. We don't have that same balance in the DNS.

Again, some folks might want to take the risk of a hierarchical failure in order to get additional authentication of data beyond what DNSSEC gives you. If so, a document stating that use case and a protocol to go with it would help find who else wants that.

--Paul Hoffman
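The hierarchical failure mode argued over in this thread can be made concrete with a small model. This is an added example, not code from the thread or from any draft it discusses: the zone hierarchy, the `strict` / `opportunistic` policy names and the `failed_auth` set are all constructed for illustration.

```python
# Constructed toy model: a resolver walks the delegation chain from the root to
# the target zone and must talk to each zone's authoritative server on the way.
# `failed_auth` holds zones whose servers currently fail TLS authentication
# (expired certificate, bad TLSA record, resolver validation bug, ...).
# Under a strict authenticate-or-fail policy every zone beneath the failing
# server becomes unresolvable; under an opportunistic policy the resolver
# degrades that one hop to cleartext and keeps going.

# zone -> parent zone (None for the root); constructed hierarchy
ZONES = {
    ".": None,
    "example.": ".",
    "sub.example.": "example.",
    "other.": ".",
}


def zone_chain(zone):
    """Zones whose servers are contacted when resolving `zone`, root first."""
    chain = []
    while zone is not None:
        chain.append(zone)
        zone = ZONES[zone]
    return list(reversed(chain))


def resolve(zone, failed_auth, policy):
    """Return ("ok", transports) or ("servfail", zone_that_failed).

    transports lists, per hop, whether the hop ran over authenticated TLS or
    was downgraded to cleartext; a downgrade is what an opportunistic resolver
    should log so operators can detect authentication problems."""
    transports = []
    for z in zone_chain(zone):
        if z in failed_auth:
            if policy == "strict":
                return ("servfail", z)
            transports.append("cleartext")  # opportunistic fallback
        else:
            transports.append("tls")
    return ("ok", transports)


def blast_radius(failed_auth, policy):
    """Every zone that returns SERVFAIL given the failing servers and policy."""
    return sorted(z for z in ZONES if resolve(z, failed_auth, policy)[0] == "servfail")


if __name__ == "__main__":
    for policy in ("strict", "opportunistic"):
        print(policy, "unresolvable:", blast_radius({"example."}, policy))
```

The model shows the trade-off as stated in the message: one failing server in strict mode takes out `example.` and everything delegated beneath it, while opportunistic mode resolves them all but with an unauthenticated hop that should be surfaced in resolver logs.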