IETF Logo Mail Archive

Re: [dns-privacy] Adam Roach's No Objection on draft-ietf-dprive-bcp-op-08: (with COMMENT)

Eric Rescorla <ekr@rtfm.com> Thu, 06 February 2020 19:22 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B0FA1200FF for <dns-privacy@ietfa.amsl.com>; Thu, 6 Feb 2020 11:22:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NDtf1d6gcQuv for <dns-privacy@ietfa.amsl.com>; Thu, 6 Feb 2020 11:22:54 -0800 (PST)
Received: from mail-lj1-x244.google.com (mail-lj1-x244.google.com [IPv6:2a00:1450:4864:20::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5736F120103 for <dns-privacy@ietf.org>; Thu, 6 Feb 2020 11:22:53 -0800 (PST)
Received: by mail-lj1-x244.google.com with SMTP id h23so7327886ljc.8 for <dns-privacy@ietf.org>; Thu, 06 Feb 2020 11:22:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=HuXcFfRGDfFo7I+3J+bOiIeC+Q9myljQsZydN72gqEg=; b=SJ3AnFGgKYuOhW0lL7BA9+g+n5u4eE1gaIiNwzAoDdanxlh3KoyVMQvd0LxTBfl37y SV2GYCYheUiDOOVrVul8g+EVoQBoZXpFgAOIsn7mxTGm0zDdHIWLiAcVt/L5tZRnpIBE vYIZrQhfXxCzxCrTQj/f8/BzxyfiiFtJeqjgFaXgPILmoOaHM1a4SEthVqJWLw2cTR+C E1TcPVAOxMPsfDl4TmPLfDW/Mz9ip8P3Qag4QFtA/DctYqd0zMqNG6mmujr3bCPs9T0i UP6lBDTHyLicVMq/TxHrp4T/jZv4VrQ37fnY9aoYSaBAJJ9lfVJ6UzEqU+KMt4iCxIAl sDbw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=HuXcFfRGDfFo7I+3J+bOiIeC+Q9myljQsZydN72gqEg=; b=YytjFt497k1wAqrixXjgOz+cRZKUVdP01+A+FNwP7tNBEGhWZ1uQ7RB/ZdbkRztHSR PAmpXZhmX1NCN3NNqy4czCoIgC9uOFuv76oIqwVE5XHSLhzwbpkgS9dwXRtGXXrr0fB3 KlZnrMP/CtOJJQvk5mIe0zmiuYznEr2dj/mdt1QrXGeTMHqrprYdla2iaqXvBoPciJS9 9VsnOqoObdIJVURX11JqmaUSs278OtBg5dM+b6prZj0oTvJpV8xFigzLzSPQoEh+69s4 LpX0bTxo1U8c13qjIxr6/w6rBClCUW3XgMarpJIKX5dIGkpqVMLvqwg0u0VmqNPrzZue GiBg==
X-Gm-Message-State: APjAAAVUABCEADOhufcEYheE8zGGzHKReUQ5rp3lazI4DH7r6ffi3Le2 tLD9pNJKavYUzi2Q0G0BGPAtUwU+JhnEgxO6q9TnWg==
X-Google-Smtp-Source: APXvYqzhtfmsQ/XB3OqZOOJvTkPYKQKdLc0EN/yDXsO2veGftXbugecIQTBaRDib9JgYDl1WvhWAou9nB2muuHAax6k=
X-Received: by 2002:a2e:b0c4:: with SMTP id g4mr3048832ljl.83.1581016971508; Thu, 06 Feb 2020 11:22:51 -0800 (PST)
MIME-Version: 1.0
References: <158096547226.30514.2103023305468871108.idtracker@ietfa.amsl.com> <CAH1iCiqLwP8UOJe_vWQAr7iu8j7LF2Y4+386XNimM+3wJ-2RzQ@mail.gmail.com> <9fe99917-347b-ab79-7a9c-3e8da67a5246@nostrum.com> <364cf548-9114-fcb3-52b6-a73be08b55c4@nostrum.com> <CAH1iCirzvzQUAcbctzC4Bete_mDicT7MYJL5vnaSFZnVNAUbPg@mail.gmail.com> <9104d41b-2c78-0216-3262-4ed50f389ea7@nostrum.com>
In-Reply-To: <9104d41b-2c78-0216-3262-4ed50f389ea7@nostrum.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 06 Feb 2020 11:22:15 -0800
Message-ID: <CABcZeBMF2CT--gdKNuVWw+e8CvLYjL3yX0YtMj54CQBvdZ0o0A@mail.gmail.com>
To: Adam Roach <adam@nostrum.com>
Cc: Brian Dickson <brian.peter.dickson@gmail.com>, Tim Wicinski <tjw.ietf@gmail.com>, draft-ietf-dprive-bcp-op@ietf.org, dprive-chairs@ietf.org, DNS Privacy Working Group <dns-privacy@ietf.org>, The IESG <iesg@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f88c8a059ded32e0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/zf8IgZeETxIg2lbwvSa9_MAGQt4>
Subject: Re: [dns-privacy] Adam Roach's No Objection on draft-ietf-dprive-bcp-op-08: (with COMMENT)
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Feb 2020 19:22:56 -0000

Thanks. I am just looking at this text, and I think it's inappropriate. To
recap something I seem to be saying a lot lately, the Internet Threat Model
assumes a Dolev-Yao-style attacker who controls the network between the
client and the server. TLS is designed to be secure in this environment,
and while the WebPKi is imperfect, suggesting that compromise of local DNS
lookups leads to compromise of user data seems exaggerated, at least in the
case of Web traffic.

-Ekr


On Thu, Feb 6, 2020 at 10:22 AM Adam Roach <adam@nostrum.com> wrote:

> Top-posting because I agree with the facts as you present them. I just
> reach a different conclusion based on these facts. To be clear, I think a
> belt-and-suspenders approach is generally preferable. I am merely
> suggesting that the "must" statement I cite may be stronger than is
> actually advisable given that such an approach is merely a small increment
> of security for protocols that are otherwise secured (e.g., HTTP, which is
> the example the document chooses), rather than the sole defense, as may be
> the case with other protocols.
>
> My top-line suggestion here is to choose a different example than HTTP.
>
> Secondary to that is a suggestion that the "must" statement really only
> makes sense when it is a sole counter-measure, and that a softer
> recommendation ("should") makes more sense otherwise.
>
> These are non-blocking comments, so I'm going to reiterate that the WG can
> ignore them -- I just wanted to make sure they were considered. It would be
> nice to hear from other folks on the topic as well.
>
> /a
>
> On 2/6/20 11:57, Brian Dickson wrote:
>
>
>
> On Thu, Feb 6, 2020 at 9:31 AM Adam Roach <adam@nostrum.com> wrote:
>
>> On 2/6/20 09:08, Adam Roach wrote:
>> >
>> > For the specific example chosen, it's been made pretty clear over the
>> > years that at least the clients for the specific service you cite have
>> > no interest in incurring this additional cost. If that's the working
>> > group consensus, then I have no interest in over-riding it. But
>> > ignoring operational realities seems kind of ivory tower-ish, which
>> > feels like the kind of thing that undermines the general credibility
>> > of the rest of the document.
>> >
>>
>
> Could you please be more specific?
>
> When you say "for the specific service", do you mean DNSSEC?
>
> And do you mean the signing of DNS zones using DNSSEC, when you refer to
> clients of that service?
>
> Perhaps you missed my microphone comments at the last IETF?
>
> Specifically that GoDaddy will be turning on DNSSEC for the vast majority
> of its DNS hosting customers?
>
> This represents about 40% of the DNS zones on the Internet.
> (The exact time frame is not set in stone, but we expect this to be done
> in the first half of 2020.)
>
> Given that this significantly alters the calculus, I don't think that is a
> good enough reason to object in and of itself anymore.
>
> The other aspect of this is the asymmetry involved in the defenses against
> impersonation:
>
>    - The choice to sign a DNS zone is under control of the zone owner
>    - The choice to deploy RPKI on routes (to protect against BGP
>    hijacking) is under control of the IP prefix holder
>    - Both methods rely on third parties to cooperate to achieve the
>    protections offered
>    - RPKI routing filters are now widely deployed, and RPKI registrations
>    are substantial
>    - The remaining issue is DNSSEC validation; many (most?) of the public
>    recursive operators do this already
>
> The logic should be, defend against all feasible attacks, rather than
> justifying the non-defense in one area (DNSSEC for DNS) based on the
> assertion that another area is not being defended (RPKI for BGP).
>
> Brian
>
>
>>
>> I realize that my editing made one of the pronoun antecedents here go
>> away. The second sentence should have said something more like "If
>> keeping the current text is the working group consensus..."
>>
>> /a
>>
>>
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy
>

v2.23.0 | Report a Bug | By Email