Re: [DNSOP] [Ext] Call for Adoption: draft-sah-resolver-information
Tim Wicinski <tjw.ietf@gmail.com> Fri, 16 August 2019 11:43 UTC
Return-Path: <tjw.ietf@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FE7E120018 for <dnsop@ietfa.amsl.com>; Fri, 16 Aug 2019 04:43:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j1qUEjSEyzkF for <dnsop@ietfa.amsl.com>; Fri, 16 Aug 2019 04:43:19 -0700 (PDT)
Received: from mail-ot1-x32d.google.com (mail-ot1-x32d.google.com [IPv6:2607:f8b0:4864:20::32d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9151B120072 for <dnsop@ietf.org>; Fri, 16 Aug 2019 04:43:19 -0700 (PDT)
Received: by mail-ot1-x32d.google.com with SMTP id j7so9300827ota.9 for <dnsop@ietf.org>; Fri, 16 Aug 2019 04:43:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=yk64RxXap3PbRSrkFNOiOz44CnA9okl9kAfOqokgmsI=; b=uDReNzqFNSEyEuQZKe//etEKRxvYXU48ueYs2KQCmCXJ9rSBRGjiV8sEvmJ0+zGqal riCK73//6MK/59hDxPikIHmnvoU47Xn0jvbeWh6qTdn+zzp2BYH4XPvq4RZIR5nrM883 kqWIjnQRUvfEgqgLvNLxnvyfoelg595C5Y1idryEe6qLaOsBVpwNjs3NdyJ1CAun8DL3 rltDiILdzvGL4rpUqVD2wtpmHztCZFNhfKH0wZUr1FD/pgFwq6NgRp3k/K9iw+PdaagO QR1a84ftbxtdRzObrmojCEDx81gqY96TErscrofogFsAECFgyr3GMZWpdPLYsKjYbELi Jh6A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=yk64RxXap3PbRSrkFNOiOz44CnA9okl9kAfOqokgmsI=; b=MtYzmNSNwQlATcm0oBoeaYNgOwQuiBhkAdUkDdT/3u9pD2IZWyj59AJJ4BOoEjPqwD GuOP+czpHwwZqKlcKSbkpJ7TjIQ7RVhANYShCDZe3Vj3W5TxIyTKL43Eg6g30blLcIlG l8lzCsknOZl74LIBc68+RMrZmOATMqSeh1NN1IV3L7LSpKTphYhyB1HPfJUt5iPKqqCo id/ySSc++PGQn3ml4KnjRcQShUQuJ5/EAK9n6Gz6cfRHLdflyNEMzgGJepDQS45bXPBu 5D3cewDVFYOJKlnfAi9Yv1Kad6nN8Xz7sBsi3l9t15kG+laFuUb4wHEX7cZPBXXXh09n 2hNw==
X-Gm-Message-State: APjAAAW4SjRU+SKkg21s8P7O9plNP5AMBW4HfkCMDvX12Oj2Lj7G32yg F4FVyvmsDc240a1W6DTv0IRuDyRmpV6w1aAzhKSwM+SP
X-Google-Smtp-Source: APXvYqxn/8AeZD+4MX0h9rvobnjyi9PSsZ8+SYSLVHlesueajaXGr6YAUNIKnTGMhxGJUnvSOKm902xUpaxWoUJ4ACM=
X-Received: by 2002:a05:6830:1345:: with SMTP id r5mr1373915otq.158.1565955798754; Fri, 16 Aug 2019 04:43:18 -0700 (PDT)
MIME-Version: 1.0
References: <CADyWQ+EUk_Qmnk=x3-om1OMjSMFrhd9qFUKTEBk6qWjh6fgRXQ@mail.gmail.com> <CAFpG3gc7bvJNo3SF=anU5aPfEjF0j-c2q8ZUHH3Gd684m9Ypyg@mail.gmail.com> <02BB3B07-F1C1-4D2B-BA08-EF1A5AAACA4C@icann.org> <CAFpG3gcdxpd=rh93nipx9QcuOgwMo--qZhoEbtg=cM8aHG=fQQ@mail.gmail.com>
In-Reply-To: <CAFpG3gcdxpd=rh93nipx9QcuOgwMo--qZhoEbtg=cM8aHG=fQQ@mail.gmail.com>
From: Tim Wicinski <tjw.ietf@gmail.com>
Date: Fri, 16 Aug 2019 07:43:07 -0400
Message-ID: <CADyWQ+F-HhX2cRNO9rfytsi6L4fZ=YkMzOGpR+rEtX2E0jFj5Q@mail.gmail.com>
To: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001e68ad05903a7f28"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/1JyJ5-IEobQw0rYkv2s6XqfJ0B8>
Subject: Re: [DNSOP] [Ext] Call for Adoption: draft-sah-resolver-information
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Aug 2019 11:43:23 -0000
All The Call for Adoption for draft-sah-resolver-information has ended, and there seems to be strong consensus. The consensus is "Let's adopt this document, but let's do more work on the details". The chairs here this quite strongly. We'll adopt the document and if the working group should be able to work on addressing all issues. Thanks for the comments. Tim On Tue, Aug 6, 2019 at 4:05 AM tirumal reddy <kondtir@gmail.com> wrote: > Hi Paul, > > Please see inline > > On Mon, 5 Aug 2019 at 19:56, Paul Hoffman <paul.hoffman@icann..org > <paul.hoffman@icann.org>> wrote: > >> Thank you for your detailed list >> >> On Aug 5, 2019, at 4:07 AM, tirumal reddy <kondtir@gmail.com> wrote: >> > >> > I did not receive response to the attacks discussed in >> https://mailarchive.ietf.org/arch/msg/dnsop/4ubj2D4bzxS1VTsZKzcNqBcWgtM. >> > Listing the attacks and comments for further discussion: >> >> To be clear, most of what you have below are not "attacks" at all.. >> > > Please explain why you think these are not "attacks" at all ? > > >> >> > a) Attackers can also host DoH/DoT servers and claim they offer >> security and privacy policies. How will the stub resolver know the >> recursive server is not lying ? >> >> The same way it can "know" that a web site it is going to follows that >> site's claims of security and privacy policies. That is: it cannot without >> help from trusted third parties. A resolver's claims inherently can be no >> different. This can be clarified in the draft. >> > > An user visiting a web site is different from an endpoint discovering a > network provided DoH/DoT server. Both good and back actors can advertise > DoH/DoT servers with the same security and privacy policies.. The attacker > can also potentially block the discovery of good DoH/DoT server. > > The above attacks are different from an user visiting www.google.com and > the browser rejecting the spoofed certificate from an MiTM. > > How will the user/endpoint distinguish between advertised good and > malicious DoH/DoT servers ? > > >> >> > b) How will the client know the policy statement is issued by a >> resolver deployed by the network administrator or by an attacker ? >> >> See above. This is barely different than the web model, if at all. >> > > No, this is not the same as a web model. Attacker can host a malicious > domain, deploy DoH/DoT servers and get the server certificate signed by a > CA (it can be automated with ACME and is free of cost with letsencrypt). > > >> >> > c) I don't see any discussion in the draft explaining how the client >> determines the future DHCP configuration options are coming from a trusted >> > source. >> >> For the DNS method, it can use DNSSEC validation. For the HTTPS method, >> it can use normal TLS authentication. This can be clarified in the draft. >> > > No, my comment is how will the client determine the future DHCP > configuration options are coming from a trusted source.. TLS authentication > and DNSSEC validation will also work for malicious DoH/DoT servers. > > >> >> > If the source cannot be trusted, endpoint can be configured to use a >> malicious resolver server compromising the endpoint security and privacy, >> > and future DHCP configuration options will not be helpful (DHCP clients >> typically have no secure and trusted relationships to DHCP servers). >> >> Are you saying here that, because there is no typically-trusted way to >> get this information from DHCP, there should be no way to get it from the >> DNS either? If so, that seems like a harsh restriction. >> > > If DHCP response can be spoofed, the endpoint has no way to know the DNS > response is coming from a trusted source even with DNSSEC and TLS > validation. > > Consider the following scenario: > > The network to which the endpoint attached uses OpenDNS to block access to > malicious domains. The attacker spoofs the DHCP response to send > Google DoH/DOT server instead of OpenDNS.. Assuming Google does not block > access to malicious domains, the attack is successful. > Note that DNSSEC and TLS server certificate validations will not prevent > the attack. > > >> >> > d) What type of DNS information is self-published ? >> >> The draft clearly says that a resolver can self-publish any information >> it wants, so I don't understand the question. >> > > The question is what is the information and what is its use to the > endpoint. In other words, why should a stub resolver implement this > specification and what problems will it solve to the end user ? > > >> >> > e) What type of decisions will the stub resolver make based on the >> features advertised by the recursive resolver ? >> >> Whichever decision it wants. This is true for any protocol, yes? >> > > No, the decisions may have privacy and security implications. > > >> >> > f) What is the need for both new RRtype and new well-known URI ? >> >> As I said earlier in the thread, it is not a "need". >> >> Some clients who want the information will want to use HTTPS because >> that's what they already do (such as applications with DoH clients); there >> is no need to force them to also have DNS transport stacks just to get the >> information. >> >> Some clients who want the information will want to use DNS because that's >> what they already do (such as stub resolvers); there is no need to force >> them to also have HTTPS transport stacks just to get the information. >> > >> > g) Why isn't the information the resolver will publish discussed in >> this document itself ? >> >> This is the same as asking "why isn't every DHCP option defined in the >> main DHCP protocol specification". We cannot know all the kinds of >> information that a resolver will want to publish. Different resolver >> operators have told me that, if this is adopted, they will suggest types of >> information they want stubs to know about them. There is no reason to >> restrict them in that, I believe. >> > > DHCP discusses several options (see > https://tools.ietf.org/html/rfc3315#section-22) and discusses scope for > future options in separate documents. This draft does not even specify any > details on the information the resolver will publish. > > >> > h) An on-path attacker can modify the response to return NXDOMAIN >> response. How is this attack prevented ? >> > Looks like DNSSEC validating client is mandatory to detect fake >> NXDOMAIN response. >> >> Yes, exactly. If you have a better suggestion, that would be great. >> > > If DNSSEC is mandatory to implement by the endpoint, it should be > specified in the document. Please note neither > https://tools.ietf.org/html/rfc8310 nor > https://tools.ietf.org/html/rfc8484 mandate the use of DNSSEC. > > >> >> > i) If the server certificate cannot be validated, why will the client >> trust the resolver information provided by server whose identify cannot be >> validated ? >> >> That's up to a client's policy for the specific information they receive. >> Again, this is no different than DHCP. > > > I don't see any such client policy mentioned in > https://tools.ietf.org/html/rfc8484. Are you aware of any browsers that > ignore server certificate validation > and why would the browser ignore the results of server certificate > validation ? > > >> The fact that few DHCP clients actually use DHCP authentication hasn't >> stopped the world from using it widely. >> > > And the world is moving away from clear text HTTP to use HTTPS. Ignoring > the server certificate validation will compromise the endpoint security and > privacy, and needs strong justification. > > >> >> > The draft does not look ready for adoption. >> >> Given the above, and given that the WG would be able to change any part >> of the draft it wants, do you still feel that way? > > > Yes, the draft look premature for adoption. As you already know, the > outcome of this work will impact DPRIVE, DoH and the discussions in ADD > mailing list. You may want to inform them about this draft, and seek > feedback. > > >> Or do you feel that there is no need at all for a resolver to be able to >> announce its features? >> > > No. > > Cheers, > -Tiru > > >> >> --Paul Hoffman > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
- [DNSOP] Call for Adoption: draft-sah-resolver-inf… Tim Wicinski
- Re: [DNSOP] Call for Adoption: draft-sah-resolver… Martin Thomson
- Re: [DNSOP] [Ext] Call for Adoption: draft-sah-re… Paul Hoffman
- Re: [DNSOP] Call for Adoption: draft-sah-resolver… Rob Sayre
- Re: [DNSOP] Call for Adoption: draft-sah-resolver… Paul Wouters
- Re: [DNSOP] [Ext] Call for Adoption: draft-sah-re… Martin Thomson
- Re: [DNSOP] Call for Adoption: draft-sah-resolver… Ralf Weber
- Re: [DNSOP] Call for Adoption: draft-sah-resolver… tirumal reddy
- Re: [DNSOP] Call for Adoption: draft-sah-resolver… tirumal reddy
- Re: [DNSOP] [Ext] Call for Adoption: draft-sah-re… Joe Abley
- Re: [DNSOP] [Ext] Call for Adoption: draft-sah-re… Paul Hoffman
- Re: [DNSOP] [Ext] Call for Adoption: draft-sah-re… Paul Hoffman
- Re: [DNSOP] [Ext] Call for Adoption: draft-sah-re… Paul Ebersman
- Re: [DNSOP] [Ext] Call for Adoption: draft-sah-re… Ben Schwartz
- Re: [DNSOP] [Ext] Call for Adoption: draft-sah-re… Ralf Weber
- Re: [DNSOP] [Ext] Call for Adoption: draft-sah-re… Brian Dickson
- Re: [DNSOP] [Ext] Call for Adoption: draft-sah-re… John Levine
- Re: [DNSOP] [Ext] Call for Adoption: draft-sah-re… tirumal reddy
- Re: [DNSOP] [Ext] Call for Adoption: draft-sah-re… Tim Wicinski