IETF Logo Mail Archive

Re: [DNSOP] ALT-TLD and (insecure) delgations.

Mark Andrews <marka@isc.org> Thu, 09 February 2017 22:49 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8254D129616 for <dnsop@ietfa.amsl.com>; Thu, 9 Feb 2017 14:49:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E3DADxdFMTsK for <dnsop@ietfa.amsl.com>; Thu, 9 Feb 2017 14:49:05 -0800 (PST)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56903129448 for <dnsop@ietf.org>; Thu, 9 Feb 2017 14:49:04 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.ams1.isc.org (Postfix) with ESMTPS id 201F31FCAB3; Thu, 9 Feb 2017 22:48:56 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id B821B160042; Thu, 9 Feb 2017 22:48:54 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id A1EB616006C; Thu, 9 Feb 2017 22:48:54 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 3Ey25DWePEwj; Thu, 9 Feb 2017 22:48:54 +0000 (UTC)
Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 1B91F160042; Thu, 9 Feb 2017 22:48:54 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 2FB1B63666E6; Fri, 10 Feb 2017 09:48:51 +1100 (EST)
To: Ted Lemon <mellon@fugue.com>
From: Mark Andrews <marka@isc.org>
References: <20170207205554.B6974633BE40@rock.dv.isc.org> <18F2EB0D-5BD0-4CC5-B02C-2E5EA0B8CC23@fugue.com> <20170207214846.B66EF633C6C5@rock.dv.isc.org> <FB835756-2C46-40A9-88ED-2F8ADF812BA6@fugue.com> <20170208052544.862956356F33@rock.dv.isc.org> <FFAFD844-824C-44EA-A4B1-1AD28B4FE95C@fugue.com> <20170208060208.8C8E1635864D@rock.dv.isc.org> <E0A42577-0984-4ADD-8658-91413CBE783D@fugue.com> <20170208194208.DB02C635DD72@rock.dv.isc.org> <CAH1iCipA5nvWJqjdGUwJeeT_eU8EH8VYJU2hX1hJoiTb617K8Q@mail.gmail.com> <20170209163123.56hdbzaluekmvbh7@nic.fr> <20170209195722.DC1AB636586C@rock.dv.isc.org> <0394528C-99CD-41D4-9AB6-844D1318264C@gmail.com> <20170209204506.BC40D6365CBE@rock.dv.isc.org> <12D7473B-3A22-4A8D-9C13-2AEEDEABB879@fugue.com>
In-reply-to: Your message of "Thu, 09 Feb 2017 16:01:12 -0500." <12D7473B-3A22-4A8D-9C13-2AEEDEABB879@fugue.com>
Date: Fri, 10 Feb 2017 09:48:51 +1100
Message-Id: <20170209224851.2FB1B63666E6@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/9iE3qW9nUxZZVjwi21FyWgj3Ql0>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, Brian Dickson <brian.peter.dickson@gmail.com>
Subject: Re: [DNSOP] ALT-TLD and (insecure) delgations.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Feb 2017 22:49:06 -0000

In message <12D7473B-3A22-4A8D-9C13-2AEEDEABB879@fugue.com>, Ted Lemon writes:
>
> On Feb 9, 2017, at 3:45 PM, Mark Andrews <marka@isc.org> wrote:
> > At the moment we have Ted saying that if you want privacy you MUST
> > also turn on DNSSEC validation and implement QNAME minimisation and
> > implement agressive negative caching (still a I-D).
>
> No, I am _not_ saying that.   I am saying that an unsigned delegation
> doesn't help with privacy unless you also specially configure your local
> resolver, and if you are going to specially configure your local
> resolver, then there are several options for how to do that.   The only
> reason you need DNSSEC is that if you specially configure your local
> resolver to lie, then DNSSEC validation will break that.   If you aren't
> doing DNSSEC validation, you can say any old thing in your local resolver
> and the stub will believe it.

And a signed answer doesn't help unless the recursive server is
validating (so it can trust the NXDOMAIN) and has QNAME minimimistion
(to prevent *.alt leaking in the first place) and has agressive
negative caching (so the answer from the minimised QNAME query get
turned into a answer for *.alt).

Now we can put QNAME minimisation into a server.
Now we can put the code to support agressive negative caching into a server.
We can't force validation to be enabled.

We need all three things for the privacy leakage to stop.  Any two
alone doesn't stop it.

The alternative is to do a insecure delegation and build in a default
empty zone for alt.  You then have to take steps to break the privacy
leak by disabling the empty zone.  Additionally it works with all
existing servers if they just add a empty .alt zone.  It doesn't
require validation to be enabled.

It's the difference between defaulting private or not.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email