Re: [DNSOP] DNSSEC as a Best Current Practice
Brian Dickson <brian.peter.dickson@gmail.com> Mon, 21 March 2022 20:01 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1DC03A1510 for <dnsop@ietfa.amsl.com>; Mon, 21 Mar 2022 13:01:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3VmlscmsHDiy for <dnsop@ietfa.amsl.com>; Mon, 21 Mar 2022 13:01:18 -0700 (PDT)
Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E34B23A0A50 for <DNSOP@ietf.org>; Mon, 21 Mar 2022 13:01:17 -0700 (PDT)
Received: by mail-ed1-x52e.google.com with SMTP id w4so19198669edc.7 for <DNSOP@ietf.org>; Mon, 21 Mar 2022 13:01:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=1ZhcdW4pwv5jJOKpVephe5Y8Y0ROneAC+FmfSF24wSE=; b=Dxr3bMLTbhMH9A/bE4ERZlKqatzQmXU/AQhJxGPkZLgW7+WDz5E9HFp1axKdE/nauz tVfUtRWxVJiXiH1cxdjkE28saqxc/eGmB0niUCVxzMCUD4JpRr9U+laErSMngVgk5gFW 5/3Gk8k/O/NVNXa0WVG85NXqwdzVMSX/wJ75k9Aa81YtR5M/4soP4tdvx+Lo7nD3snyC uQCb6FV7rU65QuLMbrTRIcJhQMGcLmKtRrVd9oVtLE9XtFpjKYskix64i4keY/YsySnv RtHYdac6GC+Sew1NaMulHNh9BlDzRZqN44iuCK1NKseGb94MAMWEHlISY4aBYixknlG3 Ug3Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=1ZhcdW4pwv5jJOKpVephe5Y8Y0ROneAC+FmfSF24wSE=; b=4GvMpeGnmKDCuLi5vRImSw58EMzl9ZdlvfGIs2sGGvprk0DhVTYzXkcJ0RKywD3RJj SMfQivWvSJ4dJ9/5HIyKJIA8/dZI6XXufWEvjGDLG5aV3QhKC43yyjaqCw4Pp/7wq5Dd c7PcCPOZhA4lIOnPbcvn4yh4AVTCooRrGy0cT8PkpQIQXlKl5vksPsIhmh8kJxWT+6PT Sqz1d3Dnt9fbdTlLSW8IE5z81oqQh1o1/SGiVqsBzG5Rt9h7H8G6bKr1fO5G3B+Ot3Rf StGi515lQ6zgIjxEKFggsPnpTaoF0/OLlcf3OwPatQRCQA4golSXTIM4sJi6KpZERpYb QACw==
X-Gm-Message-State: AOAM533HNAwI56JUVcZq5B2bpdz/nOOeXjw+MB5FR0EcADAzkcLr1Kqi 9LaaYz3EE74pao1yN13QZTznoY+2aWtwrd2379kJFKoD
X-Google-Smtp-Source: ABdhPJzLG7JY5stnP1xXzz2D7bwK7N1c8F9+WJx4fLGzvfFSjcHXobxJZ/SEwDOwPnpFEp4kHF8sV2DynPgYIJj1fg4=
X-Received: by 2002:a50:d949:0:b0:418:ecfe:8c25 with SMTP id u9-20020a50d949000000b00418ecfe8c25mr24713283edj.156.1647892875824; Mon, 21 Mar 2022 13:01:15 -0700 (PDT)
MIME-Version: 1.0
References: <7aaed092-8877-ec15-9b7b-5d488e383d04@necom830.hpcl.titech.ac.jp> <7C43871E-60AF-485D-8AB3-65E72539F831@nohats.ca> <59fdc791-4482-141b-03b4-bc27e8824f31@necom830.hpcl.titech.ac.jp> <1cd37a4-2f80-5a8c-f377-d224a363d76@nohats.ca> <6d46abd6-60ca-d896-6408-fe83a83895cf@necom830.hpcl.titech.ac.jp>
In-Reply-To: <6d46abd6-60ca-d896-6408-fe83a83895cf@necom830.hpcl.titech.ac.jp>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Mon, 21 Mar 2022 13:01:04 -0700
Message-ID: <CAH1iCir6OdMWZLFnP_=me+PFhYL+FxTjhEjKFO32+g61JgjnNg@mail.gmail.com>
To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Cc: "dnsop@ietf.org WG" <DNSOP@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007dd3c405dabff524"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ATZlE6omzzq8lPUsqpnKXnhz9u0>
Subject: Re: [DNSOP] DNSSEC as a Best Current Practice
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Mar 2022 20:01:23 -0000
On Mon, Mar 21, 2022 at 5:28 AM Masataka Ohta < mohta@necom830.hpcl.titech.ac.jp> wrote: > Paul Wouters wrote: > > >> If a resolver correctly knows an IP address of a nameserver of a > >> parent zone > > > > This statement seems a recursion of the original problem statement?] > > What? > > The statement is not more demanding for resolvers to be configured > with correct certificates. > I'm presuming you mean "DNSSEC ICANN/IANA Root Trust Anchor", which is a public key, not a certificate per se. I presume you're comparing two models, one using DNSSEC, and one where no DNSSEC validation is done ever (replaced with TLS, either DNS over TLS to Authority, or DNS over HTTPS to Authority, including root, TLD and all authority servers for all zones). I'll use that assumption in the remainder of this message... > > > This would not help for on-path attackers (without DoT, DoH) > > See below. > > > How would this be safe against the current BGP attacks we are seeing? > > Are you saying connecting to an IP address secured by DNSSEC > is safe even under BGP attacks? > The complete model of using DNSSEC involves also using TLSA records (DANE). In the DNSSEC-protected TLSA record model, BGP attacks have no direct impact on DNSSEC-protected zones, including BOTH the address records (A/AAAA) AND the TLS information (complete certificate, or public key, or hash of either of those), and consequently no impact on the TLS connections subsequent to the DNS lookups (i.e. no possible cert-level MITM or web site spoofing). The exclusive capability of a MITM would be to DOS the DNS lookups, or to block the TLS set-up (if the attacker were on the data path to the endpoint). So, yes, a web site properly protected using all of the DNSSEC-based capabilities, where the client software was doing the validation using the corresponding methods, would be safe against any and all MITM attacks, including BGP. Note that this is already the case for SMTP (using SMTPS via TLSA records). Those SMTP connections between parties publishing and validating TLSA records are not subject to downgrade attacks, and only properly validated endpoints can communicate (securely). > > >> As for MitM attacks, PKI, in general, is insecure against > >> them as was demonstrated by diginotar. So, don't bother. > > > > DNSSEC is more hierarchical than the "bag of CAs", so a failure > > like this would be more contained. Regardless, I do not understand > > how PKI failures relate to DNS? > > Are you saying you don't understand DNSSEC is a form of PKI? > I'm reasonably sure that Paul W meant "WebPKI" when he said PKI. WebPKI is effectively a "flat namespace" sort of PKI, meaning a bunch of CAs all have the right to issue certificates, with no exclusivity (which is part of what lead to the diginotar thing). By comparison, DNSSEC is an exclusively hierarchical, singular control point PKI system. At each level of the hierarchy, the public keys are under the exclusive control of the zone owner/administrator/operator, and signed by the parent zone. (Any concerns on the out-of-band update aspects are potentially worthy of work, but that is also the case for the OOB update aspects for WebPKI.) > > >> IETF can do nothing if some government legally force > >> people to install some government provided certificates > >> to some PKI, including DNSSEC, which is as easy as > >> MitM attacks on ISP chain may be by government order. > > > > With DNSSEC, a government in country X cannot spoof data of > > country Y, they can only block it. > > Country X legally forcing people to install government provided > root certificates can freely spoof PKI, including DNSSEC, data > of country Y. > This is another place where the "flat" WebPKI vs the "hierarchical" DNSSEC models are not exactly the same. In addition to resolvers, end hosts have the ability to do DNSSEC validation (on data received from resolvers). Any host (resolver or end host) is capable of installing trust anchors for any level of the DNS hierarchy, which would preempt any spoofed delegation information (DS records) and reduce unsigned delegation spoofery to the aforementioned DOS level of interference. End hosts would never see the spoofed answers. End hosts may also have some ability to make use of other resolvers (very much dependent on local conditions, of course). The scope of what country X can do with respect to country Y, is limited by any number of orthogonal elements. Those include - geographical limits (e.g. the physical boundary of country X) - topological considerations (all the paths from every host/user to the outside world) - resolvers reachable by any/all hosts/users - host/application configuration on all of the resolvers and hosts - necessity of altering responses at every level of the DNS hierarchy by on-path changes for all of the above elements Additionally, outside of the physical geographical boundary of country X, nothing country X can do can accomplish the spoofing of data of country Y. And within country X, the necessity of asserting configuration control of resolvers and hosts, would seem to be an extremely high bar for a state actor. > > > Again, I think perhaps you should write this up in a draft, so > > we can see how your proposal would cover everything that DNSSEC > > covers. > > Before diginotar, maybe. After that, I don't think it necessary > any more. > Honestly, rather than spending any effort in that area, any concern about protecting TLS connections would best be done by convincing web browser software vendors to implement DANE (TLSA) validation. Brian
- [DNSOP] Is DNSSEC a Best Current Practice? Paul Hoffman
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Paul Wouters
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Tim Wicinski
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Stephen Farrell
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Bill Woodcock
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Grant Taylor
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Colm MacCárthaigh
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Livingood, Jason
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Grant Taylor
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Yasuhiro Orange Morishita / 森下泰宏
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Tim Wicinski
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Paul Vixie
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Mukund Sivaraman
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Tim Wicinski
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Masataka Ohta
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Viktor Dukhovni
- [DNSOP] DNSSEC as a Best Current Practice Paul Hoffman
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Ted Lemon
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Ted Lemon
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Jim Reid
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Jim Reid
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice David Conrad
- Re: [DNSOP] DNSSEC as a Best Current Practice Brian Dickson
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Bjørn Mork
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Bjørn Mork
- Re: [DNSOP] DNSSEC as a Best Current Practice Joe Abley
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] [Ext] DNSSEC as a Best Current Practi… Paul Hoffman
- Re: [DNSOP] DNSSEC as a Best Current Practice Brian Dickson
- Re: [DNSOP] DNSSEC as a Best Current Practice Ted Lemon
- Re: [DNSOP] [Ext] DNSSEC as a Best Current Practi… Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Dr Eberhard W Lisse
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Dr Eberhard W Lisse
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Ted Lemon
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Vixie
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Bjørn Mork
- Re: [DNSOP] DNSSEC as a Best Current Practice Brian Dickson
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] [Ext] DNSSEC as a Best Current Practi… Paul Hoffman
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] [Ext] DNSSEC as a Best Current Practi… Masataka Ohta
- Re: [DNSOP] [Ext] DNSSEC as a Best Current Practi… Jerry Lundström
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] [Ext] DNSSEC as a Best Current Practi… Jim Reid
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice james
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] DNSSEC as a Best Current Practice Tim Wicinski
- Re: [DNSOP] DNSSEC as a Best Current Practice Mukund Sivaraman
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta