Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt

Paul Wouters <paul@nohats.ca> Tue, 29 September 2015 05:34 UTC

Date: Tue, 29 Sep 2015 01:33:57 -0400
From: Paul Wouters <paul@nohats.ca>
To: Mukund Sivaraman <muks@isc.org>
In-Reply-To: <20150929045345.GC4513@jurassic.l0.malgudi.org>
Message-ID: <alpine.LFD.2.20.1509290129380.28073@bofh.nohats.ca>
References: <20150926191009.28433.58915.idtracker@ietfa.amsl.com> <20150926191551.GA32562@jurassic.l0.malgudi.org> <20150928173028.GA2328@mycre.ws> <20150928173255.GA23429@jurassic.l0.malgudi.org> <20150928182004.GA3197@mycre.ws> <56098631.4060607@redbarn.org> <alpine.LFD.2.20.1509281435590.5153@bofh.nohats.ca> <20150929045345.GC4513@jurassic.l0.malgudi.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/L-Jhlj9mxQyMXrPFK2bqTccJZOA>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] New Version Notification for draft-muks-dns-message-checksums-00.txt

On Tue, 29 Sep 2015, Mukund Sivaraman wrote:

> On the other hand, DNSSEC requires signatures for each RRset, bloating messages

Just like TLS is bloating HTTP? :)

> Anyway, I'll explain with an example why DNSSEC is not sufficient to
> protect against DNS message modifications. Assume a company provides a
> service in different countries. They want users in each country to use
> the local CDN only, let's assume because users have no route to other
> CDNs outside the country or because it's too expensive to service data
> from other countries. They use views in DNS, each serving a different
> country, and the A/AAAA records returned by the authoritative server
> provide the correct IP address for that country. Assume that zones in
> these views are signed using the same KSK/ZSK.
>
> This will work fine, but an attacker who has access to country A's
> response may succeed in poisoning a message in country B with A's data
> and DNSSEC validation will not catch it. DNSSEC protects each RRset, but
> not the DNS message.

Such a powerful attacker can also just reroute or NAT the IP addresses
of the one CDN to the other. Sure, it might be annoying to you but since
it is still using DNSSEC validated data that you deem valid for some
clients, it shouldn't be the end of the world either.

I'm not convinced this draft is worth doing. But I don't see it causing
much harm either.

Paul
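The split-view scenario from the quoted message, as an added simulation that is not part of this thread or of the draft itself: RRSIG validation is modelled as an HMAC over the canonical RRset (a stand-in for a public-key signature, chosen so the block runs offline), and the draft's mechanism is modelled as a client nonce plus a whole-message digest (an assumption, not the draft's wire format). The names `cdn.example.`, the two addresses and the nonce layout are constructed.

```python
import hashlib
import hmac
import os
import struct

# Constructed example. The zone key and the "RRSIG" below are stand-ins: a real
# RRSIG is a public-key signature, but the property demonstrated is the same,
# namely that it covers the RRset only, not the DNS message carrying it.
ZSK = b"example-zone-signing-key"

def canonical_rrset(owner, rtype, rdata):
    return b"|".join([owner.lower().encode(), rtype.encode()] + sorted(r.encode() for r in rdata))

def sign_rrset(owner, rtype, rdata, key=ZSK):
    return hmac.new(key, canonical_rrset(owner, rtype, rdata), hashlib.sha256).digest()

def validate_rrset(owner, rtype, rdata, rrsig, key=ZSK):
    return hmac.compare_digest(sign_rrset(owner, rtype, rdata, key), rrsig)

def build_response(txid, owner, rtype, rdata, rrsig, client_nonce):
    # Simplified wire layout: txid | answer RRset | RRSIG, plus a digest over the
    # client's nonce and the whole message (assumed model of a message checksum).
    body = struct.pack("!H", txid) + canonical_rrset(owner, rtype, rdata) + rrsig
    checksum = hashlib.sha256(client_nonce + body).digest()
    return {"txid": txid, "owner": owner, "type": rtype, "rdata": rdata,
            "rrsig": rrsig, "body": body, "checksum": checksum}

def dnssec_accepts(msg):
    # Per-RRset check: any correctly signed RRset from any view passes.
    return validate_rrset(msg["owner"], msg["type"], msg["rdata"], msg["rrsig"])

def checksum_accepts(msg, client_nonce):
    # Whole-message check bound to the nonce this resolver sent in its query.
    return hmac.compare_digest(hashlib.sha256(client_nonce + msg["body"]).digest(), msg["checksum"])

def scenario():
    owner, rtype = "cdn.example.", "A"
    view_a, view_b = ["192.0.2.10"], ["198.51.100.10"]
    # A resolver in country A receives A's view; the reply is captured.
    captured = build_response(0x1234, owner, rtype, view_a, sign_rrset(owner, rtype, view_a), os.urandom(16))
    # A resolver in country B sends its own query with a fresh nonce.
    nonce_b = os.urandom(16)
    genuine = build_response(0x5678, owner, rtype, view_b, sign_rrset(owner, rtype, view_b), nonce_b)
    # The captured A reply, re-labelled with B's transaction id, is replayed toward B.
    replayed = dict(captured, txid=0x5678, body=struct.pack("!H", 0x5678) + captured["body"][2:])
    return {"dnssec_accepts_replay": dnssec_accepts(replayed),
            "checksum_accepts_replay": checksum_accepts(replayed, nonce_b),
            "checksum_accepts_genuine": checksum_accepts(genuine, nonce_b)}
```

The replayed message passes the RRset check, which is Mukund's point, while the nonce-bound message digest rejects it and still accepts the genuine reply.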