[DNSOP] Mea Culpa: Recursive resolver DNSSEC validation is necessary...

Nicholas Weaver <nweaver@icsi.berkeley.edu> Tue, 08 October 2013 16:52 UTC

From: Nicholas Weaver <nweaver@icsi.berkeley.edu>
Content-Type: multipart/signed; boundary="Apple-Mail=_91E6E761-C3CD-4D29-A0F8-3EEB78B1D888"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Date: Tue, 08 Oct 2013 09:52:27 -0700
Message-Id: <B6A9984C-6502-4977-BF9E-BFCDBF9FF64A@icsi.berkeley.edu>
To: "dnsop@ietf.org WG" <dnsop@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
X-Mailer: Apple Mail (2.1510)
Cc: Nicholas Weaver <nweaver@icsi.berkeley.edu>
Subject: [DNSOP] Mea Culpa: Recursive resolver DNSSEC validation is necessary...

I've in general advocated client-side, rather than recursive-resolver, validation, with the client doing "iterative fetch and accept" on all DNSSEC failures.

With the recent revelation that the NSA/GCHQ are doing packet injection on the backbone, at scale, and even using it to target NATO allies, I've changed my tune.  Even forgetting about the NSA/GCHQ directly, they've now implicitly said "hey, it's OK" for everyone else to do it, too.

Backbone DNS injection allows converting a man-on-the-side attacker (who, e.g., even with a certificate, can't intercept TLS using perfect forward secrecy, and who when attacking HTTP can only see requests before deciding what to do) into a full man-in-the-middle, as long as the attacker knows the target's recursive resolver.


Thus I've changed my tune:

1:  Recursive resolvers MUST validate DNSSEC as well as clients.  Not because I trust the recursive resolver, but because there is now an adversary set where recursive resolver validation does help, and it's an easier point at which to do it.

2:  Validation failures due to bad signatures/etc MUST result in a failure unless specifically whitelisted.

3:  Future protocols MUST support "Connect by multiple name" semantics:  Given MULTIPLE names, only connect if all K names have the same IP after resolution.  (This enables multiple-validation-path DNSSEC, which is a pretty uni).


--
Nicholas Weaver                  it is a tale, told by an idiot,
nweaver@icsi.berkeley.edu                full of sound and fury,
510-666-2903                                 signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
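The policy in points 2 and 3 above, as an added example that is not part of the original message or of any DNS software: a small client-side layer that treats a bogus (validation-failed) answer as a hard failure unless the name is explicitly whitelisted, and that implements "connect by multiple name" by resolving all K names and only handing back an address set when every name agrees. The resolver is injected as a callable so the code runs offline; the names, the RFC 5737 documentation addresses, and the `honest_lookup` / `injected_lookup` functions are constructed sample data, not real DNS responses.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable


@dataclass(frozen=True)
class Answer:
    """One resolver reply for one name (constructed sample data, not a real DNS message)."""
    addresses: FrozenSet[str]
    validation: str  # "secure", "insecure" (unsigned zone) or "bogus" (signature check failed)


Lookup = Callable[[str], Answer]


class ValidationFailure(Exception):
    pass


class NameDisagreement(Exception):
    pass


def resolve_with_policy(name: str, lookup: Lookup,
                        whitelist: FrozenSet[str] = frozenset()) -> FrozenSet[str]:
    """Point 2: a bogus answer is a hard failure unless the name is explicitly whitelisted.

    An unsigned ("insecure") zone is not a validation failure and is returned as-is;
    an empty answer is treated as a failure so that a "no addresses" forgery cannot
    slip through the agreement check below.
    """
    ans = lookup(name)
    if ans.validation == "bogus" and name not in whitelist:
        raise ValidationFailure(name)
    if not ans.addresses:
        raise ValidationFailure(f"{name}: empty answer")
    return ans.addresses


def connect_by_multiple_names(names: Iterable[str], lookup: Lookup,
                              whitelist: FrozenSet[str] = frozenset()) -> FrozenSet[str]:
    """Point 3: resolve all K names and return an address set only if every name agrees.

    An injector who can only forge the answer for one name (or along one resolver
    path) produces a mismatch, and the connection is refused.
    """
    names = list(names)
    if not names:
        raise ValueError("need at least one name")
    sets = [resolve_with_policy(n, lookup, whitelist) for n in names]
    for n, s in zip(names[1:], sets[1:]):
        if s != sets[0]:
            raise NameDisagreement(f"{names[0]} -> {sorted(sets[0])} but {n} -> {sorted(s)}")
    return sets[0]


def decide(names: Iterable[str], lookup: Lookup,
           whitelist: FrozenSet[str] = frozenset()) -> str:
    """Summarise the outcome as a string, convenient for logging and for tests."""
    try:
        addrs = connect_by_multiple_names(names, lookup, whitelist)
    except ValidationFailure as e:
        return f"refuse:bogus:{e}"
    except NameDisagreement:
        return "refuse:disagreement"
    return "connect:" + ",".join(sorted(addrs))


# Constructed sample answers: hypothetical names, RFC 5737 documentation addresses.
HONEST: Dict[str, Answer] = {
    "www.example.net":    Answer(frozenset({"192.0.2.10"}), "secure"),
    "www.example.org":    Answer(frozenset({"192.0.2.10"}), "secure"),  # same host, second name
    "legacy.example.net": Answer(frozenset({"192.0.2.20"}), "bogus"),   # broken signatures
}


def honest_lookup(name: str) -> Answer:
    return HONEST[name]


def injected_lookup(name: str) -> Answer:
    """Simulates a backbone injector racing the real answer for one name only.

    The forged reply is unsigned, which is what a non-validating path hands back.
    """
    if name == "www.example.net":
        return Answer(frozenset({"203.0.113.5"}), "insecure")
    return HONEST[name]


if __name__ == "__main__":
    print(decide(["www.example.net", "www.example.org"], honest_lookup))
    print(decide(["www.example.net", "www.example.org"], injected_lookup))
    print(decide(["legacy.example.net"], honest_lookup))
    print(decide(["legacy.example.net"], honest_lookup, frozenset({"legacy.example.net"})))
```

The agreement check compares whole address sets, so a forged answer that merely adds an address to an otherwise correct set is also refused; the whitelist is keyed on the exact name so that an operator's exception for one known-broken zone does not silently cover its siblings.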