Re: [DNSOP] DNSSEC as a Best Current Practice
Ted Lemon <mellon@fugue.com> Mon, 21 March 2022 08:26 UTC
Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 151CA3A18DF for <dnsop@ietfa.amsl.com>; Mon, 21 Mar 2022 01:26:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N2F3wGxbCI6a for <dnsop@ietfa.amsl.com>; Mon, 21 Mar 2022 01:26:12 -0700 (PDT)
Received: from mail-oi1-x235.google.com (mail-oi1-x235.google.com [IPv6:2607:f8b0:4864:20::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39D953A18E1 for <dnsop@ietf.org>; Mon, 21 Mar 2022 01:26:11 -0700 (PDT)
Received: by mail-oi1-x235.google.com with SMTP id o64so15468538oib.7 for <dnsop@ietf.org>; Mon, 21 Mar 2022 01:26:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SNp4d8eF9h3sTofbpkZuEvF2IeYmRFMzkKEhOn1QTI0=; b=y5OAzZXs4DsgSKIYcU3B7vSJaVsXXgZdWW9Ai0QwJv7jD8yS1ymy6/9q3Q6mwFI/1X u5o5WgFtgtDc1KUh8PGiIh+jQ5bzinS8xLZqog5WqLtt1NcCRMXcW82xKqaghh1LTn50 zBZ+s+e5H1fSRBFr+teF5dQXLGP2tZ+CXFTRtE/EqC373lPFSDrJDFs52D0MLP70jE4D 34VkMYU/DMkvG+EEiENHYtbN0SMgT+/lmEvEcFZ2udY0UoCvgu0IYvd1DbH4fsLUrAB1 OfzedIUMizLfeFbtk+tj3f3tPVqJ8OMFdmLWsNJJ0mkns/fugarVpf1RB3wiz6twEsEf 4gLQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SNp4d8eF9h3sTofbpkZuEvF2IeYmRFMzkKEhOn1QTI0=; b=IADHlLybPbsMOGyIAbVVM9MxiBQtx76emLUzihJaw3NYydBGYr2Nr8vDIeAn2uqCnD 1ss/W7nH51Tgo1fW1+/1GcmhuAWM2WfZ9nkNNtiKEmSiGeI597ssGWCe2rv0e103+ZcW JgQDULm+aSxhnUAtVy0iCgp7FAKAwNV5A15AjAX6IHpe3opV3Cdd2n3MXbo0Ldkl7fRB sejwEa6MRB9ySVzQ6uezeJK0IZlR54uIaNFhlkWe/8tLhkgXbwPkAE1hb/UyiVpWpvJV r3cLuk9dPOE/TKJM+b7Hx+mkbchgMNWFdfFVJEvlx37dbvzQfw1ukzj1VyBMNkZRZ33l 2K1A==
X-Gm-Message-State: AOAM5325HV+YnHqB6+islw/rAi9gkg5pkSkjaTvdUod3Bsq/EHjEdgx+ 4Q3Tb4AHmzfj4sUTafsdmX7f4+rG1S14UZ9dwFYxgf5XqptD4re1+a8=
X-Google-Smtp-Source: ABdhPJyhdWAPYSuUWrQbTZVGn1fVR+ovROQW+yQ5Gjv+7mox7k1KLLsOkHcXWtVSU+1/4PcvKmKes3ERYzt3VtXy8iQ=
X-Received: by 2002:aca:1919:0:b0:2ec:b56e:6932 with SMTP id l25-20020aca1919000000b002ecb56e6932mr9195506oii.209.1647851170794; Mon, 21 Mar 2022 01:26:10 -0700 (PDT)
MIME-Version: 1.0
References: <7aaed092-8877-ec15-9b7b-5d488e383d04@necom830.hpcl.titech.ac.jp> <7C43871E-60AF-485D-8AB3-65E72539F831@nohats.ca> <59fdc791-4482-141b-03b4-bc27e8824f31@necom830.hpcl.titech.ac.jp>
In-Reply-To: <59fdc791-4482-141b-03b4-bc27e8824f31@necom830.hpcl.titech.ac.jp>
From: Ted Lemon <mellon@fugue.com>
Date: Mon, 21 Mar 2022 09:25:34 +0100
Message-ID: <CAPt1N1maPf2zrEkyXL1yqkkNbVOR6sUyLXZv2Lc_r4=iVhVO=w@mail.gmail.com>
To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Cc: Paul Wouters <paul@nohats.ca>, dnsop@ietf.org
Content-Type: multipart/alternative; boundary="000000000000ada2a505dab63faa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/TrTNuwWw337SCViSe1NHTn_zqAw>
Subject: Re: [DNSOP] DNSSEC as a Best Current Practice
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Mar 2022 08:26:18 -0000
On Mon, Mar 21, 2022 at 9:02 AM Masataka Ohta < mohta@necom830.hpcl.titech.ac.jp> wrote: > If a resolver correctly knows an IP address of a nameserver of a > parent zone and the resolver and the nameserver can communicate > with long enough ID, the resolver can correctly know an IP > address of a nameserver of a child zone, which is secure enough > data origin security. > It's pretty easy to intercept all packets destined for a particular IP address and spoof the responses. IETF can do nothing if some government legally force > people to install some government provided certificates > to some PKI, including DNSSEC, which is as easy as > MitM attacks on ISP chain may be by government order. Attacks of this nature are in principle detectable. The way to detect them is to notice these forcibly injected certificates based on the public keys presented in them. Of course, you need to have a source of truth, and nothing is perfect, but also, the best is the enemy of good enough. There's been plenty of discussion and research on the topic of how to notice that forged certificates are being presented. What I don't see happening (maybe I'm missing it) is this stuff being deployed in the real world. As for using "something like cookies" to secure the communications channel, this is functionally the same problem as noticing that certificates have been forged, but gets you a lot less benefit in practice, because you have to have a secure channel to each thing you want to be able to validate, or else you have to have a server that is able to do such validation for you and a secure channel to it (which amounts to the same thing). So although DNSSEC is complicated, and it's easy to talk about simpler solutions, whenever you dig into the details, what you find is that either they don't actually deliver what DNSSEC delivers, or else they wind up being more complicated and harder to operate. Security doesn't come for free.
- [DNSOP] Is DNSSEC a Best Current Practice? Paul Hoffman
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Paul Wouters
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Tim Wicinski
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Stephen Farrell
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Bill Woodcock
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Grant Taylor
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Colm MacCárthaigh
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Livingood, Jason
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Grant Taylor
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Yasuhiro Orange Morishita / 森下泰宏
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Tim Wicinski
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Paul Vixie
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Mukund Sivaraman
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Tim Wicinski
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Masataka Ohta
- Re: [DNSOP] Is DNSSEC a Best Current Practice? Viktor Dukhovni
- [DNSOP] DNSSEC as a Best Current Practice Paul Hoffman
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Ted Lemon
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Ted Lemon
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Jim Reid
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Jim Reid
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice David Conrad
- Re: [DNSOP] DNSSEC as a Best Current Practice Brian Dickson
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Bjørn Mork
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Bjørn Mork
- Re: [DNSOP] DNSSEC as a Best Current Practice Joe Abley
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] [Ext] DNSSEC as a Best Current Practi… Paul Hoffman
- Re: [DNSOP] DNSSEC as a Best Current Practice Brian Dickson
- Re: [DNSOP] DNSSEC as a Best Current Practice Ted Lemon
- Re: [DNSOP] [Ext] DNSSEC as a Best Current Practi… Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Dr Eberhard W Lisse
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Dr Eberhard W Lisse
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Ted Lemon
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Vixie
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Bjørn Mork
- Re: [DNSOP] DNSSEC as a Best Current Practice Brian Dickson
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] [Ext] DNSSEC as a Best Current Practi… Paul Hoffman
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] [Ext] DNSSEC as a Best Current Practi… Masataka Ohta
- Re: [DNSOP] [Ext] DNSSEC as a Best Current Practi… Jerry Lundström
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] [Ext] DNSSEC as a Best Current Practi… Jim Reid
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta
- Re: [DNSOP] DNSSEC as a Best Current Practice james
- Re: [DNSOP] DNSSEC as a Best Current Practice Paul Wouters
- Re: [DNSOP] DNSSEC as a Best Current Practice Tim Wicinski
- Re: [DNSOP] DNSSEC as a Best Current Practice Mukund Sivaraman
- Re: [DNSOP] DNSSEC as a Best Current Practice Masataka Ohta