Re: [DNSOP] Privacy and DNSSEC

Vittorio Bertola <vittorio.bertola@open-xchange.com> Mon, 27 April 2020 09:48 UTC

Date: Mon, 27 Apr 2020 11:47:53 +0200
From: Vittorio Bertola <vittorio.bertola@open-xchange.com>
To: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/gV1c_40J0OothWfi6NGO4Legz7Q>

> On 25/04/2020 08:23 Vladimír Čunát <vladimir.cunat+ietf@nic.cz> wrote:
>
> Still, note that for some consumers the secure transport may be an argument to drop validating DNSSEC themselves. If they choose some DNS provider that they trust with privacy (it might be their ISP), it seems not a huge leap to trust them with DNS integrity as well (say, the provider doing DNSSEC validation). Especially as today "regular users" don't get that much benefit from validation, mostly relying on https/tls.
> 
In any case, for most users today DNSSEC validation is done by the resolver and not on their device, and in that case the length of the leap you mention is zero: you already have to take the resolver's word for the fact that the result of DNSSEC validation really was what the resolver tells you, so there is no additional security in knowing that the resolver says that it did DNSSEC validation and it was ok.

There is for the resolver, of course, but this means that the resolver can evaluate independently how to trust the results that it gets for its queries; it could rely on DNSSEC, or it could rely on some form of authentication of the authoritatives (e.g. ADo* and/or PKI), or on any other existing or new mechanism.

>
> Some of them also want a variant of DNS filtering, which still clashes with validation a bit (if done *after* filtering).
>
Which is one more reason why clients might prefer "trust whatever the secure resolver says" to "trust the DNSSEC information that the resolver puts in your results". DNSSEC and DNS filtering are incompatible by design, and if you have to choose between the two, many users will prefer the latter.

Of course, this changes if we go into the "resolverless" mode envisaged by a couple of the ADD drafts, or in the currently rare case when the client is not a stub and does full resolution directly (the two things are IMHO architecturally equivalent). In that case, the client's security would really benefit from doing DNSSEC validation directly.

--

Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bertola@open-xchange.com
Office @ Via Treviso 12, 10144 Torino, Italy
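Added example, not part of the message above or of any DNS implementation: a small Python sketch of the DNS header flag bits the argument turns on, showing that the AD bit a non-validating stub receives is a bare, unsigned flag set by whoever forms the response, and classifying what the client's trust actually rests on in the three client models discussed (stub over plain DNS, stub over a secure transport, validating or resolverless client). The headers are constructed in memory; the classification labels are my own.

```python
"""DNS header flags and the AD bit, illustrating the trust models in the thread.
All messages are constructed here; nothing touches the network."""
import struct

# Flag bits of the 16-bit DNS header flags word (RFC 1035; AD and CD from RFC 4035).
FLAGS = {"QR": 0x8000, "AA": 0x0400, "TC": 0x0200, "RD": 0x0100,
         "RA": 0x0080, "AD": 0x0020, "CD": 0x0010}

def build_header(msg_id, flag_names, qd=1, an=1, ns=0, ar=0):
    """Serialize the fixed 12-byte DNS header with the named flags set."""
    flags = 0
    for name in flag_names:
        flags |= FLAGS[name]
    return struct.pack("!HHHHHH", msg_id, flags, qd, an, ns, ar)

def parse_flags(header):
    """Return the set of flag names that are set in a 12-byte DNS header."""
    flags = struct.unpack("!H", header[2:4])[0]
    return {name for name, bit in FLAGS.items() if flags & bit}

def set_ad(header, value):
    """Return a copy of the header with the AD bit forced on or off.
    RRSIGs cover RRsets, not the header, so the AD bit itself is never signed:
    it is purely the responding resolver's assertion that it validated."""
    flags = struct.unpack("!H", header[2:4])[0]
    flags = flags | FLAGS["AD"] if value else flags & ~FLAGS["AD"]
    return header[:2] + struct.pack("!H", flags) + header[4:]

def trust_basis(response_header, secure_transport, validates_locally):
    """(who the client really trusts for integrity, whether the resolver claimed AD).
    - A non-validating stub can only read the resolver's AD claim, so its basis is
      the resolver; a secure transport (DoT/DoH) only authenticates *which* resolver
      made that claim. Reading AD adds no independent evidence.
    - A validating stub, or a resolverless / full-resolution client, checks the
      RRSIG chain to its own trust anchor and can ignore the resolver's AD bit."""
    ad_claimed = "AD" in parse_flags(response_header)
    if validates_locally:
        return ("trust-anchor", ad_claimed)
    party = "authenticated-resolver" if secure_transport else "unauthenticated-resolver"
    return (party, ad_claimed)

if __name__ == "__main__":
    # Constructed response: a recursive resolver answering with AD=1.
    resp = build_header(0x1234, {"QR", "RD", "RA", "AD"})
    print(sorted(parse_flags(resp)))                 # ['AD', 'QR', 'RA', 'RD']
    print(trust_basis(resp, False, False))           # plain-DNS stub: resolver's word
    print(trust_basis(resp, True, False))            # DoT/DoH stub: still the resolver
    print(trust_basis(set_ad(resp, False), True, True))  # validating client
```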