Re: [DNSOP] my dnse vision

Tony Finch <dot@dotat.at> Mon, 10 March 2014 17:44 UTC

Return-Path: <fanf2@hermes.cam.ac.uk>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE3E51A063F for <dnsop@ietfa.amsl.com>; Mon, 10 Mar 2014 10:44:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.447
X-Spam-Level:
X-Spam-Status: No, score=-2.447 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.547] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v9QcGEVopamn for <dnsop@ietfa.amsl.com>; Mon, 10 Mar 2014 10:44:34 -0700 (PDT)
Received: from ppsw-41.csi.cam.ac.uk (ppsw-41-v6.csi.cam.ac.uk [IPv6:2001:630:212:8::e:f41]) by ietfa.amsl.com (Postfix) with ESMTP id 284AF1A0535 for <dnsop@ietf.org>; Mon, 10 Mar 2014 10:44:33 -0700 (PDT)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from hermes-1.csi.cam.ac.uk ([131.111.8.51]:38924) by ppsw-41.csi.cam.ac.uk (smtp.hermes.cam.ac.uk [131.111.8.157]:25) with esmtpa (EXTERNAL:fanf2) id 1WN4FV-0001n6-SH (Exim 4.82_3-c0e5623) (return-path <fanf2@hermes.cam.ac.uk>); Mon, 10 Mar 2014 17:44:25 +0000
Received: from fanf2 by hermes-1.csi.cam.ac.uk (hermes.cam.ac.uk) with local id 1WN4FV-0000AA-LD (Exim 4.72) (return-path <fanf2@hermes.cam.ac.uk>); Mon, 10 Mar 2014 17:44:25 +0000
Date: Mon, 10 Mar 2014 17:44:25 +0000
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-1.csi.cam.ac.uk
To: Phillip Hallam-Baker <hallam@gmail.com>
In-Reply-To: <CAMm+LwjSdvpKKm-nWbx0AUavcGyANkT+mw-FLQQp_R1nEtf==Q@mail.gmail.com>
Message-ID: <alpine.LSU.2.00.1403101737520.13302@hermes-1.csi.cam.ac.uk>
References: <201403051107.s25B7ext069332@givry.fdupont.fr> <02410136-DFE2-42C8-A91E-AA84641AFFCF@ogud.com> <20140305144213.GA19170@laperouse.bortzmeyer.org> <alpine.LSU.2.00.1403051637160.18502@hermes-1.csi.cam.ac.uk> <20140306145020.GA5976@laperouse.bortzmeyer.org> <alpine.LSU.2.00.1403101654150.18502@hermes-1.csi.cam.ac.uk> <CAMm+LwjSdvpKKm-nWbx0AUavcGyANkT+mw-FLQQp_R1nEtf==Q@mail.gmail.com>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/gy0LpV6Xycp0MnW5YfGz8LIn5Po
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Subject: Re: [DNSOP] my dnse vision
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Mar 2014 17:44:37 -0000

Phillip Hallam-Baker <hallam@gmail.com> wrote:
>
> First off it means that if the recursive is being used in discovery-only
> mode it can simply pass data from the authoritative to the stub without
> checking the DNSSEC chain.

If the recursive server is cacheing it needs to do DNSSEC validation to
protect its cache from poisonous authorities.

> The problem comes in that unlike the stub-resolver interaction where we can
> do one key exchange with a service and keep the relationship going for the
> life of the device (i.e. years), a resolver has to maintain relationships
> with thousands to millions of authoritative servers and we probably can't
> rely on these for more than a month or two at a time.

Yes :-/

[...]

> Resolver is connecting to an authoritative to make a request
> really-obvious.com to answer a query from a stub (i.e. this is not a
> pre-fetch).
>
> Resolver has no session key on file so it sends the request in plaintext.

This leakage is bad expecially for recursors with few users and / or
queries for infrequently visited domains.

> It can however be alerted to support for the security protocol in the
> DNSSEC information for the zone.

This is a bad idea because it makes partial deployment difficult - e.g.
staged roll-out of encryption. DNSSEC information is per-zone but
encryption has to be per-server.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
German Bight, Humber, Thames: North or northeast 5 or 6, decreasing 4 or 5.
Slight or moderate. Mainly fair. Moderate or good, occasionally poor.