IETF Logo Mail Archive

Re: [DNSOP] Call for Adoption: draft-wkumari-dnsop-extended-error

Paul Wouters <paul@nohats.ca> Mon, 31 July 2017 13:57 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CCBB1322F5 for <dnsop@ietfa.amsl.com>; Mon, 31 Jul 2017 06:57:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SqBBkrkMiFUG for <dnsop@ietfa.amsl.com>; Mon, 31 Jul 2017 06:57:16 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 482641322F4 for <dnsop@ietf.org>; Mon, 31 Jul 2017 06:57:16 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3xLgxP5t8Pz3Bm; Mon, 31 Jul 2017 15:57:13 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1501509433; bh=7fH4FJE6zWA/vPJkEF3kMjwCeBL5bYI3Loz6xiLgXX4=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=f/t/A/F/G6kqsNXcFneA4VWk3yufBXiyuZWUSJh90SnbQ5pG21Hu3dVPgKgAS+p/L ZCIrb3Yy7SoD8c8qu3MrrwnW6VQWrqirEny7PzlnRnGRM4S5mROMbESMX1KdEpFIHe f8erelzu/DzG8Hg7H33ux+y+r3hnqMtYygc8C2os=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id pcAky0O94XkQ; Mon, 31 Jul 2017 15:57:12 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Mon, 31 Jul 2017 15:57:12 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 8707730AF32; Mon, 31 Jul 2017 09:57:11 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 8707730AF32
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 8088E40D3592; Mon, 31 Jul 2017 09:57:11 -0400 (EDT)
Date: Mon, 31 Jul 2017 09:57:11 -0400
From: Paul Wouters <paul@nohats.ca>
To: Evan Hunt <each@isc.org>
cc: Joe Abley <jabley@hopcount.ca>, Shane Kerr <shane@time-travellers.org>, dnsop@ietf.org
In-Reply-To: <20170730074253.GA33522@isc.org>
Message-ID: <alpine.LRH.2.21.1707310953260.21291@bofh.nohats.ca>
References: <CADyWQ+Ffu8JOn6co184PC-Uvv4G1qYU3d0ZchupRJEDDmfYKaw@mail.gmail.com> <CAJE_bqf7R7ZW5ixcZdOcaHDso+C5QbtGbz+Z1mOs+p9_C2_cAg@mail.gmail.com> <alpine.LRH.2.21.1707290851010.26738@bofh.nohats.ca> <53F8E12A-85F9-44F1-9CA5-F546244832D0@time-travellers.org> <8506D4D8-E31B-4AEB-AC7E-4C89EAEEA9DC@hopcount.ca> <20170730074253.GA33522@isc.org>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/tzVHWtCH4L1PntuiZikbXmPsVCM>
Subject: Re: [DNSOP] Call for Adoption: draft-wkumari-dnsop-extended-error
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Jul 2017 13:57:18 -0000

On Sun, 30 Jul 2017, Evan Hunt wrote:

> It's clearly helpful for human debugging.
>
> But, yes, you're correct -- diagnostic information included with a
> SERVFAIL is about as trustworthy as the AD bit, and in the absence of an
> authentication mechanism such as TSIG, clients should not rely on it or
> base policy on it.

But we know people are already building software and systems that DO
trust the AD bit, even with non-localhost resolv.conf entries. This
saves them the overhead of adding a dnssec library to their application,
and saves them from running a system resolving understanding dnssec.

So I'm pretty worried that people will treat new unprotected error
codes exactly the same. They'll handwave and say that's the system
administrator's issue to solve, not the application's responsibility.

> Some of the error codes might be trustworthy enough if you're using COOKIE
> or TCP; that would enusre at least that it wasn't an off-path forgery.

That's a very small use case with pervasive monitoring and
coffeeshop and hotel wifi.

> This should be spelled out in more detail in the security considerations.

I'm seriously afraid that's not going to matter at all when people
implement this.

Paul

v2.23.0 | Report a Bug | By Email