IETF Logo Mail Archive

Re: [DNSOP] ALT-TLD and (insecure) delgations.

Mark Andrews <marka@isc.org> Thu, 09 February 2017 23:47 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5AD5312945D for <dnsop@ietfa.amsl.com>; Thu, 9 Feb 2017 15:47:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GTZsoBPSQVae for <dnsop@ietfa.amsl.com>; Thu, 9 Feb 2017 15:47:41 -0800 (PST)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6EEB51288B8 for <dnsop@ietf.org>; Thu, 9 Feb 2017 15:47:41 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.ams1.isc.org (Postfix) with ESMTPS id D31761FCAB6; Thu, 9 Feb 2017 23:47:32 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 8613E160042; Thu, 9 Feb 2017 23:47:31 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 6CC8B16006C; Thu, 9 Feb 2017 23:47:31 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 8W2wv9sJT8Ml; Thu, 9 Feb 2017 23:47:31 +0000 (UTC)
Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 58214160042; Thu, 9 Feb 2017 23:47:30 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id D30AD6366A94; Fri, 10 Feb 2017 10:47:26 +1100 (EST)
To: Brian Dickson <brian.peter.dickson@gmail.com>
From: Mark Andrews <marka@isc.org>
References: <20170207205554.B6974633BE40@rock.dv.isc.org> <18F2EB0D-5BD0-4CC5-B02C-2E5EA0B8CC23@fugue.com> <20170207214846.B66EF633C6C5@rock.dv.isc.org> <FB835756-2C46-40A9-88ED-2F8ADF812BA6@fugue.com> <20170208052544.862956356F33@rock.dv.isc.org> <FFAFD844-824C-44EA-A4B1-1AD28B4FE95C@fugue.com> <20170208060208.8C8E1635864D@rock.dv.isc.org> <E0A42577-0984-4ADD-8658-91413CBE783D@fugue.com> <20170208194208.DB02C635DD72@rock.dv.isc.org> <CAH1iCipA5nvWJqjdGUwJeeT_eU8EH8VYJU2hX1hJoiTb617K8Q@mail.gmail.com> <20170209163123.56hdbzaluekmvbh7@nic.fr> <20170209195722.DC1AB636586C@rock.dv.isc.org> <0394528C-99CD-41D4-9AB6-844D1318264C@gmail.com> <20170209204506.BC40D6365CBE@rock.dv.isc.org> <12D7473B-3A22-4A8D-9C13-2AEEDEABB879@fugue.com> <20170209224851.2FB1B63666E6@rock.dv.isc.org> <CAH1iCiqi_xJjwXvsR-x76fcz20NiugnjYqameK1ZHWd+54SLpw@mail.gmail.com>
In-reply-to: Your message of "Thu, 09 Feb 2017 15:09:46 -0800." <CAH1iCiqi_xJjwXvsR-x76fcz20NiugnjYqameK1ZHWd+54SLpw@mail.gmail.com>
Date: Fri, 10 Feb 2017 10:47:26 +1100
Message-Id: <20170209234726.D30AD6366A94@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/uxP9udZgXTC4KCyYWIkcvvOxJqU>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, Ted Lemon <mellon@fugue.com>
Subject: Re: [DNSOP] ALT-TLD and (insecure) delgations.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Feb 2017 23:47:43 -0000

In message <CAH1iCiqi_xJjwXvsR-x76fcz20NiugnjYqameK1ZHWd+54SLpw@mail.gmail.com>
, Brian Dickson writes:
> 
> On Thu, Feb 9, 2017 at 2:48 PM, Mark Andrews <marka@isc.org> wrote:
> 
> >
> > In message <12D7473B-3A22-4A8D-9C13-2AEEDEABB879@fugue.com>, Ted Lemon
> > writes:
> > >
> > > On Feb 9, 2017, at 3:45 PM, Mark Andrews <marka@isc.org> wrote:
> > > > At the moment we have Ted saying that if you want privacy you MUST
> > > > also turn on DNSSEC validation and implement QNAME minimisation and
> > > > implement agressive negative caching (still a I-D).
> > >
> > > No, I am _not_ saying that.   I am saying that an unsigned delegation
> > > doesn't help with privacy unless you also specially configure your local
> > > resolver, and if you are going to specially configure your local
> > > resolver, then there are several options for how to do that.   The only
> > > reason you need DNSSEC is that if you specially configure your local
> > > resolver to lie, then DNSSEC validation will break that.   If you aren't
> > > doing DNSSEC validation, you can say any old thing in your local resolver
> > > and the stub will believe it.
>
> Suppose a signed delegation for alt, to some widely operated, centrally
> managed servers (say, the arpa servers).

All delegations from the root are signed as the root zone is signed.
The difference is it a secure delegation (with DS record) or a
insecure delegation (proof of non existance of the DS).

I'd insecurely delegate alt to the root servers themselves.  There
is no point in spreading the leakage.

> Now suppose an unsigned delegation for some other name under alt, such as
> "foo.alt", to an empty zone on the same set of servers.
> 
> The only difference here is where the unsigned delegation is, and what the
> scope of that delegation is.
> 
> In this scenario, any local "foo.alt" can lie about the contents of
> "foo.alt", because it is outside of the secure delegation chain from the
> root.
> 
> The only difference is that the delegation is not directly from the root.
> 
> Any other name under "alt" would have its existence securely denied, unless
> and until a request for an insecure delegation was made and approved.
> 
> Is there a problem with this scenario?

It requires alt to be a registry.  One of the point of this I-D is
to get a namespace that doesn't have a registry.

> > And a signed answer doesn't help unless the recursive server is
> > validating (so it can trust the NXDOMAIN) and has QNAME minimimistion
> > (to prevent *.alt leaking in the first place) and has agressive
> > negative caching (so the answer from the minimised QNAME query get
> > turned into a answer for *.alt).
> >
> > Now we can put QNAME minimisation into a server.
> > Now we can put the code to support agressive negative caching into a
> > server.
> > We can't force validation to be enabled.
> >
> > We need all three things for the privacy leakage to stop.  Any two
> > alone doesn't stop it.
> >
> 
> 
> There's something I don't understand.
> 
> In the case where the local namespace (in your email, that would be "alt",
> in my example above, that would be "foo.alt") is not configured, why does
> leaking matter? Obviously the real local use case is "won't work - broken
> config", and leaking is mostly moot.
> 
> In the case where the local namespace is instantiated, the queries won't
> leak to the root, so privacy is assured.
> 
> Are you saying that leakage when the local namespace is non-existent, is
> a/the issue?

Because when TPB go on a witch hunt for all users of xxxx.alt we
don't want the root servers operators to be able to return the
addresses.  It's not a matter of if, just when.  We have seen that
happen too many times.

> I don't agree, if that is what you are asserting.
> Queries for "rumplestiltskin.foo.alt" can't expect privacy, unless they are
> using a resolver specifically configured for "foo.alt".
> Note that defaulting to providing "empty.as112.arpa", and having the DNAME
> to "alt.empty.as112.arpa", would further actually accomplish privacy,
> without affecting the local instantiation of "foo.alt" via
> "foo.alt.empty.as112.arpa".

A DNAME doesn't give privacy.  You need QNAME minimisation with a
qtype of DNAME instead of NS.

> Brian
> 
> 
> >
> > The alternative is to do a insecure delegation and build in a default
> > empty zone for alt.  You then have to take steps to break the privacy
> > leak by disabling the empty zone.  Additionally it works with all
> > existing servers if they just add a empty .alt zone.  It doesn't
> > require validation to be enabled.
> >
> > It's the difference between defaulting private or not.
> >
> > Mark
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
> >
> 
> --001a113fece2d952b805482113d7
> Content-Type: text/html; charset=UTF-8
> Content-Transfer-Encoding: quoted-printable
> 
> <div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><div class=3D"gmail_quo=
> te">On Thu, Feb 9, 2017 at 2:48 PM, Mark Andrews <span dir=3D"ltr">&lt;<a h=
> ref=3D"mailto:marka@isc.org" target=3D"_blank">marka@isc.org</a>&gt;</span>=
>  wrote:<br><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;bor=
> der-left:1px #ccc solid;padding-left:1ex"><div class=3D"HOEnZb"><div class=
> =3D"h5"><br>
> In message &lt;<a href=3D"mailto:12D7473B-3A22-4A8D-9C13-2AEEDEABB879@fugue=
> .com">12D7473B-3A22-4A8D-9C13-<wbr>2AEEDEABB879@fugue.com</a>&gt;, Ted Lemo=
> n writes:<br>
> &gt;<br>
> &gt; On Feb 9, 2017, at 3:45 PM, Mark Andrews &lt;<a href=3D"mailto:marka@i=
> sc.org">marka@isc.org</a>&gt; wrote:<br>
> &gt; &gt; At the moment we have Ted saying that if you want privacy you MUS=
> T<br>
> &gt; &gt; also turn on DNSSEC validation and implement QNAME minimisation a=
> nd<br>
> &gt; &gt; implement agressive negative caching (still a I-D).<br>
> &gt;<br>
> &gt; No, I am _not_ saying that.=C2=A0 =C2=A0I am saying that an unsigned d=
> elegation<br>
> &gt; doesn&#39;t help with privacy unless you also specially configure your=
>  local<br>
> &gt; resolver, and if you are going to specially configure your local<br>
> &gt; resolver, then there are several options for how to do that.=C2=A0 =C2=
> =A0The only<br>
> &gt; reason you need DNSSEC is that if you specially configure your local<b=
> r>
> &gt; resolver to lie, then DNSSEC validation will break that.=C2=A0 =C2=A0I=
> f you aren&#39;t<br>
> &gt; doing DNSSEC validation, you can say any old thing in your local resol=
> ver<br>
> &gt; and the stub will believe it.<br>
> <br></div></div></blockquote><div><br></div><div>Suppose a signed delegatio=
> n for alt, to some widely operated, centrally managed servers (say, the arp=
> a servers).</div><div>Now suppose an unsigned delegation for some other nam=
> e under alt, such as &quot;foo.alt&quot;, to an empty zone on the same set =
> of servers.</div><div><br></div><div>The only difference here is where the =
> unsigned delegation is, and what the scope of that delegation is.</div><div=
> ><br></div><div>In this scenario, any local &quot;foo.alt&quot; can lie abo=
> ut the contents of &quot;foo.alt&quot;, because it is outside of the secure=
>  delegation chain from the root.</div><div><br></div><div>The only differen=
> ce is that the delegation is not directly from the root.</div><div><br></di=
> v><div>Any other name under &quot;alt&quot; would have its existence secure=
> ly denied, unless and until a request for an insecure delegation was made a=
> nd approved.</div><div><br></div><div>Is there a problem with this scenario=
> ?</div><div>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0=
>  0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class=3D"HOEnZb=
> "><div class=3D"h5">
> </div></div>And a signed answer doesn&#39;t help unless the recursive serve=
> r is<br>
> validating (so it can trust the NXDOMAIN) and has QNAME minimimistion<br>
> (to prevent *.alt leaking in the first place) and has agressive<br>
> negative caching (so the answer from the minimised QNAME query get<br>
> turned into a answer for *.alt).<br>
> <br>
> Now we can put QNAME minimisation into a server.<br>
> Now we can put the code to support agressive negative caching into a server=
> .<br>
> We can&#39;t force validation to be enabled.<br>
> <br>
> We need all three things for the privacy leakage to stop.=C2=A0 Any two<br>
> alone doesn&#39;t stop it.<br></blockquote><div><br></div><div><br></div><d=
> iv>There&#39;s something I don&#39;t understand.=C2=A0</div><div><br></div>=
> <div>In the case where the local namespace (in your email, that would be &q=
> uot;alt&quot;, in my example above, that would be &quot;foo.alt&quot;) is n=
> ot configured, why does leaking matter? Obviously the real local use case i=
> s &quot;won&#39;t work - broken config&quot;, and leaking is mostly moot.</=
> div><div><br></div><div>In the case where the local namespace is instantiat=
> ed, the queries won&#39;t leak to the root, so privacy is assured.</div><di=
> v><br></div><div>Are you saying that leakage when the local namespace is no=
> n-existent, is a/the issue?</div><div><br></div><div>I don&#39;t agree, if =
> that is what you are asserting.</div><div>Queries for &quot;rumplestiltskin=
> .foo.alt&quot; can&#39;t expect privacy, unless they are using a resolver s=
> pecifically configured for &quot;foo.alt&quot;.</div><div>Note that default=
> ing to providing &quot;empty.as112.arpa&quot;, and having the DNAME to &quo=
> t;alt.empty.as112.arpa&quot;, would further actually accomplish privacy, wi=
> thout affecting the local instantiation of &quot;foo.alt&quot; via &quot;fo=
> o.alt.empty.as112.arpa&quot;.</div><div><br></div><div>Brian</div><div>=C2=
> =A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;borde=
> r-left:1px #ccc solid;padding-left:1ex">
> <br>
> The alternative is to do a insecure delegation and build in a default<br>
> empty zone for alt.=C2=A0 You then have to take steps to break the privacy<=
> br>
> leak by disabling the empty zone.=C2=A0 Additionally it works with all<br>
> existing servers if they just add a empty .alt zone.=C2=A0 It doesn&#39;t<b=
> r>
> require validation to be enabled.<br>
> <br>
> It&#39;s the difference between defaulting private or not.<br>
> <span class=3D"HOEnZb"><font color=3D"#888888"><br>
> Mark<br>
> </font></span><div class=3D"HOEnZb"><div class=3D"h5">--<br>
> Mark Andrews, ISC<br>
> 1 Seymour St., Dundas Valley, NSW 2117, Australia<br>
> PHONE: <a href=3D"tel:%2B61%202%209871%204742" value=3D"+61298714742">+61 2=
>  9871 4742</a>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
> =A0INTERNET: <a href=3D"mailto:marka@isc.org">marka@isc.org</a><br>
> </div></div></blockquote></div><br></div></div>
> 
> --001a113fece2d952b805482113d7--
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email