IETF Logo Mail Archive

Re: [DNSOP] Privacy and DNSSEC

Mark Andrews <marka@isc.org> Tue, 28 April 2020 05:48 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73A943A0AFE for <dnsop@ietfa.amsl.com>; Mon, 27 Apr 2020 22:48:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uEY17CcrtDYz for <dnsop@ietfa.amsl.com>; Mon, 27 Apr 2020 22:48:19 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C567E3A0AEB for <dnsop@ietf.org>; Mon, 27 Apr 2020 22:48:19 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id A3DD33AB000; Tue, 28 Apr 2020 05:48:18 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 91678160056; Tue, 28 Apr 2020 05:48:18 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 779D116005B; Tue, 28 Apr 2020 05:48:18 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id NweMjaWcB1GD; Tue, 28 Apr 2020 05:48:18 +0000 (UTC)
Received: from [172.30.42.69] (unknown [49.2.228.79]) by zmx1.isc.org (Postfix) with ESMTPSA id CF12E160056; Tue, 28 Apr 2020 05:48:17 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.5\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <18685549.zqRq8fnmLB@linux-9daj>
Date: Tue, 28 Apr 2020 15:48:13 +1000
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <BD9397FD-4A38-44AE-86CA-68161F122E6B@isc.org>
References: <CAHPuVdV9eSCLQOqMF0cq8fHcuSZs7nCgjhHMfMoaV5H=ekbtSA@mail.gmail.com> <2119709.gsHikbp680@linux-9daj> <CAHPuVdX6EdJEB3k_QXHBPi5Yc+TLkV6T7__sFzocJnyHk0_cRQ@mail.gmail.com> <18685549.zqRq8fnmLB@linux-9daj>
To: Paul Vixie <paul@redbarn.org>
X-Mailer: Apple Mail (2.3445.9.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/y9UrLPrcO2WtizvHzJQS8guzgWk>
Subject: Re: [DNSOP] Privacy and DNSSEC
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Apr 2020 05:48:22 -0000


> On 28 Apr 2020, at 14:06, Paul Vixie <paul@redbarn.org> wrote:
> 
> On Tuesday, 28 April 2020 01:02:27 UTC Shumon Huque wrote:
>> On Sat, Apr 25, 2020 at 2:57 AM Paul Vixie <paul@redbarn.org> wrote:
>>> ...
>> 
>> The DNSSEC specs have always contemplated validating stub resolvers.
>> I think the Kaminsky cache poisoning scare inadvertently focussed our
>> efforts on solving the DNSSEC-to-RDNS problem to the exclusion of other
>> more complete possibilities.
> 
> stub resolvers were thrown overboard in order to get DS working.

More correctly there isn’t protocol work to do to get stub resolvers and
DNSSEC working.  It just requires vendors to *implement* DNSSEC in the stub
resolver or even in the application.  You can take a BIND 4 resolver library
and get DNSSEC working on top of it.

>> There has certainly been work on validating stubs on the margin though:
>> getdns, stubby, etc, but those are only used by a small minority of tech
>> savvy users (as far as I'm aware).
> 
> as long as the configured RDNS is DS-aware, yes. if the RDNS is older than 
> that, and if there's a firewall preventing the stub from talking directly to 
> authorities, there's no way for a stub to learn the DS part of the signature 
> chain. so, a stub resolver needs a completely modern RDNS to work. this has 
> not scaled, and won’t.

The RDNS needs to be DNSSEC aware as you can’t get RRSIGs that match the answer,
NSEC, or NSEC3 records without that, much the same as you can’t point a validating
recursive server at a non-validating forwarder and have DNSSEC work reliably.

>> The one significant impediment cited for validating stubs is the middlebox
>> last mile problem. Here again, there has been attempted work, e.g. the
>> TLS DNSSEC chain extension for TLS enabled applications. And DNS
>> over TLS/HTTPS could prove to be an enabler for validating stub resolvers
>> to obtain a clean, unmolested path to an upstream recursive service.
> 
> i agree that if we change most of the rules, we can get a different outcome.
> 
> -- 
> Paul
> 
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email