IETF Logo Mail Archive

Re: [DNSOP] Call for Adoption: draft-wkumari-dnsop-extended-error

Evan Hunt <each@isc.org> Mon, 31 July 2017 17:11 UTC

Return-Path: <each@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0C421326D7 for <dnsop@ietfa.amsl.com>; Mon, 31 Jul 2017 10:11:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y3iHGKS2VHdq for <dnsop@ietfa.amsl.com>; Mon, 31 Jul 2017 10:11:09 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9BFC31326D6 for <dnsop@ietf.org>; Mon, 31 Jul 2017 10:11:09 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 797403498BD; Mon, 31 Jul 2017 17:11:07 +0000 (UTC)
Received: by bikeshed.isc.org (Postfix, from userid 10292) id 6CBD7216C1E; Mon, 31 Jul 2017 17:11:07 +0000 (UTC)
Date: Mon, 31 Jul 2017 17:11:07 +0000
From: Evan Hunt <each@isc.org>
To: Paul Wouters <paul@nohats.ca>
Cc: Joe Abley <jabley@hopcount.ca>, Shane Kerr <shane@time-travellers.org>, dnsop@ietf.org
Message-ID: <20170731171107.GA42492@isc.org>
References: <CADyWQ+Ffu8JOn6co184PC-Uvv4G1qYU3d0ZchupRJEDDmfYKaw@mail.gmail.com> <CAJE_bqf7R7ZW5ixcZdOcaHDso+C5QbtGbz+Z1mOs+p9_C2_cAg@mail.gmail.com> <alpine.LRH.2.21.1707290851010.26738@bofh.nohats.ca> <53F8E12A-85F9-44F1-9CA5-F546244832D0@time-travellers.org> <8506D4D8-E31B-4AEB-AC7E-4C89EAEEA9DC@hopcount.ca> <20170730074253.GA33522@isc.org> <alpine.LRH.2.21.1707310953260.21291@bofh.nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <alpine.LRH.2.21.1707310953260.21291@bofh.nohats.ca>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/zgbZshPtyfK2_v3U4QwTYEDnxUs>
Subject: Re: [DNSOP] Call for Adoption: draft-wkumari-dnsop-extended-error
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Jul 2017 17:11:11 -0000

On Mon, Jul 31, 2017 at 09:57:11AM -0400, Paul Wouters wrote:
> But we know people are already building software and systems that DO
> trust the AD bit, even with non-localhost resolv.conf entries. This
> saves them the overhead of adding a dnssec library to their application,
> and saves them from running a system resolving understanding dnssec.

Are there applications specifically trusting AD=1 and behaving differently
than with AD=0?  Or are they just ignoring it and trusting every answer
equally?  I would have expected the latter, but I confess to being
surprised if there are people going out of their way to implement "DNSSEC
validation" by just buying whatever magic beans some dude in the forest
has for sale.

> > Some of the error codes might be trustworthy enough if you're using COOKIE
> > or TCP; that would enusre at least that it wasn't an off-path forgery.
> 
> That's a very small use case with pervasive monitoring and
> coffeeshop and hotel wifi.

In case I wasn't clear, I'm suggesting that TCP and COOKIE would be
adequate protection for any error code where the worst case scenario is
no worse than what any MITM can do. If you've already got control of the
channel, then I can't see how sending the client "Prohibited" or "Lame"
messages gives you any more of an advantage than you already had.  However,
any response that says anything about DNSSEC validity should be presumed
guilty until proven innocent.

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.

v2.23.0 | Report a Bug | By Email