Re: [Doh] New version: draft-ietf-doh-resolver-associated-doh-03.txt
nusenu <nusenu-lists@riseup.net> Sun, 24 March 2019 09:46 UTC
Return-Path: <nusenu-lists@riseup.net>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id D4C1D127979
for <doh@ietfa.amsl.com>; Sun, 24 Mar 2019 02:46:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001,
URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key)
header.d=riseup.net
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id bmQcFYaHvgLk for <doh@ietfa.amsl.com>;
Sun, 24 Mar 2019 02:46:36 -0700 (PDT)
Received: from mx1.riseup.net (mx1.riseup.net [198.252.153.129])
(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id B4A7C12785F
for <doh@ietf.org>; Sun, 24 Mar 2019 02:46:36 -0700 (PDT)
Received: from capuchin.riseup.net (capuchin-pn.riseup.net [10.0.1.176])
(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
(Client CN "*.riseup.net",
Issuer "COMODO RSA Domain Validation Secure Server CA" (verified OK))
by mx1.riseup.net (Postfix) with ESMTPS id 2E2021A026D
for <doh@ietf.org>; Sun, 24 Mar 2019 02:46:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak;
t=1553420796; bh=q8RaY1HYbZZmpbuiQymqmZxMcoR2UvmPoJY3wBNQQNU=;
h=To:References:From:Subject:Date:In-Reply-To:From;
b=KQNHTpxw7VtzsZi9tnDk2o3DjUXct3vkyAloqh28kkTn7gk2Fa/v/BiuuGAFJqZx5
6IzkO4EUE+weZcgb4L/odySPmf0uzCPusUq2GIrhAwJn7KX5OtogBfy7arBYbTGOao
ZORv08RVXXR/zNd/LuFxxBWeSQGPgwsefIgqNNpQ=
X-Riseup-User-ID: C8FE24A327E2350F7A059D7B3CC8B1215BAC64F78A85C587005EFF8A182AB783
Received: from [127.0.0.1] (localhost [127.0.0.1])
by capuchin.riseup.net (Postfix) with ESMTPSA id 09B7812130B
for <doh@ietf.org>; Sun, 24 Mar 2019 02:46:34 -0700 (PDT)
To: doh@ietf.org
References: <155341529409.18062.10657099011172813446@ietfa.amsl.com>
<55AE7511-5BDF-4E96-84B3-BD0B6E6C6FE3@icann.org>
From: nusenu <nusenu-lists@riseup.net>
Openpgp: preference=signencrypt
Autocrypt: addr=nusenu-lists@riseup.net; prefer-encrypt=mutual; keydata=
xsFNBFj53gUBEADYKwT0pW1yiqt6UReZW8T2nXVCyeVT2G6z7AvW69afp82uthRH237pQ7Qs
5vq91DivN6fGN6cVksp0N9Yv+5HEQAwUxpLfcNDcGzmHMd0JMItEtozGv3a4FuiUoHAqeGXM
6Kzi3v5F2PZGF+U4QaGKEZq6u50gO/ZFy4GfC9z9tsO6Cm7s7KldVHMGx/a0MEGMwh6ZI9x2
hGXSSAKu58KRUkEpHzDiQTj+/j58ndNfZRQv6P5BLppHADRPqwEOm4RQcQYskyM0FdKXbJ8E
5GW268meflfv2BASsl3X/Xqxp+LNrstXIbFZ+38hVlQDDmdvaASpPTzIAxf8FxMYZqI+K1UE
kP5nU45q84KiZoXwT6YYJDKToLSDnYkKlsrCSnLkE3Nb/IexgNoYO4nE6lT9BDV3athQCWw1
FwB5idRYWnIqbVgUFgYZDUdZBJmeTEeI+Wn5hFz6HvFVc/+haMVTcoEKSkG/tsSGsKOc2mp6
z+71io9JWrVQGmw7OeZeE4TvkF9GhwS8jrKO4E0crfcT/zT6368PZCO6Wpir8+po/ZfOWbbh
1hi3MxmXn4Fki55Zrvhy3sf28U+H/nByQV4CssYv/xVhIZsN/wNQLcDLgVs4JTBUik8eQR0Y
Qrq9lG3ZVtbpEi7ZTJ6BOGIn2TKHsVIVGSQA0PdKpKYV45Lc4QARAQABzSBudXNlbnUgPG51
c2VudS1saXN0c0ByaXNldXAubmV0PsLBfQQTAQgAJwUCWPneBQIbAwUJBaOagAULCQgHAgYV
CAkKCwIEFgIDAQIeAQIXgAAKCRCtYTjCRc1Cfq/kD/sHx+mnL6OLwJvBj1rVTyoHJYJARajz
Go0yRlbrZSH6Z05OD3SDR9UVpWOZeY8JyFoTyCFQjAbIVjKifj0uSmi0j1iahrAgGGfik0cN
XUkCxrW6jcJQ37EbvYWu4PryqLuC7IeQW1wCcB1ioyGYKkm2K6LZ9rzZPVYSmPohJ+gVI0Jt
EdlNZl4JuZot9eA5w/22uvcStQHzXDsUxfqK8OAJpU8E3iBBdNpLPMDWpFz4g2yw5PD6jZ+K
Q39PYMUFULaKe4YCw1O+0MFhZJI4KEcRYHuVy1b3cJjxzgVfEyFctLDsO1sh07vBhoVKUi8W
e00pvGtv8QYxxMYIA3iACbsjGEr69GvvZ2pAnu9vT9OUCaES4riDCxbkMxK/Cbwk8F6mo0eq
HDQ7sOZWQv81ncdG9ovlA7Pj96cEXgdtbbllF1aUZ8sAmT14YjGzhArGv7kyJ1imH5tX3OXk
hBGA9JTk2mDNjEpFaTEajSvDiKyeEhWNTLm15siWkpg1124yjUkhQ3OCkw7aUDMiVn8+DQHo
J2pP/84uUvngbhm1jV7nk8mxTUFgppUePkb5hhnRRzeK72QY00EwRdn7qnpNgijMJ3Fpjfy2
EeCEl3nNdcB7U0F+0ijA6P/+DROldxNr4eiP50RvV8XiW/yi2IkKBk50GNB87yYnDETxxx/c
2i00AM7BTQRY+d4FARAAwJZ6U7UT8uB1WCfLK3AOR1Wa9bzOAghlTR4WXbHB4ajQKG7/Fzud
99bnwD0V3/AOVz/SbGDyHe+7HMvd1A0Ll4NgyH6OpxY7wOwCXAYTAbcXLpM7eKTjjsb9A9XG
3FcIGvjcy76OkaewqhiABaShlStEYcPkRusHZuecXtCnfCjJKihU/kinWpBO9gY6SrF2KFCw
aeS4r37brXQ9y8uy3gZ168QFuIa5AKfL0r5YN3k4StNSA2p5Z/pufWXMN3B03QC+3fireiz3
dinlHK6XjUW8oWSdNxJhexT/lUw+episNuWTQruy7PD+HeohYGXqjggmPUiWc171Sewb2f8H
CHViHMee8QXqo/LSRkYVrtsx0HUSMKsVQOma/u2By03ucroIkQJQQfqX3YpK1i3EpUO2L0/m
E8UpBvUm1vrst54EFym4tYNJTj9reVffFKh2cczmPVN5o8v3RrdTF96mGtcb9EJbGV4277ZE
LqUspviEBXynqU3yZ48JhIWHj22/ha6TeBpapYZDOJ8lePed8E34J/GYE2YXl65LhpXAKvWz
O3KiByGMysb9Li6zqZ9/BYQtg5CA6Q8Oo7pBxK4iiDH3GX2WvymmLoaOBpOaIYdvKr39fajE
mzfbg7TdZKXxqp2KDrbw7vUJLDyrmPWpxHyhKHItzoi1Y59wzYSq3h0AEQEAAcLBZQQYAQgA
DwUCWPneBQIbDAUJBaOagAAKCRCtYTjCRc1CfpfgEAC3tXZzhgKbF6fx5gMNDp/9MBpialvu
k69UaGL3HUqM0/ytiT4FjYUmOK2mk37iop46GivsOC50PykG9gjbg9/QKUqgsZzJ8LJ+ldY4
/GKtiP5JoO59Obj8MJJ5Ta8yPfZiiNx/I8ydqd18E4PmQUCPlEKhett81t3+8R/mGwG72TaA
hHwDjZAEjiXdnXh+z0AKpflCnYQafq0V73ofzuw4KovpJWMk/WPs5oSHhuV4TZ8nRkF6BR4y
rEvs1kq8Y6DuNqQGwY3yilpnmqfMzzlWo7MlY657domU54bhGOsvNuZZsFDlcBczQo6h9OKq
ckkVHUMAw38pX+EghzEfhYVWYmLNv5G9TA/M2s3frO3aN7ukNDq7CKIwfVz71/VfPaLQMY7/
jirzp9yIBZEi4E+PwP38FAGiD+nxzuUJv1rvxf6koqUGoHRvdppju2JLrC2nKW0La7RX7uZJ
esCVkamT/XaXPROBTrZZqwbIXh2uSMzgXkC2mE1dsBf2rdsJ4y73+0DYq7YE52OV9MNoCYLH
vpkapmD00svsP4sskRsrquPHkBBVCJa22lTaS8Oow9hGQe7BDjEhsVoPol889F0mbTRb3klv
mGQ6/B/HA0pGWR9wISY8a7D40/qz6eE6+Yg22mtN1T8FFlNbyVmtBj0R/2HfJYhGBElLPefH
jhF0TA==
Message-ID: <bb9404fb-e9e2-31d0-b647-a08ee6bdfc4a@riseup.net>
Date: Sun, 24 Mar 2019 09:46:00 +0000
MIME-Version: 1.0
In-Reply-To: <55AE7511-5BDF-4E96-84B3-BD0B6E6C6FE3@icann.org>
Content-Type: multipart/signed; micalg=pgp-sha512;
protocol="application/pgp-signature";
boundary="QNbX8wkdCyC8Q6639KpG4uvHNGrxgjIhb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/t6Y6dMnngS3N0fnMqw5_xsiwwJI>
Subject: Re: [Doh] New version: draft-ietf-doh-resolver-associated-doh-03.txt
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>,
<mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>,
<mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Mar 2019 09:46:39 -0000
Paul Hoffman wrote: > The diffs here are what I think have general agreement from the > discussion about this draft so far, but I may have missed things. > Comments are still quite welcome. Thanks for the update, I had a look at the diff: draft-ietf-doh-resolver-associated-doh-03.txt: > If DNS queries sent from stub resolvers to recursive resolvers are > not sent over transports that assure data integrity and server > authentication, the "DoH servers from DNS" and "Resolver addresses > from DNS" protocols are susceptible to on-path attackers directing a > user to a DoH server that is not actually associated with their > resolver. Do53 is not a secure transport, and neither is DoT using > the opportunistic profile. > > The DNS responses used in "DoH servers from DNS" and "Resolver > addresses from DNS" cannot be validated with DNSSEC [RFC4033], and > thus even a validating stub resolver would treat them the same as any > other DNS responses in unsigned zones. Thanks for adding this to the security section. Maybe also add a sentence about the downgrade attack weakness of the protocol? I'm wondering about the reasoning for not adding additional safeguards to reduce the window of opportunity for attackers exploiting the weaknesses in the DoH server discovery mechanism as suggested in [1]? > "If the DoH client has a DoH URI configured already, > it MUST NOT override the DoH URI learned through the discovery > mechanisms in this document." [...] > extend: > >> A client MUST re-issue the queries in "DoH Servers from DNS" and >> "Resolver Addresses from DNS" every time the configured resolver in >> the operating system changes > > with: > > or whenever the client's IP address changes > (even if the resolver does not change). [...] > "The mechanism in section 2 is the safest and MUST be attempted first." > > > You could also consider some downgrade attack protections where the attacker > simply blocks 443 to force the unauthenticated mechanism in section 3. > > Such a protection could be implemented via an additional field in the JSON file > by borrowing max-age from HSTS. > https://tools.ietf.org/html/rfc6797#section-6.1.1 kind regards, nusenu [1] https://mailarchive.ietf.org/arch/msg/doh/295yrI72xt0eSnYueiOuqVpSj4s -- https://twitter.com/nusenu_ https://mastodon.social/@nusenu
- [Doh] I-D Action: draft-ietf-doh-resolver-associa… internet-drafts
- [Doh] New version: draft-ietf-doh-resolver-associ… Paul Hoffman
- Re: [Doh] New version: draft-ietf-doh-resolver-as… Joseph Lorenzo Hall
- Re: [Doh] New version: draft-ietf-doh-resolver-as… nusenu
- Re: [Doh] [Ext] Re: New version: draft-ietf-doh-r… Paul Hoffman
- Re: [Doh] I-D Action: draft-ietf-doh-resolver-ass… Stephane Bortzmeyer
- Re: [Doh] [Ext] I-D Action: draft-ietf-doh-resolv… Paul Hoffman
- [Doh] Authentication in draft-ietf-doh-resolver-a… Paul Hoffman
- Re: [Doh] New version: draft-ietf-doh-resolver-as… Ralf Weber
- Re: [Doh] [Ext] New version: draft-ietf-doh-resol… Paul Hoffman
- Re: [Doh] [Ext] New version: draft-ietf-doh-resol… Ben Schwartz
- Re: [Doh] Authentication in draft-ietf-doh-resolv… Ben Schwartz
- Re: [Doh] [Ext] New version: draft-ietf-doh-resol… Paul Hoffman
- Re: [Doh] [Ext] Re: Authentication in draft-ietf-… Paul Hoffman
- Re: [Doh] Authentication in draft-ietf-doh-resolv… nusenu
- Re: [Doh] Authentication in draft-ietf-doh-resolv… tirumal reddy
- Re: [Doh] Authentication in draft-ietf-doh-resolv… Patrick McManus
- Re: [Doh] Authentication in draft-ietf-doh-resolv… tirumal reddy
- Re: [Doh] Authentication in draft-ietf-doh-resolv… Patrick McManus
- Re: [Doh] Authentication in draft-ietf-doh-resolv… tirumal reddy
- Re: [Doh] New version: draft-ietf-doh-resolver-as… Erik Nygren
- Re: [Doh] Authentication in draft-ietf-doh-resolv… Erik Nygren
- Re: [Doh] [EXTERNAL] Re: Authentication in draft-… Winfield, Alister
- Re: [Doh] Authentication in draft-ietf-doh-resolv… Martin Thomson
- Re: [Doh] Authentication in draft-ietf-doh-resolv… Ben Schwartz
- Re: [Doh] Authentication in draft-ietf-doh-resolv… nusenu
- Re: [Doh] Authentication in draft-ietf-doh-resolv… Martin Thomson
- Re: [Doh] Authentication in draft-ietf-doh-resolv… Thomas Peterson