Re: (short version) Re: Last Call: <draft-faltstrom-uri-10.txt> (The Uniform Resource Identifier (URI) DNS Resource Record) to Proposed Standard

John C Klensin <john-ietf@jck.com> Fri, 06 March 2015 06:15 UTC

Return-Path: <john-ietf@jck.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0A0D1ACCE7 for <ietf@ietfa.amsl.com>; Thu, 5 Mar 2015 22:15:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.31
X-Spam-Level:
X-Spam-Status: No, score=-2.31 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wvpXtP0XS8Uv for <ietf@ietfa.amsl.com>; Thu, 5 Mar 2015 22:15:06 -0800 (PST)
Received: from bsa2.jck.com (bsa2.jck.com [70.88.254.51]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DCEC1ACCE1 for <ietf@ietf.org>; Thu, 5 Mar 2015 22:15:06 -0800 (PST)
Received: from [198.252.137.35] (helo=JcK-HP8200.jck.com) by bsa2.jck.com with esmtp (Exim 4.82 (FreeBSD)) (envelope-from <john-ietf@jck.com>) id 1YTlXE-000KEq-4o; Fri, 06 Mar 2015 01:14:56 -0500
Date: Fri, 06 Mar 2015 01:14:51 -0500
From: John C Klensin <john-ietf@jck.com>
To: =?UTF-8?Q?Patrik_F=C3=A4ltstr=C3=B6m?= <paf@frobbit.se>, Sam Hartman <hartmans-ietf@mit.edu>
Subject: Re: (short version) Re: Last Call: <draft-faltstrom-uri-10.txt> (The Uniform Resource Identifier (URI) DNS Resource Record) to Proposed Standard
Message-ID: <707B021F63C5C411E563AE4B@JcK-HP8200.jck.com>
In-Reply-To: <6FC72D10-6AF2-4F84-B1AC-27F5B7E632AC@frobbit.se>
References: <tsl8ufoh9ko.fsf@mit.edu> <2DF7230C-D1D8-4B21-9003-B336108A38CB@vpnc.org> <20150224172649.GX1260@mournblade.imrryr.org> <tslvbircj0d.fsf@mit.edu> <0325DF3F-17F3-4400-BDEA-EDB5334BF35C@frobbit.se> <20150225180227.GT1260@mournblade.imrryr.org> <7AB921D35A7F9B23A53BD11A@JcK-HP8200.jck.com> <tslvbip8io6.fsf@mit.edu> <54F09A35.9060506@qti.qualcomm.com> <54F78650.6070503@qti.qualcomm.com> <20150305064513.GH1260@mournblade.imrryr.org> <54F7FE09.3030200@cisco.com> <7111545C27DE9021135BE185@JcK-HP8200.jck.com> <tslegp3o0zn.fsf@mit.edu> <6FC72D10-6AF2-4F84-B1AC-27F5B7E632AC@frobbit.se>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
X-SA-Exim-Connect-IP: 198.252.137.35
X-SA-Exim-Mail-From: john-ietf@jck.com
X-SA-Exim-Scanned: No (on bsa2.jck.com); SAEximRunCond expanded to false
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/1sM7VJ_8LB_YOUu7nF4GE7Cz3wE>
X-Mailman-Approved-At: Fri, 06 Mar 2015 08:08:20 -0800
Cc: Phillip Hallam-Baker <phill@hallambaker.com>, ietf@ietf.org, Pete Resnick <presnick@qti.qualcomm.com>, Mark Nottingham <mnot@mnot.net>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Mar 2015 06:15:08 -0000


--On Thursday, March 05, 2015 20:01 +0100 Patrik Fältström
<paf@frobbit.se> wrote:

> What about something like this:
> 
> 7.  Security Considerations
> 
>    DNS is a protocol both running over UDP and TCP, it also
> explicitly    uses proxies, for clients in many cases

Given that the term "proxy" does not appear in either 1034 or
1035 and is sometimes use to refer to something that intercepts
and changes DNS responses (exactly what DNSSEC is suppose to
prevent) I think you should either choose a different term or
provide a definition or reference.  Certainly "explicitly uses
proxies" is incorrect without such qualification.

> configured using DHCP.  An    extension to DNS has been
> developed called DNSSEC that give the    ability for the
> receiver of a response to a DNS query to validate an
> electronic signature.  With a proper validation the content
> can be    trusted to a much higher degree.

See my prior whine about trust models.  I think you should be
talking about an integrity check (on consistency between what is
stored in the DNS and the query response) here and not hand-wave
about "validation" or degrees of trust.  DNSSEC can be said to
verify that the records received at an endpoint )or the last
validation point) are consistent with what is stored under the
name for which the query was actually issued.  If should not
enhance the trust that the name that the user intended actually
reached a server.  Even if one ignores deliberate phishing, as
you know better than most, trust assertions about whether what
the user intended and what a server sees get very tricky when,
e.g., something like UTR 46 modifies the labels being looked up
before IDNA or query processing.

> One description of
> a threat model    to DNS, including description of what
> threats DNSSEC is intended to    defend against can be found
> in RFC 3833 [RFC3833].
> 
>    If for example the URI resource record is not signed with
> the help of    DNSSEC and validated successfully, trusting the
> non-signed URI might    lead to a downgrade attack.

While this may be obvious to experts, the experts probably don't
need it.  For everyone else, you are probably missing a
statement about interception, changes to the query or URI, and a
system that won't respond as intended to STARTTLS or equivalent.
Note, in particular, that if one started out with:


  foo.example.com. IN URI 0 0  good.example.com.

and a query for that produced a response that contained
  foo.example.com. IN URI 0 0  evil.example.com.

That would clearly be a problem for DNSSEC but, if both of the
hosts designated by "good" and "evil" responded to STAETTLS by
opening TLS connections at desired degrees of security, there
would be no downgrade attack, "only" a MITM host diversion
attack.

>    What also can happen is that the URI in the resource record
> type has    errors in it.  Applications using the URI resource
> record type for    resolution should behave similarly as if
> the user typed (or copy and    pasted) the URI.  At least it
> must be clear to the user that the    error is not due to any
> error from his side.
 
>    One SHOULD NOT include userinfo (see User Information,
> Section 3.2.1,    in RFC 3986 [RFC3986]) in a URI that is used
> in a URI resource record    as DNS data must be viewed as
> publicly available information.

Generally, while I think you should warn that URI records may
cause some risks that do not exist with, e.g., conventional name
to address mappings (note that the "downgrade attack or not"
considerations above would apply equally well to:

  foo.example.com.  IN A 10.2.0.44
being diverted into a response of 
  foo.example.com.  IN A 10.0.0.6

(which would be, historically, a likely upgrade attack, but it
has nothing to do with URI records but is equally preventable by
an integrity check.))

As long as there is a warning, I really don't care very much
what you say, but whatever you do say should be as accurate as
possible.

   john