Re: Quic: the elephant in the room

Nico Williams <> Sat, 10 April 2021 17:57 UTC

Date: Sat, 10 Apr 2021 12:57:13 -0500
From: Nico Williams <>
To: Ben Laurie <>
Cc: Michael Thomas <>, Phillip Hallam-Baker <>, IETF Discussion Mailing List <>
Subject: Re: Quic: the elephant in the room
Message-ID: <20210410175712.GF9612@localhost>
References: <> <> <> <>
In-Reply-To: <>
List-Id: IETF-Discussion <>

On Sat, Apr 10, 2021 at 10:29:42AM +0100, Ben Laurie wrote:
> When I was designing Certificate Transparency, Chrome ruled out any side
> channel communications requirement during handshake. Given that DNS is
> required anyway, perhaps this would be different. However, the other
> problem is introducing DNS as a trust root - the DNS hierarchy is
> considerably less secure than CAs were even before CT but now it's really a
> very poor option in comparison.

I disagree with that last sentence.

First, having a PKI with hard naming constraints and a single root
(though with alternatives supported) is considerably better than WebPKI,
which has neither of those.  This alone is not enough because resolvers
generally send the full qname to every DNS server on the resolution
path, so . and ccTLDs get a chance to impersonate if they want to, but...

...second, using qname minimization makes it very difficult for root
zone or ccTLD operators to mount impersonation attacks because they
can't know the full qname, so if they want to impersonate, they have to
impersonate all qnames you end up asking for, not just the one target.
It can be done, of course.  I imagine something like a stingray device
that is preloaded with .'s signing keys and so can MITM everything,
though that would be an enormous risk to the device's operators.

I expect an objection about how many round trips qname minimization
adds.  Though if you're not hitting caches then you have those extra
round trips anyways, and recursive caching resolvers should get the full
qname, so maybe qname minimization is not a performance disaster.

> Could be fixed with DNS Transparency, of course.

Well, yes, that could and should be done.
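An added illustration of the resolver behaviour discussed above (this is not code from the message or from any DNS implementation): a toy model of which query name each authoritative server on the resolution path receives, with and without QNAME minimisation (RFC 7816). The delegation tree, the domain names and the one-label-per-hop stepping are constructed assumptions for the example; real resolvers cache, may step several labels at a time and use NS-type probes, so the hop count here is only the cold-cache case the message refers to.

```python
"""
Toy model of resolver-to-authoritative queries with and without QNAME
minimisation. All names and zone cuts below are constructed for the
example; no network traffic is generated.
"""
from typing import List, Tuple

# Constructed delegation chain for the example, root-most zone first.
# In the real DNS the resolver discovers these cuts as it goes.
DELEGATIONS = [".", "uk.", "co.uk.", "example.co.uk."]
TARGET = "www.example.co.uk."


def split_labels(qname: str) -> List[str]:
    """'www.example.co.uk.' -> ['www', 'example', 'co', 'uk'] (root label omitted)."""
    return [label for label in qname.rstrip(".").split(".") if label]


def query_path(qname: str, minimize: bool,
               delegations: List[str] = DELEGATIONS) -> List[Tuple[str, str]]:
    """Return one (zone_asked, qname_sent) pair per hop down the delegation chain.

    Without minimisation the full qname goes to every server (what the
    message describes as the usual resolver behaviour). With minimisation the
    resolver asks each zone only for the name one label below that zone's
    apex, so the root learns 'uk.', the uk. servers learn 'co.uk.', and so on.
    """
    labels = split_labels(qname)
    hops = []
    for zone in delegations:
        if not minimize:
            sent = qname
        else:
            depth = len(split_labels(zone)) + 1      # one label below the apex
            if depth >= len(labels):
                sent = qname                          # reached the owner zone
            else:
                sent = ".".join(labels[-depth:]) + "."
        hops.append((zone, sent))
    return hops


def labels_learned_by(zone: str, qname: str, minimize: bool,
                      delegations: List[str] = DELEGATIONS) -> int:
    """How many labels of the target name the given zone's servers get to see."""
    for asked_zone, sent in query_path(qname, minimize, delegations):
        if asked_zone == zone:
            return len(split_labels(sent))
    raise ValueError(f"{zone} is not on the delegation path")


def round_trips(qname: str, minimize: bool,
                delegations: List[str] = DELEGATIONS) -> int:
    """Cold-cache hop count; identical either way in this one-label-per-hop model."""
    return len(query_path(qname, minimize, delegations))


if __name__ == "__main__":
    for minimize in (False, True):
        print(f"qname minimisation: {minimize}")
        for zone, sent in query_path(TARGET, minimize):
            print(f"  ask {zone:18s} for {sent}")
        print(f"  root sees {labels_learned_by('.', TARGET, minimize)} label(s) of the target")
```

The model makes the message's two points concrete: with minimisation the root and ccTLD servers never see the full target name, so a rogue operator at that level could only impersonate by answering for every name under the labels it does see, and on a cold cache the hop count is the same in both modes, since each delegation has to be followed regardless.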