IETF Logo Mail Archive

Re: DNS64, DANE and DPRIV

Phillip Hallam-Baker <phill@hallambaker.com> Mon, 08 December 2014 03:56 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 587971A1BB8 for <ietf@ietfa.amsl.com>; Sun, 7 Dec 2014 19:56:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fb4B3jtb304Z for <ietf@ietfa.amsl.com>; Sun, 7 Dec 2014 19:56:15 -0800 (PST)
Received: from mail-la0-x229.google.com (mail-la0-x229.google.com [IPv6:2a00:1450:4010:c03::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1BA881A1BB1 for <ietf@ietf.org>; Sun, 7 Dec 2014 19:56:15 -0800 (PST)
Received: by mail-la0-f41.google.com with SMTP id hv19so3317009lab.0 for <ietf@ietf.org>; Sun, 07 Dec 2014 19:56:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=5+Ib2TenDhOcYo9Jk2FiD8yokvX5EmxAhmX1TiQxcsQ=; b=qwSO4hwOHYkHVZxK5NISSw6sDgoc/xTRTWExR6S6zax+ATx3IP7s6Ymnv+PHNdTGV1 7ONlyMOFYU0q4U/p7ygcs3+AqyqGYWigMxNOEFXyT1xsTPBIiIBT2EC2GRCxpJFcWhkf gbm5tVtBUcvzjp8htIM94rCFxh+e8cZTz+3tt+LzWpoHf+avU/RyLju1AGr8D3bOn0ih 7PpLKS6Q0C1MUUSUe3riKSkADYIDz6N2VsS4gW/Ca7HvUP9hhbtR0NoQaY88nMQI9m9q fnQY7ne10wFzDKiAsutfxZr4XnHJY3JdZSd5/Zx2Re7SqQiKLQZUV7Ueuf0zfLcGmk7z lUiw==
MIME-Version: 1.0
X-Received: by 10.152.116.79 with SMTP id ju15mr14192850lab.84.1418010973545; Sun, 07 Dec 2014 19:56:13 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.19.42 with HTTP; Sun, 7 Dec 2014 19:56:13 -0800 (PST)
In-Reply-To: <30614.1417993457@sandelman.ca>
References: <CAMm+Lwj+KjTVka1M7O+tsp76C_OCGR0bWKH_k5UrZXSYZrF+GA@mail.gmail.com> <30614.1417993457@sandelman.ca>
Date: Sun, 07 Dec 2014 22:56:13 -0500
X-Google-Sender-Auth: qQRfdj07yGcKUDZUNCka-rjBhGU
Message-ID: <CAMm+Lwhgr5WOgn24i8nARHcVcmkPDR5_HxcD1W6eeqeqBqGdog@mail.gmail.com>
Subject: Re: DNS64, DANE and DPRIV
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Content-Type: multipart/alternative; boundary="001a11c34ec45daac60509ac6860"
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/x-mLBGYF5cv9AJW4jZnqSKKfCKY
Cc: IETF Discussion Mailing List <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Dec 2014 03:56:17 -0000

On Sun, Dec 7, 2014 at 6:04 PM, Michael Richardson <mcr+ietf@sandelman.ca>
wrote:

>
> Phillip Hallam-Baker <phill@hallambaker.com> wrote:
>     > The point of DNS64 is to provide a mechanism that makes it easy to
> turn on
>     > IPv6 today. All the client needs is a connection to a DNS router that
>     > supports DNS64.
>
> You worded that wrong.
> DNS64 lets people turn off IPv4 (and/or avoid NAT4*4).


Turn off or not have the code in the stack at all. Yep.

For a lot of embedded devices, I think this is the ideal. They don't really
need full Internet connectivity in any case. They might have a ten or
twenty year service life though so I care rather more that they are IPv6
capable than a desktop that might last seven years tops.




>
>     > Because of network circumstances a client using DNS64 is almost
> certainly
>     > going to need to use DPRIV for access simply because port 53 has been
>     > sabotaged so thoroughly. So we are going to have to trust the DPRIV
>     > resolver to level 1 at minimum
>
> That's an interesting observation: can you elaborate on the sabotage?
> I think I know, but I'd rather you were more clear about this.
>

There are two types of sabotage: Ignorance and malice.

Ignorance includes stupidity like chopping DNS messages to 512 (sometimes
500) bytes, filtering out unknown RRs and such. And the usual IETF approach
is to wait for people to learn better (hey we have been waiting 40 years...)

Malice is increasingly common though. Like when I found my ISP had
redirected ALL port 53 traffic through their own resolver so they could do
a sitefinder hack if NXT showed up. The DNS is a powerful control point,
people will make use of it unless it is properly secured.


You can't ignore or wish away malice when writing a security spec.

I have been arguing that DNSSEC requires a new client resolver protocol to
be practical for ten years now. And the need has only increased.




> I've wanted DNS64 to happen in the host, and given that a number of hosts
> had
> to be fixed to function in IPv6 only environments, a change to include
> DNS64
> would not be crazy in my opinion, and eliminates much of the end-to-end
> DNSSEC-breakage that DNS64 can imply.
>
> (or to put it another way: when you turn on end-host DNSSEC validation,
> and enable DPRIV, you had better provide DNS64 at the same time)
>

This bit isn't clear to me.

My main point is that if you are playing NAT64 games and example.com only
has an A record, then a DNSSEC signature on the A record is like a
chocolate teapot to an IPv6 only device.

Sure we could come up with some mechanism for describing the NAT64 mapping
so that the end host could read it. But where would the mapping come from,
who would sign that? Doing validation in the client does not actually
provide leverage here.


Perhaps what would help here is a trust calculus that would expose what the
assumptions are that a device is relying on. The problem with PKI is that
it is so easy to add a layer of indirection.

v2.23.0 | Report a Bug | By Email