Re: [dnsext] draft-mohan-dns-query-xml-00.txt
Nicholas Weaver <nweaver@ICSI.Berkeley.EDU> Thu, 29 September 2011 00:37 UTC
From: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
In-Reply-To: <CACU5sDkmovsrEup9=PzTa7edgA9Z_jQvSEF07JM7mwOAs_mYbg@mail.gmail.com>
Date: Wed, 28 Sep 2011 17:40:11 -0700
Message-Id: <9127D76F-53FC-4F69-B0E7-5328CFFF6871@ICSI.Berkeley.EDU>
References: <CACU5sDnBx5AijEgFXKNPjtcVdtBnBJamsn-f_ye0Jm3TQq0mvw@mail.gmail.com>
<alpine.LFD.1.10.1109281525430.25654@newtla.xelerance.com>
<CACU5sDk-2NeWgp-MBt1O0=MoP1mnH5UgWY1PuYK_YyJTpJ256Q@mail.gmail.com>
<71422E92-1832-4703-98F4-62FB839A5235@icsi.berkeley.edu>
<CACU5sDkmovsrEup9=PzTa7edgA9Z_jQvSEF07JM7mwOAs_mYbg@mail.gmail.com>
To: Mohan Parthasarathy <suruti94@gmail.com>
Cc: Paul Vixie <vixie@isc.org>, dnsext@ietf.org
Subject: Re: [dnsext] draft-mohan-dns-query-xml-00.txt

On Sep 28, 2011, at 4:48 PM, Mohan Parthasarathy wrote:

> On Wed, Sep 28, 2011 at 2:16 PM, Nicholas Weaver
> <nweaver@icsi.berkeley.edu> wrote:
>>
>> On Sep 28, 2011, at 2:07 PM, Mohan Parthasarathy wrote:
>>> If I want to be able to run both my web service and DNS service from
>>> the same address, then I can't just run DNS alone over 80/443.
>>
>> Have you looked at just running normal DNS recursively from the end host, including failover to TCP when things are obviously breaking?
>>
>> We don't have ALL the information yet (our test is not comprehensive enough), but most systems CAN do direct fetches on UDP or TCP if they must: non-functioning recursive resolvers should not be a problem for DNSSEC validation.
>>
>
> I am not sure I understand the question. If you are dependent on a
> recursive server to fetch the DNSSEC records, then that server needs
> to be DNSSEC aware. If you are operating in iterative mode fetching it
> yourself, then it does not work in environments where firewalls
> normally prohibit talking to external name servers. Which one are you
> talking about? We had a lengthy discussion about the various options
> in the dnssec-deployment group recently.

Don't be dependent on the recursive server. Just fetch it thyself iteratively, starting with the root, and be done with it.

There are cases where this fails, but the cases are far rarer than you think, especially when using TCP as well as UDP, and FAR FAR less common than the broken proxies clients are configured to use as recursive resolvers.

>> In fact, for the purposes of A records, etc, just the recursive request from the end host is enough to be "close enough" to the security effect you would get from full DNSSEC validation. (DANE or the like, where DNSSEC is used to validate key material not host->IP mappings, requires end-host validation)
>>
>>
>
> Why do you assume that the draft is not applicable for DANE use case?

Actually, it's that the draft is ONLY applicable for the DANE use case or other cases where DNSSEC is used to distribute cryptographic material... Given you are doing a direct fetch, starting with the root and bypassing the recursive resolver.

In this case, validating DNSSEC for A-records and the like does not matter at all, because almost all adversaries who are in a position to modify the DNS reply you receive can also instead modify the protocol which USES the A record. And the final protocol either resists a MITM (in which case, DNSSEC validation of A records doesn't matter because modifying the DNS reply doesn't help the adversary) or is vulnerable to a MITM (in which case, DNSSEC validation of A records doesn't matter because the adversary could just MITM the final application protocol).

In fact, this is my proposed policy for client validation FAILURE using existing, non-DNSSEC aware APIs: IF DNSSEC validation fails, bypass the recursive resolver, do a direct iterative fetch, and accept whatever you get without question, since most DNSSEC validation failures will be errors, not attacks.

I also agree with the observation from Paul Hoffman that XML is way too heavyweight and that JSON is the way to go for serializing arbitrary blobs of data over HTTP.
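The client-side policy argued for in the message above (trust the configured recursive resolver until validation fails or it breaks, then bypass it with an iterative fetch starting at the root, retrying over TCP when UDP times out or truncates, and treating DANE key material differently from address records), as an added example that is not code from the thread, from the draft, or from any real resolver. Everything in it is constructed: the server names, the addresses and records, and the UDP quirks are placeholders, no packets are sent, and refusing unvalidated TLSA data is this example's reading of the "DANE requires end-host validation" remark rather than a rule the message states.

```python
"""Toy model of a stub-resolver fallback policy. Added example; nothing here is
from the thread or the draft, and all names, addresses and records are made up."""
from dataclasses import dataclass
from enum import Enum


class Validation(Enum):
    SECURE = "secure"      # chain validated from the trust anchor
    INSECURE = "insecure"  # unsigned, or fetched without validating
    BOGUS = "bogus"        # validation attempted and failed


@dataclass
class Answer:
    rrset: list
    validation: Validation
    source: str  # "recursive" or "iterative"


class ResolverBroken(Exception):
    """The resolver path returned nothing usable."""


class ValidationRequired(Exception):
    """Unvalidated data is not acceptable for this record type."""


class Truncated(Exception):
    """UDP reply had TC=1: the answer did not fit."""


class Timeout(Exception):
    """UDP query went unanswered (a filtering middlebox, say)."""


# Assumption of this example: only TLSA is treated as key material that
# must not be accepted without end-host validation.
KEY_MATERIAL_TYPES = {"TLSA"}

# Constructed delegation tree: each "server" delegates child zones and is
# authoritative for a few records. Addresses are intentionally absent.
TOY_AUTH = {
    "root-ns": {"delegations": {"com.": "com-ns"}, "records": {}},
    "com-ns": {"delegations": {"example.com.": "example-ns"}, "records": {}},
    "example-ns": {
        "delegations": {},
        "records": {
            ("www.example.com.", "A"): ["192.0.2.10"],
            ("_443._tcp.www.example.com.", "TLSA"): ["3 1 1 PLACEHOLDER-HASH"],
        },
    },
}

# Constructed transport quirks: com-ns drops UDP entirely, example-ns
# truncates UDP replies for TLSA. Both should force the TCP retry.
UDP_DROPS = {"com-ns"}
UDP_TRUNCATES = {("example-ns", "TLSA")}


def send_query(server, qname, qtype, transport):
    """Simulated wire exchange: ("answer", rrset) or ("referral", next_server)."""
    if transport == "udp":
        if server in UDP_DROPS:
            raise Timeout(server)
        if (server, qtype) in UDP_TRUNCATES:
            raise Truncated(server)
    zone = TOY_AUTH[server]
    if (qname, qtype) in zone["records"]:
        return "answer", zone["records"][(qname, qtype)]
    # Longest-matching delegation, as an authoritative server's referral.
    for child in sorted(zone["delegations"], key=len, reverse=True):
        if qname == child or qname.endswith("." + child):
            return "referral", zone["delegations"][child]
    return "answer", []  # NODATA: the name is ours, the type is not


def iterative_fetch(qname, qtype, start="root-ns", max_hops=8):
    """Walk the delegation chain from the root; fall back to TCP when UDP fails.
    Returns (rrset, trail) where trail records (server, transport) per hop."""
    server, trail = start, []
    for _ in range(max_hops):
        for transport in ("udp", "tcp"):
            try:
                kind, payload = send_query(server, qname, qtype, transport)
                trail.append((server, transport))
                break
            except (Timeout, Truncated):
                continue  # retry the same server over TCP
        else:
            raise ResolverBroken(f"{server} unreachable over UDP and TCP")
        if kind == "answer":
            return payload, trail
        server = payload
    raise ResolverBroken("referral chain too long")


def resolve(qname, qtype, recursive):
    """Use the recursive resolver unless its answer is bogus or it is broken;
    then bypass it with a direct iterative fetch and accept the result for
    address-type data. Key material is never accepted unvalidated."""
    try:
        ans = recursive(qname, qtype)
        if ans.validation is not Validation.BOGUS:
            return ans
    except ResolverBroken:
        pass
    rrset, _trail = iterative_fetch(qname, qtype)
    if qtype in KEY_MATERIAL_TYPES:
        raise ValidationRequired(f"{qtype} for {qname} could not be validated")
    return Answer(rrset, Validation.INSECURE, "iterative")


def bogus_recursive(qname, qtype):
    """Constructed stand-in for a resolver whose replies fail validation."""
    return Answer(["203.0.113.99"], Validation.BOGUS, "recursive")


def healthy_recursive(qname, qtype):
    """Constructed stand-in for a validating resolver that works."""
    return Answer(["192.0.2.10"], Validation.SECURE, "recursive")


if __name__ == "__main__":
    print(resolve("www.example.com.", "A", healthy_recursive))
    print(resolve("www.example.com.", "A", bogus_recursive))
    print(iterative_fetch("_443._tcp.www.example.com.", "TLSA"))
```

The trail returned by `iterative_fetch` is the part worth watching in practice: it shows which hops needed TCP, which is the signal the message relies on when it says direct fetches work "especially when using TCP as well as UDP". The `ValidationRequired` branch is where a DANE-aware client must diverge from the "accept whatever you get" policy for plain address records.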