Re: [Resolverless-dns] Paper on Resolver-less DNS

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 30 August 2019 05:30 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: resolverless-dns@ietfa.amsl.com
Delivered-To: resolverless-dns@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25F89120113 for <resolverless-dns@ietfa.amsl.com>; Thu, 29 Aug 2019 22:30:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r_B5rXuABUpH for <resolverless-dns@ietfa.amsl.com>; Thu, 29 Aug 2019 22:30:24 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4AB901200E3 for <resolverless-dns@ietf.org>; Thu, 29 Aug 2019 22:30:24 -0700 (PDT)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id 6D185725C1; Fri, 30 Aug 2019 01:30:23 -0400 (EDT)
Date: Fri, 30 Aug 2019 01:30:23 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: resolverless-dns@ietf.org
Message-ID: <20190830053023.GE90696@straasha.imrryr.org>
Reply-To: resolverless-dns@ietf.org
References: <a8d9398b-4fea-0a1e-3fa7-5954d001f9ea@informatik.uni-hamburg.de> <1405682425.665.1566561941610@appsuite-gw1.open-xchange.com> <220061a8-608c-0a87-4656-213c87979284@informatik.uni-hamburg.de> <849BE7D4-A07E-496B-B413-E1C979390DA8@osterweil.net> <b2b3e56a-c577-f08a-627a-f54e2e6fadb6@informatik.uni-hamburg.de> <f093a605-6e7d-0237-df5c-441d6789c66f@erik-sy.de> <54892F22-27E4-4444-9CC8-2D9E84A9668F@dukhovni.org> <4ec7dd1d-e914-0adb-4240-296f2f762b5f@informatik.uni-hamburg.de> <ADC6E119-0EED-4990-A975-F594C9282872@dukhovni.org> <64650d58-924f-c0f3-d181-614d59527477@informatik.uni-hamburg.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <64650d58-924f-c0f3-d181-614d59527477@informatik.uni-hamburg.de>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/resolverless-dns/4b2MeK2NKRT9nSdUEpejQ6jqqzY>
Subject: Re: [Resolverless-dns] Paper on Resolver-less DNS
X-BeenThere: resolverless-dns@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Resolverless DNS <resolverless-dns.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/resolverless-dns>, <mailto:resolverless-dns-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/resolverless-dns/>
List-Post: <mailto:resolverless-dns@ietf.org>
List-Help: <mailto:resolverless-dns-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/resolverless-dns>, <mailto:resolverless-dns-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Aug 2019 05:30:27 -0000

On Thu, Aug 29, 2019 at 11:28:13PM +0200, Erik Sy wrote:

> On 8/29/19 17:34, Viktor Dukhovni wrote:
> > Resolver-less DNS as proposed disregards long-standing defenses
> > against address forgery by third parties,
>
> Can you please explain this point?

IIRC the protocol allows any authenticated server (with Let's
Encrypt, that's everybody) to return "out-of-bailiwick" answers
(for any unrelated domain).

Yes, a client's designated resolver can also do that, but some
clients perform local DNSSEC validation, and in any case there's a
big difference between trusting name resolution to a set of dedicated
resolvers, vs. each and every server one happens to visit (by
clicking on a malicious link for example).

> >  breaks geo load-balancing,
>
> No, there are no new issues with geo load-balancing compared to using a
> public DNS resolver.

Well, the public DNS resolvers (which I do not use on my network)
typically pass an EDNS0 client-subnet option to the upstream
authoritative server.  I don't recall anything similar in the paper.

But if we're doing away with geo load-balancing, and moving to only
using anycast IPs to reduce latency, that's fine by me, there are
other more important problems.

> > breaks local filters that protect networks against known bad actors,
> > and IDS systems that detect compromised nodes.
>
> If you think there are any new issues compared to using a public DNS
> resolver, I would appreciate you explaining these points.

There are a lot more resolvers than the public DNS resolvers that
you seem to expect the whole world to be using.  The resolvers at
the office and on my home network are local, I don't use "public
DNS resolvers".

> > It introduce a new cache-poisoning channel, and surprising differences
> > between the IP addresses a browser might use to reach a site from cold
> > start vs. after visiting some unrelated site.
>
> Also traditional DNS resolvers are vulnerable to cache-poisoning attacks.

Not with DNSSEC validation, and modestly difficult off-path.  But
with this proposal, you get cache poisoing by design from any
off-path server the client happens to visit.

> > In the case of IPv6 it can be used to fingerprint and track clients by
> > giving them ephemeral client-specific addresses (in the server's /64
> > or broader prefix) for third-party servers, and then proxying their
> > connections (at layer 4) to the real server, while tracking the
> > client's access to each site.
>
> This tracking mechanism is also feasible using traditional DNS.

But not available to every off-path server I visit.  My resolver
does not do that.  Your proposal would delegate this ability
to every random server I visit.  That's a security fail.

> >> At least the given mechanism needs also to provide a significant
> >> security benefit. In my view, the additional benefit of DNSSEC+ DANE
> >> compared to Certificate Transparency + Strict Transport Security (HSTS
> >> or MTA-STS) is for the majority of server operators or users not relevant.
> > Let's not mix up HTTP and MTA-to-MTA SMTP.  In SMTP, DANE has significantly
> > broader deployment (protected domains) than MTA-STS.
>
> Please note that MTA-STS is still a very young protocol.

It is not getting much support from either Exim or Postfix, any
time soon it is mostly a cloud-provider <-> cloud-provider walled
garden.  If you like your mail centralized and mined for targetted
ads, use email from these providers and MTA-STS.

But again the issues with resolverless DNS (for web browsers) are
unrelated to DANE vs. MTA-STS for MTA-to-MTA SMTP, or even DANE for
the web.  DANE and PKIX are concerned with peer authentication, not
integrity of IP address records, and modulo traffic analysis provide
a secure channel even if layers 1 through 4 are compromised by the
attacker.

-- 
	Viktor.