Re: [Resolverless-dns] Paper on Resolver-less DNS
Ted Hardie <ted.ietf@gmail.com> Thu, 15 August 2019 21:03 UTC
Return-Path: <ted.ietf@gmail.com>
X-Original-To: resolverless-dns@ietfa.amsl.com
Delivered-To: resolverless-dns@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B2321200DB for <resolverless-dns@ietfa.amsl.com>; Thu, 15 Aug 2019 14:03:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uvNWeoVUfvLg for <resolverless-dns@ietfa.amsl.com>; Thu, 15 Aug 2019 14:03:45 -0700 (PDT)
Received: from mail-io1-xd36.google.com (mail-io1-xd36.google.com [IPv6:2607:f8b0:4864:20::d36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A831D1200C7 for <resolverless-dns@ietf.org>; Thu, 15 Aug 2019 14:03:45 -0700 (PDT)
Received: by mail-io1-xd36.google.com with SMTP id q22so1994166iog.4 for <resolverless-dns@ietf.org>; Thu, 15 Aug 2019 14:03:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=BpUHEE2wS40UjAyPqKpkfovX492JesU0uh1b0UPMdmE=; b=EzwvYefuaVkcCJMgekthbowemMlT3AUIgl8Kx/guWujtF9YLsGCueiIEMsy+M5Eo4z zzpt/iUCE09WnWkzznUxMyKpgeTlodT1hE0RvfEeIGiOiOlMh/kgJL/SNXyEbVpKld6R ZBsywvvn4Sgf2Zp4qQGZOF8kl8uvhIWlCbJCd2WzuFhBRj6qrlXcL1uw8Hk0SVFZw2Fh RrCTb/tB5cXaRZhZnzfEsLYIMRfVL9ytVWgueOg+/ybYv0Ogyp6lDNZBFdvgTedRujjG 23qWofIKyOwU7gWtqk6Qx0qQ/uFHwXMv3IBpef6HgPjVPijQgsRpAUPpOzR+iR2fxklI JpIw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=BpUHEE2wS40UjAyPqKpkfovX492JesU0uh1b0UPMdmE=; b=Q1JS+d3BkydUkxVdxTuBWHxdRrHPJXz0eZr+5T9sISCRgZPphOMdAdYisSE2e7f7Wy 082sW58s5NhzuQTz+tbWxdav2MliJ0dofbDolbGxstwSFzndtzfzztTiTCo2GZ6dTbxZ Yo5KVdDQTUI7FP+JYgHhijmhWXZf/IdeY0yCyjZM1p2/gPyFNzNfM+9ISVWHmxcO6TH6 7E28TP82p3WfebwWx3/37tg/SsJzZiKelMQTGVQvYviHFxLA1OUzrHyw31hM77YpmLN8 TkdqvT9ZzKGm8p1QbR8Dr/iS4IqSyB+KWyZwinMUCYiiZmU3Yg9ZzQ8VEGWTQPDqZJFt ETog==
X-Gm-Message-State: APjAAAWR78i5HJlvabNQ5sB6oR27FlOGcqCPssAAq3VWDuNSi4TdSOkK E512Xop0K5df+ilj6Vv0OjRbZlpop1dD9wfKMDo=
X-Google-Smtp-Source: APXvYqzyulwkhKrswstDGWkJOOnMO+SFpPOo7z6mZeSLprNS6RFUPt4cjwLiY+81o5yoVMDE7Hm/biuM0E3d0BYaCQw=
X-Received: by 2002:a05:6602:22ce:: with SMTP id e14mr7572778ioe.290.1565903024606; Thu, 15 Aug 2019 14:03:44 -0700 (PDT)
MIME-Version: 1.0
References: <CAHbrMsBhR1yaLxQk7wZk54Jdf5nvkS03KC3UTae0Famu2+SV8g@mail.gmail.com> <20190815163938.CF9CB85D108@ary.local> <CA+9kkMDtGt0hMPv1szjoLuHsO1h5wPrsY-5LkJdDU5FcVKFSkA@mail.gmail.com> <d32e9589-c9f7-593d-b0f6-0e842a461c43@informatik.uni-hamburg.de>
In-Reply-To: <d32e9589-c9f7-593d-b0f6-0e842a461c43@informatik.uni-hamburg.de>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Thu, 15 Aug 2019 14:03:17 -0700
Message-ID: <CA+9kkMCg3ohS4fLzR6DznFQEZnZkn3ZvAg995C-XpovMvb5NWw@mail.gmail.com>
To: sy@informatik.uni-hamburg.de
Cc: resolverless-dns@ietf.org
Content-Type: multipart/alternative; boundary="00000000000088dd0205902e35be"
Archived-At: <https://mailarchive.ietf.org/arch/msg/resolverless-dns/FzJMLvtI470A_Mg-gQ7JuFsVKQ4>
Subject: Re: [Resolverless-dns] Paper on Resolver-less DNS
X-BeenThere: resolverless-dns@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Resolverless DNS <resolverless-dns.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/resolverless-dns>, <mailto:resolverless-dns-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/resolverless-dns/>
List-Post: <mailto:resolverless-dns@ietf.org>
List-Help: <mailto:resolverless-dns-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/resolverless-dns>, <mailto:resolverless-dns-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Aug 2019 21:03:49 -0000
Hi Erik, Thanks for your reply. On Thu, Aug 15, 2019 at 1:25 PM Erik Sy <sy@informatik.uni-hamburg.de> wrote: > Hi Ted, > > On 8/15/19 19:57, Ted Hardie wrote: > > From my perspective, the push-based DNS record approach is most risky > > for this latter set of risks. The document currently says: > > > > First, clients are only allowed to send application data over an > > established connection ifthey validated the server’s identity via > > a server authentication mechanism or a fallback DNS lookup. Figure > > 2 presents the validation strategy applied by user agents on DNS > > records retrieved via resolver-less DNS > > > > > > I can't reproduce the diagram here, but my reading is that you can use > > this DNS data if you have cached TLS resumption ticket or equivalent; > > in that case, you can start the 0-RTT exchange knowing the other side > > will be able to see the application data only if they have the right > > cryptographic materials. This misses the risk that establishing a > > connection may leak private information*. > > The problem you are describing is not introduced by resolver-less DNS. A > traditional DNS resolver can conduct the exact same attack by > distributing fake DNS records and observe the client's connection > establishment. > > Agreed, but your proposal appears as written to allow any web server to try the attack, where it was formerly limited to a configured resolver. Unless I misunderstand the proposal, that a significant change in attack surface. > > It also create a new, fun dependency in the already confusing > > interaction of cache lifetimes. The DoH style method creates an > > interdependence between DNS TTL and HTTP cache lifetimes; this creates > > one with the ticket lifetime. > > I feel like you possibly misunderstood the validation strategy. I > proposed an opportunistic approach, where the client always attempts a > connection establishments towards the IP address retrieved via > resolver-less DNS. You're right, I misread it. I thought you were saying that the client should try only in the case where it had the TLS resumption ticket and should fall back *before attempting the resolution* otherwise. You may want to update the text pointing to Figure 2 or Figure 2 to make that clearer. > Subsequently, if the connection does not provide > server authentication, the client evaluates a fallback DNS record > retrieved via the traditional DNS. This seems to indicate that the attack I mentioned earlier is much easier to mount as both tracks in Figure 2 allow it. It also raises the risk that a client will receive a server authentication from a CA not intended by the domain owner (our friend the enterprise, an attacker, a government, etc.). We have some mitigations for that, but they are not complete. Unless you somehow limit the number of domains a web server can provide DNS records for in some way that approximately matches their own URL authority, this seems fairly risky to me. You can eliminate the risk for a DNSSEC validating application if the DNS records allow the validation to occur. But that is not, at least yet, common. regards, Ted Thus, I do not understand why an > interdependence with the ticket lifetime is created. > > > Erik > > > RFC 5077 says this: > > A client SHOULD delete the ticket and associated state when the time > expires. > > It MAY delete the ticket earlier based on local policy. A server MAY > > treat a ticket as valid for a shorter or longer period of time than > > what is stated in the ticket_lifetime_hint. > > If you know a server sets 0 or a long lifetime, in other words, you > > may be able to guess that a session ticket is available, but otherwise > > it is a crapshoot either for the benign DNS-record supplying host or > > an attacker. > > > > Given the large number of cases that will have to follow fallback DNS > > lookup for the authentication, I think this a useful building block > > only for very popular services (since they are likely to be in the > > cache). Given the other resources they have and the reputational risk > > of allowing random sites to provide DNS records related to them, I'm > > not yet sure that this is worth it. > > > > Ted > > > > *Imagine you are a government which wishes to detect when citizens use > > GRINDR, as you disapprove of same sex encounters. You can have > > government and affiliated sites push GRINDR DNS records using this > > method; when someone with a fresh TLS ticket for GRINDR tries to > > connect, you get their IP address and whatever other data leaked in > > the exchange. You can limit this risk in various ways (e.g. by > > requiring the presented TLS certificate of the DNS-record supplying > > host have the domain in its list of alternative names), but this > > limits the effectiveness of this method and also runs the risk that > > governments may have root certificates that can generate those. > > > > > > > > -- > Resolverless-dns mailing list > Resolverless-dns@ietf.org > https://www.ietf.org/mailman/listinfo/resolverless-dns >
- [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ben Schwartz
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS John Levine
- Re: [Resolverless-dns] Paper on Resolver-less DNS Joe Abley
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Hardie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS John R Levine
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Eric Orth
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Hardie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Fred Baker
- Re: [Resolverless-dns] Paper on Resolver-less DNS Joe Abley
- Re: [Resolverless-dns] Paper on Resolver-less DNS John R Levine
- Re: [Resolverless-dns] Paper on Resolver-less DNS John Levine
- Re: [Resolverless-dns] Paper on Resolver-less DNS Eric Orth
- Re: [Resolverless-dns] Paper on Resolver-less DNS John Levine
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
- Re: [Resolverless-dns] Paper on Resolver-less DNS Vittorio Bertola
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Steffen Nurpmeso
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Hardie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Hardie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Anne Bennett
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Steffen Nurpmeso
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ralf Weber
- Re: [Resolverless-dns] Paper on Resolver-less DNS John Levine
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Anne Bennett
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Hardie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Eric Orth
- Re: [Resolverless-dns] Paper on Resolver-less DNS John Levine
- Re: [Resolverless-dns] Paper on Resolver-less DNS John Levine
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ralf Weber
- Re: [Resolverless-dns] Paper on Resolver-less DNS Anne Bennett
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ralf Weber
- Re: [Resolverless-dns] Paper on Resolver-less DNS Vittorio Bertola
- Re: [Resolverless-dns] Paper on Resolver-less DNS Vittorio Bertola
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Vittorio Bertola
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Vittorio Bertola
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Eric Osterweil
- Re: [Resolverless-dns] Paper on Resolver-less DNS Eric Osterweil
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Eric Osterweil
- Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
- Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
- Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
- Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Ted Lemon
- Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Joe Abley
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie
- Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
- Re: [Resolverless-dns] Paper on Resolver-less DNS Eric Osterweil
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Joe Abley
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
- Re: [Resolverless-dns] Paper on Resolver-less DNS Joe Abley
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
- Re: [Resolverless-dns] Paper on Resolver-less DNS Bob Harold
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
- Re: [Resolverless-dns] Paper on Resolver-less DNS Erik Sy
- Re: [Resolverless-dns] Paper on Resolver-less DNS Viktor Dukhovni
- Re: [Resolverless-dns] Paper on Resolver-less DNS Paul Vixie