Re: [Resolverless-dns] 103 Unofficial Side-meeting Notes
"Ralf Weber" <dns@fl1ger.de> Thu, 08 November 2018 07:53 UTC
Return-Path: <dns@fl1ger.de>
X-Original-To: resolverless-dns@ietfa.amsl.com
Delivered-To: resolverless-dns@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EE18130E34 for <resolverless-dns@ietfa.amsl.com>; Wed, 7 Nov 2018 23:53:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dzvlz1YxEono for <resolverless-dns@ietfa.amsl.com>; Wed, 7 Nov 2018 23:53:41 -0800 (PST)
Received: from smtp.guxx.net (smtp.guxx.net [IPv6:2a01:4f8:a0:322c::25:42]) by ietfa.amsl.com (Postfix) with ESMTP id AB4E6130E10 for <resolverless-dns@ietf.org>; Wed, 7 Nov 2018 23:53:41 -0800 (PST)
Received: by nyx.guxx.net (Postfix, from userid 107) id DB62A5F40221; Thu, 8 Nov 2018 08:53:40 +0100 (CET)
Received: from [172.19.152.185] (dhcp-8a4f.meeting.ietf.org [31.133.138.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by nyx.guxx.net (Postfix) with ESMTPSA id E09375F40221; Thu, 8 Nov 2018 08:53:37 +0100 (CET)
From: Ralf Weber <dns@fl1ger.de>
To: Justin Henck <henck=40google.com@dmarc.ietf.org>
Cc: resolverless-dns@ietf.org
Date: Thu, 08 Nov 2018 14:53:33 +0700
X-Mailer: MailMate (1.12.1r5552)
Message-ID: <8FADE530-60F2-4105-8F1D-EDAB1159D88F@fl1ger.de>
In-Reply-To: <CAN-AkJvigoBO=CsPfiM8GGnbgxAZ8bbJ20R9UWRENyRTTAuJ4Q@mail.gmail.com>
References: <CAN-AkJvigoBO=CsPfiM8GGnbgxAZ8bbJ20R9UWRENyRTTAuJ4Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/resolverless-dns/bENnlYS2yahr_Bi0L1TsbQCxUUY>
Subject: Re: [Resolverless-dns] 103 Unofficial Side-meeting Notes
X-BeenThere: resolverless-dns@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Resolverless DNS <resolverless-dns.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/resolverless-dns>, <mailto:resolverless-dns-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/resolverless-dns/>
List-Post: <mailto:resolverless-dns@ietf.org>
List-Help: <mailto:resolverless-dns-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/resolverless-dns>, <mailto:resolverless-dns-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Nov 2018 07:53:44 -0000
Moin! On 6 Nov 2018, at 21:42, Justin Henck wrote: > Hi all, > Thanks for attending the side-meeting today. Though there are clearly > some > issues to resolve, there were three specific proposals put forward > during > and after the meeting for pushing DNS records or similar information. > (Listed below in the order they were presented.) Since I'm a newcomer, > what > seems like a good goal for 104? > > Proposal 1: DNSSEC-signed: Any outbound link or resource from a site This has the problem that the information the http server has might be signed, but still could lead the user to a bad endpoint from a CDN perspective as the DNS query probably was done with the IP of the http server and not the client. Yeah I know there is ECS for this, but most authoritative servers only accept that when you are whitelisted. > Proposal 2: ??: CDN-local links or resources This is the only way that potentially could work, but even then you loose all the security properties your resolver normally provides you and it totally is possible for bad guys to serve traffic over a CDN. > Proposal 3: Within TLS: Any automatically loaded resource, perhaps in > the > HTML Seems similar to 2, maybe a bit wider, but still could be used to attack you. I think we have to recognise the case that an attacker controls the endpoint you connect to and can circumvent security measures you have in a your resolver which might be protection agains DNS rebinding (sneaking in a public name to point to your RFC1918) for homes and enterprises, or might start a phishing attack by sneaking in a IDN near identical name (goᴏgle.com. - look closely if you would have catched this real domain is xn--gogle-n29a.com. ) and then directing you there. In both cases your security properties possibly get worse when using resolver less DNS. So long -Ralf —-- Ralf Weber
- [Resolverless-dns] 103 Unofficial Side-meeting No… Justin Henck
- Re: [Resolverless-dns] 103 Unofficial Side-meetin… Ben Schwartz
- Re: [Resolverless-dns] 103 Unofficial Side-meetin… Dave Lawrence
- Re: [Resolverless-dns] 103 Unofficial Side-meetin… Ben Schwartz
- Re: [Resolverless-dns] 103 Unofficial Side-meetin… Dave Lawrence
- Re: [Resolverless-dns] 103 Unofficial Side-meetin… Ralf Weber