Re: [Resolverless-dns] Paper on Resolver-less DNS

Ted Lemon <mellon@fugue.com> Fri, 16 August 2019 14:39 UTC

From: Ted Lemon <mellon@fugue.com>
Date: Fri, 16 Aug 2019 10:39:52 -0400
Message-Id: <1E5934E0-3A30-436F-B127-75F985DEFFF9@fugue.com>
References: <67d6cd75-ca8d-06cf-dd7a-b52d1416ab3f@informatik.uni-hamburg.de>
Cc: resolverless-dns@ietf.org
In-Reply-To: <67d6cd75-ca8d-06cf-dd7a-b52d1416ab3f@informatik.uni-hamburg.de>
To: sy@informatik.uni-hamburg.de
Archived-At: <https://mailarchive.ietf.org/arch/msg/resolverless-dns/egKUf5SzGL5-26N72E4orUEA1jA>
Subject: Re: [Resolverless-dns] Paper on Resolver-less DNS

Both of those papers talk about incompetence of operation, not about technical weaknesses. Competently operated DNSSEC will not have the problems these two papers describe. Are you aware of any technical problem with using TLSA to prevent PKI attacks, or is this just FUD?

Sent from my iPhone

> On Aug 16, 2019, at 09:36, Erik Sy <sy@informatik.uni-hamburg.de> wrote:
> 
> 
>> On 8/16/19 14:46, Ted Lemon wrote:
>>> On Aug 16, 2019, at 03:28, Erik Sy <sy@informatik.uni-hamburg.de> wrote:
>>> I think attacks assuming a broken PKI cannot be
>>> effectively mitigated by DNS.
>> DNSSEC +TLSA doesn’t work?
> Looking at the deployment issues of DNSSEC [1] and TLSA [2], I think
> DNSSEC+TLSA do not solve the broken PKI problem on the web. Furthermore,
> I'm not aware of any user agent enforcing a strict validation of
> DNSSEC+TLSA, which would be necessary to mitigate the described attacks.
> 
> 1:
> https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-chung.pdf
> 
> 2: https://link.springer.com/chapter/10.1007/978-3-319-17172-2_15
>
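An added example, not part of this thread, showing the check a strictly validating client would perform for the DANE-EE case Ted and Erik are arguing about: match the TLSA record against the presented certificate, and refuse outright when the TLSA answer was not DNSSEC-validated (RFC 6698 section 4.1). The DER certificate and SPKI bytes are constructed placeholders and the function names are mine.

```python
import hashlib
from dataclasses import dataclass
# Constructed placeholder bytes standing in for the DER certificate and its SPKI.
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-cert-body"
SAMPLE_SPKI_DER = b"\x30\x59" + b"constructed-spki-body"

@dataclass(frozen=True)
class TLSARecord:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int  # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes

def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the RFC 6698 presentation form, e.g. '3 1 1 <hex>'."""
    usage, selector, matching, *hexparts = presentation.split()
    return TLSARecord(int(usage), int(selector), int(matching), bytes.fromhex("".join(hexparts)))

def association_data(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """Derive what the record's data field must equal for the presented certificate."""
    selected = {0: cert_der, 1: spki_der}[rec.selector]   # KeyError on unknown selector
    if rec.matching == 0:
        return selected
    if rec.matching == 1:
        return hashlib.sha256(selected).digest()
    if rec.matching == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {rec.matching}")

def dane_ee_matches(records, cert_der, spki_der, dnssec_validated) -> bool:
    """True only if some DANE-EE (usage 3) record matches AND the TLSA RRset was
    DNSSEC-validated; RFC 6698 s4.1 forbids acting on unvalidated TLSA records."""
    if not dnssec_validated:
        return False  # an unsigned/insecure answer gives no authentication at all
    for rec in records:
        if rec.usage != 3:
            continue  # usages 0-2 need PKIX or trust-anchor chain checks, not done here
        try:
            if association_data(rec, cert_der, spki_der) == rec.data:
                return True
        except (KeyError, ValueError):
            continue  # unusable record: skip it rather than trust it
    return False

def sample_check() -> dict:
    good = parse_tlsa("3 1 1 " + hashlib.sha256(SAMPLE_SPKI_DER).hexdigest())
    bad = parse_tlsa("3 1 1 " + "00" * 32)
    args = (SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    return {"validated": dane_ee_matches([bad, good], *args, True),
            "unvalidated": dane_ee_matches([bad, good], *args, False),
            "wrong_key": dane_ee_matches([bad], *args, True)}
```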