IETF Logo Mail Archive

Re: [TLS] Dnsdir early review of draft-ietf-tls-svcb-ech-01

Eric Rescorla <ekr@rtfm.com> Sat, 30 March 2024 02:54 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C52BC14F712 for <tls@ietfa.amsl.com>; Fri, 29 Mar 2024 19:54:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.892
X-Spam-Level:
X-Spam-Status: No, score=-1.892 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dlbVl-kBP-XK for <tls@ietfa.amsl.com>; Fri, 29 Mar 2024 19:54:22 -0700 (PDT)
Received: from mail-yb1-xb35.google.com (mail-yb1-xb35.google.com [IPv6:2607:f8b0:4864:20::b35]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5928C14F710 for <tls@ietf.org>; Fri, 29 Mar 2024 19:54:22 -0700 (PDT)
Received: by mail-yb1-xb35.google.com with SMTP id 3f1490d57ef6-dc6cbe1ac75so1866309276.1 for <tls@ietf.org>; Fri, 29 Mar 2024 19:54:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1711767262; x=1712372062; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=M3hL5gdzuPRaa1zdj6mrbn3gOcNFTuDdpo1aOzLPBXg=; b=GIZ0ojGfOxvufRuiglX+J6PzuPq30ZX69rA0zWsfyYEA9Rd6EForvr7EpW/tParvGm ZGbhM2qxyQXPBOLKflJ1OEuzdJPLCxfNlXqD7ZtMhLw96ialYJdQtZ13sKsE3L1iU8Kt 8qroELa+wUhvYrRWyppBNjs3h/s/6UELJnmmotBoPuY8BFfL4dU4ZPq4WKMs9NepZqFU dEBJSKCEmpYRpM2IkDkFyynMh9vvVmgFXNh9qyDG3ZGN5KNQ4Csdb6DYXA5yx9xYk1HY JzAHLc+JeGk0dEa+18QbXm4j/FwTZTwZRWHpAJkwHxeuo9GkrBtHDo09aCp44Zm4lOLe N8Ww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711767262; x=1712372062; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=M3hL5gdzuPRaa1zdj6mrbn3gOcNFTuDdpo1aOzLPBXg=; b=MrUxPT0EMMzyCyc/6nehw17d3MFjsA5CsVuFRr1DqvZTPjuS1wNih55PT+Ly1JdOTW Lz2b/ZXZQhdfUp+TpduFLl8o48UweWNrCmMCQCs6c5KIezZJgZReLqzqCuHhRjL/gCzj XWpESvWaYP0FZZR+uX1rupaoioVuofaU4tZXO5mvkA1GrahDrSS6Dx949tNn0GAstaDx o8PHc8ueMLSBWXFl65kjkq//6OHqEAPpotfv8IJcY2ol+BLynX008PvrRSxIZS3NA95+ qShiOPNGMcqZESXStjORwwp9hGGxNwYuazBIrrjmf5aGRSxEwHRnGStfRcy44S6b07z+ 4BgA==
X-Forwarded-Encrypted: i=1; AJvYcCV7HzyhxgfF+P65Fb8jauCYhoxo3K8NHETWOzNoCnJlnp0a2AoNciKljiBdrD8uzP5DxqgXrl5YFqfuJic=
X-Gm-Message-State: AOJu0YxDfvX9YAAvTDopq2sbZzYqyj7aQQy98f98D/dZOCEOXKVfQm/W /QN3D52/9fdDNJHH2boNTjnteE2881PwUmj6lHxQXwWkutCBPL6GSqmWvzANm0sx0+ECmCGqifp o/wdF3+nF/q3iHTBdLzQMG9b5FJmuRGV1sBTQ2A==
X-Google-Smtp-Source: AGHT+IFD1SWmav9P3PafPwO2dj9tGGOv+vI6k3j55hZVxrtpEQE64gD4W71JfYySu66OpoykgKMEsRLK1V09LE14jg0=
X-Received: by 2002:a25:b224:0:b0:dcd:9a9b:8d7e with SMTP id i36-20020a25b224000000b00dcd9a9b8d7emr4818931ybj.9.1711767261540; Fri, 29 Mar 2024 19:54:21 -0700 (PDT)
MIME-Version: 1.0
References: <171174253501.29384.9373864670898234756@ietfa.amsl.com> <CAChr6SwCKV4P_xab_3dKSwKDfPdxjz3WinQaWebMcXh8-_xy0g@mail.gmail.com> <CAPt1N1knx=+K627L6rsf4nGuiwpSXjWoMB4QcMfwhJdaGKypUw@mail.gmail.com> <CAChr6SxKA7YidnYWW=6DOWeQo+_CKNaWNOQL9JQnJUB3thgBhw@mail.gmail.com> <CAPt1N1=snvSeQ74xs=HNVyszxjTD1SPMxw3+BVh-5-HBnOcZag@mail.gmail.com> <CAChr6Sx0WX-X3dWjkwMJAa4Rz3BhnUdYMFwWgLkorm6d-16g1w@mail.gmail.com> <CAPt1N1=LzjPMfADvdTdt_kCZ3XTznKs4p4_FYAH_RDb6WVcv7w@mail.gmail.com>
In-Reply-To: <CAPt1N1=LzjPMfADvdTdt_kCZ3XTznKs4p4_FYAH_RDb6WVcv7w@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 29 Mar 2024 19:53:45 -0700
Message-ID: <CABcZeBMVbi2_0yaTTe+-U2cBWqscXAdhcrwPufKNg0a-8U292A@mail.gmail.com>
To: Ted Lemon <mellon@fugue.com>
Cc: Rob Sayre <sayrer@gmail.com>, dnsdir@ietf.org, draft-ietf-tls-svcb-ech.all@ietf.org, tls@ietf.org
Content-Type: multipart/alternative; boundary="0000000000009016ad0614d7df21"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/NYmnhxmq6Y4xdvW8Efsy5f6dWeA>
Subject: Re: [TLS] Dnsdir early review of draft-ietf-tls-svcb-ech-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Mar 2024 02:54:27 -0000

Hi Ted,

Doesn't this section of RFC 9460 address this case and say what you are
recommending:

https://www.rfc-editor.org/rfc/rfc9460.html#section-3.1

-Ekr



On Fri, Mar 29, 2024 at 6:49 PM Ted Lemon <mellon@fugue.com> wrote:

> Okay, I think I see the disconnect, maybe. The issue I'm pointing to is
> that you may or may not be doing DNSSEC validation. And you may or may not
> be /able/ to do DNSSEC validation if the infrastructure breaks it
> accidentally or deliberately.
>
> The document says: "The SVCB-optional client behavior specified in
> (Section 3 of [SVCB]) permits clients to fall back to a direct connection
> if all SVCB options fail. This behavior is not suitable for ECH, because
> fallback would negate the privacy benefits of ECH."
>
> So it's saying that the default handling of SVCB is incorrect and would
> fail open, and overriding that behavior. Given that this is the case, that
> implies that it matters whether the data has been validated, but nowhere in
> the document, certainly not in Security Considerations, is any mention made
> of this issue. So that's what I'm pointing out.
>
> It is absolutely not the case in practice that all stub resolvers do
> validation. You are making a security decision about trust based on data
> the trustworthiness of which you've not discussed, in a situation where the
> implementor has meaningful choices to make with respect to validating that
> trustworthiness. So it's worth mentioning that if the policy is not to
> validate, this vulnerability exists.
>
> I'm a DNS guy, not a TLS guy, so I don't know the history of this work—I'm
> just making this observation about the document I was asked to review. The
> fact that (apparently) no DNSDIR review ever raised this issue about the
> other documents you mentioned is of no interest to me—I'm not reviewing
> those documents.Whether you take this advice is between you and the IESG.
> I'm not even claiming to be right—just pointing out the issue I see.
>
> On Fri, Mar 29, 2024 at 7:21 PM Rob Sayre <sayrer@gmail.com> wrote:
>
>> I don't think it relates to DNSSEC. You can fail at DNS (DNSSEC failure)
>> or you can fail during ECH (unless you want to use non-ECH, which is not
>> ECH, and not part of this draft).
>>
>> It makes sense to me: one can reject a request unless the requirements
>> embedded in the SVCB are met (the server chooses those, which can include
>> many aspects of the request). I don't understand why one would insert
>> DNSSEC here. That seems to be the whole point--it works without it.
>>
>> thanks,
>> Rob
>>
>>
>> On Fri, Mar 29, 2024 at 3:57 PM Ted Lemon <mellon@fugue.com> wrote:
>>
>>> I'm not telling you that you have to require DNSSEC. I'm saying the
>>> document is incomplete if you don't talk about how it relates to DNSSEC. I
>>> think EKR got the point, so maybe go with his approach?
>>>
>>> On Fri, Mar 29, 2024 at 6:27 PM Rob Sayre <sayrer@gmail.com> wrote:
>>>
>>>> It's a policy choice, though, right? I think ekr hinted at this issue
>>>> as well.
>>>>
>>>> It's that one might also view requests that reveal the SNI as insecure.
>>>> If that's the case, DNSSEC doesn't help. There will certainly be a
>>>> transition period where that will be impractical for many servers. I think
>>>> these are separate problems, though.
>>>>
>>>> thanks,
>>>> Rob
>>>>
>>>>
>>>> On Fri, Mar 29, 2024 at 3:10 PM Ted Lemon <mellon@fugue.com> wrote:
>>>>
>>>>> It looks like if you can't get the SCVB you're going to fail insecure,
>>>>> so being able to use DNSSEC to prevent that for signed domains seems
>>>>> worthwhile.
>>>>>
>>>>> On Fri, Mar 29, 2024 at 4:41 PM Rob Sayre <sayrer@gmail.com> wrote:
>>>>>
>>>>>> On Fri, Mar 29, 2024 at 1:02 PM Ted Lemon via Datatracker <
>>>>>> noreply@ietf.org> wrote:
>>>>>>
>>>>>>>
>>>>>>> I don't think it's reasonable to specify the privacy properties of
>>>>>>> SVCB and
>>>>>>> /not/ talk about DNSSEC validation.
>>>>>>>
>>>>>>
>>>>>> Could you explain more about this part? I think DNSSEC doesn't add
>>>>>> much here, unless you want to accept non-ECH traffic. For example, many of
>>>>>> the test servers will bounce you to some other site if you don't send ECH
>>>>>> or screw it up in some way (speaking as someone who has screwed it up many
>>>>>> times...).
>>>>>>
>>>>>> I think there might be a DoS attack here, where someone messes with
>>>>>> the response, but they can also turn off the DNSSEC bit unless it's
>>>>>> DoT/DoH/DoQ etc. So, if using those, it's just the trustworthiness of the
>>>>>> DNS server itself, right? Sorry if I'm missing something.
>>>>>>
>>>>>> thanks,
>>>>>> Rob
>>>>>>
>>>>>> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email