Re: [TLS] Dnsdir early review of draft-ietf-tls-svcb-ech-01

Rob Sayre <sayrer@gmail.com> Fri, 29 March 2024 20:41 UTC

References: <171174253501.29384.9373864670898234756@ietfa.amsl.com>
In-Reply-To: <171174253501.29384.9373864670898234756@ietfa.amsl.com>
From: Rob Sayre <sayrer@gmail.com>
Date: Fri, 29 Mar 2024 13:41:29 -0700
Message-ID: <CAChr6SwCKV4P_xab_3dKSwKDfPdxjz3WinQaWebMcXh8-_xy0g@mail.gmail.com>
To: Ted Lemon <mellon@fugue.com>
Cc: dnsdir@ietf.org, draft-ietf-tls-svcb-ech.all@ietf.org, tls@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ZpBs-xWY6W6mEY584YWha9B5pOs>

On Fri, Mar 29, 2024 at 1:02 PM Ted Lemon via Datatracker <noreply@ietf.org>
wrote:

>
> I don't think it's reasonable to specify the privacy properties of SVCB and
> /not/ talk about DNSSEC validation.
>

Could you explain more about this part? I think DNSSEC doesn't add much
here, unless you want to accept non-ECH traffic. For example, many of the
test servers will bounce you to some other site if you don't send ECH or
screw it up in some way (speaking as someone who has screwed it up many
times...).

I think there might be a DoS attack here, where someone messes with the
response, but they can also turn off the DNSSEC bit unless it's DoT/DoH/DoQ
etc. So, if using those, it's just the trustworthiness of the DNS server
itself, right? Sorry if I'm missing something.

thanks,
Rob
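As an added illustration of the point made in the message above (example code, not part of this thread, of the draft, or of any implementation discussed in it): a constructed HTTPS-record response carrying an `ech` SvcParam, a parser for it, and a simulated on-path rewrite of a plain Do53 response that clears the AD flag and drops the `ech` parameter. Nothing in an unencrypted UDP/TCP response authenticates either the header flags or the RDATA, so a resolver's AD bit only tells the client something if the last hop is DoT/DoH/DoQ (or the client validates DNSSEC itself). The transaction ID, the query name and the ECHConfigList bytes are made-up placeholders; the blob is not a valid ECHConfigList, just opaque octets in the right position.

```python
import struct

QTYPE_HTTPS = 65          # HTTPS RR type (RFC 9460)
SVCPARAM_ALPN = 1         # SvcParamKey "alpn"
SVCPARAM_ECH = 5          # SvcParamKey "ech" (carries an ECHConfigList)
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020

# Constructed placeholder standing in for a real ECHConfigList; NOT a valid config.
FAKE_ECHCONFIGLIST = b"\x00\x10" + bytes(range(16))


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as uncompressed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Read an uncompressed name; returns (name, next_offset)."""
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("name compression is not used in this constructed sample")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", off


def encode_svcparams(params: dict) -> bytes:
    # SvcParams must be in strictly increasing key order (RFC 9460 section 2.2)
    return b"".join(struct.pack("!HH", k, len(v)) + v for k, v in sorted(params.items()))


def decode_svcparams(data: bytes) -> dict:
    params, off = {}, 0
    while off < len(data):
        k, ln = struct.unpack_from("!HH", data, off)
        off += 4
        params[k] = data[off:off + ln]
        off += ln
    return params


def build_https_response(txid: int, qname: str, ad: bool, params: dict, ttl: int = 300) -> bytes:
    """One-question, one-answer ServiceMode HTTPS response (TargetName '.')."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_HTTPS, 1)
    rdata = struct.pack("!H", 1) + encode_name(".") + encode_svcparams(params)
    answer = encode_name(qname) + struct.pack("!HHIH", QTYPE_HTTPS, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_https_response(msg: bytes) -> dict:
    txid, flags, _qd, _an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    qname, off = decode_name(msg, 12)
    off += 4                                   # QTYPE, QCLASS
    _name, off = decode_name(msg, off)
    _rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    rdata = msg[off:off + rdlen]
    priority = struct.unpack_from("!H", rdata, 0)[0]
    target, poff = decode_name(rdata, 2)
    return {"id": txid, "ad": bool(flags & FLAG_AD), "qname": qname, "ttl": ttl,
            "priority": priority, "target": target, "svcparams": decode_svcparams(rdata[poff:])}


def on_path_rewrite(msg: bytes) -> bytes:
    """Simulated Do53 on-path attacker: keep the transaction ID and the rest of the
    answer, but clear AD and drop the ech SvcParam. A plain UDP/TCP client cannot
    tell this from a resolver that simply did not validate and had no ech key."""
    p = parse_https_response(msg)
    params = {k: v for k, v in p["svcparams"].items() if k != SVCPARAM_ECH}
    return build_https_response(p["id"], p["qname"], ad=False, params=params, ttl=p["ttl"])


def ech_usable(msg: bytes) -> bool:
    """All the client can conclude from the bytes: is an ech key present at all."""
    return SVCPARAM_ECH in parse_https_response(msg)["svcparams"]


if __name__ == "__main__":
    genuine = build_https_response(0x1234, "example.com.", ad=True,
                                   params={SVCPARAM_ALPN: b"\x02h2", SVCPARAM_ECH: FAKE_ECHCONFIGLIST})
    tampered = on_path_rewrite(genuine)
    print("genuine : ad=%s ech=%s" % (parse_https_response(genuine)["ad"], ech_usable(genuine)))
    print("tampered: ad=%s ech=%s" % (parse_https_response(tampered)["ad"], ech_usable(tampered)))
```

The `on_path_rewrite` step is the downgrade the message alludes to: the client sees a well-formed, correctly numbered answer with no `ech` key and no AD bit, which is exactly what a non-validating resolver and a server without ECH would produce. Whether that turns into a privacy loss or only a denial of service depends on the client's policy for a missing key, which is a question for the draft rather than for DNSSEC.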