Re: [TLS] Dnsdir early review of draft-ietf-tls-svcb-ech-01
Rob Sayre <sayrer@gmail.com> Sat, 30 March 2024 18:02 UTC
Return-Path: <sayrer@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4AF0C14F61E; Sat, 30 Mar 2024 11:02:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u8egkQ0tl0DF; Sat, 30 Mar 2024 11:02:12 -0700 (PDT)
Received: from mail-ed1-x52f.google.com (mail-ed1-x52f.google.com [IPv6:2a00:1450:4864:20::52f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44CDBC14F5F8; Sat, 30 Mar 2024 11:02:12 -0700 (PDT)
Received: by mail-ed1-x52f.google.com with SMTP id 4fb4d7f45d1cf-56c2c41cbdaso1593419a12.2; Sat, 30 Mar 2024 11:02:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711821730; x=1712426530; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=t+BuuVWvXBZsZE+zHsJFMxk9aVrHI3ZXNoXH/ru6Vfo=; b=b0p78XXTNOLEBxlL3OhwHglvnPHJ2tOHfdXtS2VdOZLbzzkNek994xAH9evbhv6b7s nbNkFKXUDFAl/2hw7SXd8iWf3GqcBjm8I1zc8lB4z/Jpsx5JiVzYChsXK+FDyf5MyqSG 23tF416MklsD67/AdH3U402XBdCpSNS8j51ubIvu30MUX8kMQW8cKrG5lGk6CY7x59p6 84cDkgqxVwAmO3GX9gu0U44SgS1NEFiNbYxjwaP2OHEm39RPno7zP1xylnVJS/PjXP03 kvjnadIji95WSmGb/oGjbAETjhGKSl2gcV01Z76lho83dwhUO5oBd5uziLCPtghMmf/G N5ZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711821730; x=1712426530; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=t+BuuVWvXBZsZE+zHsJFMxk9aVrHI3ZXNoXH/ru6Vfo=; b=iaZ9Nhm9LhqfKiKDg3Yic4fMT7Fh+stTGns+8F2sVnkysGC0V5uOTteaSUFr+OtPq3 yn8o+IB/EAXdQlO+bBylau+iAjBisjroN0MOFjni+RgC6SmQ2oWFzzqh+UsbQegx4X6O YJ4u8zG6xMl/Pe85pxHDNIb1YY8OWBOHtOcrQ6mt1EziwVRcOEtSP3VRI2NDVcLezJne CPDLp3UKaqgXFLkhHo4vQLVGz/lGHFlCoj7QwXjy8ee6li3BkXoVGU5XNN2+E+0CXPOX RZ93C136naHqOTA4/DVJXgnZwyFLI2X5T+xxsU204oFdZ5n9nLQ8uolid8Re2jtDXqwQ MzTg==
X-Forwarded-Encrypted: i=1; AJvYcCXskV5dZaA41pFUbuDCbVK/gX/inDRVBDulGs6AM2SrQVejyotngkf+l4ggzDTjbdxL7IcMnvX3ak9+2qqQG7KcIQGzEFtbVUs4mQGLPz0TMX2dWYwbUCTR9CJzI2QwzQRdxtxj3JjjKvUnzN4WttWI/TQl
X-Gm-Message-State: AOJu0YyYLjMQ7N7IP/5yh9FVn/5hNrqQP/m4u/I2Ifgv50rSYgXRth5c riBBuI3PnXT6MPFROLVY4/BfjMSDR1BLo5wSdKocXV17KCFzsIr357U9sQUWp+NzETcQNRBZ3xr wVqD+PFHZqSqMBCZ/uX8BtvlTd2g=
X-Google-Smtp-Source: AGHT+IFr49jkRJbKvK1u8PR2kHg9UEE4r43hT4kL241BxAwMdk2b7xNvVK9s3iTdPWPzKUIBt1cbCd8NWa6ObldFlwM=
X-Received: by 2002:a05:6402:4315:b0:568:3362:ccd1 with SMTP id m21-20020a056402431500b005683362ccd1mr4972643edc.1.1711821730393; Sat, 30 Mar 2024 11:02:10 -0700 (PDT)
MIME-Version: 1.0
References: <171174253501.29384.9373864670898234756@ietfa.amsl.com> <CAChr6SwCKV4P_xab_3dKSwKDfPdxjz3WinQaWebMcXh8-_xy0g@mail.gmail.com> <CAPt1N1knx=+K627L6rsf4nGuiwpSXjWoMB4QcMfwhJdaGKypUw@mail.gmail.com> <CAChr6SxKA7YidnYWW=6DOWeQo+_CKNaWNOQL9JQnJUB3thgBhw@mail.gmail.com> <CAPt1N1=snvSeQ74xs=HNVyszxjTD1SPMxw3+BVh-5-HBnOcZag@mail.gmail.com> <CAChr6Sx0WX-X3dWjkwMJAa4Rz3BhnUdYMFwWgLkorm6d-16g1w@mail.gmail.com> <CAPt1N1=LzjPMfADvdTdt_kCZ3XTznKs4p4_FYAH_RDb6WVcv7w@mail.gmail.com> <CABcZeBMVbi2_0yaTTe+-U2cBWqscXAdhcrwPufKNg0a-8U292A@mail.gmail.com> <CAPt1N1kEVk6MEHqnXAPenRp057eTDhptxsstcxyEkXqWBdyHQA@mail.gmail.com> <CAKC-DJiEWYDmz3EdPq2hjpR6kGPAnRPTA9H1HAwo4BR-1XG=mQ@mail.gmail.com> <CAPt1N1kNCr+khExy8ajksPakgsQtnPWC4ckmwB9kZDhQk4Cywg@mail.gmail.com> <CAChr6SwMVuCT7trjZVdG-zhGX21vMK9iu_th+Pc7_94s9hZ8bg@mail.gmail.com> <CAKC-DJi2NqpRfxb3cHbvdK+cSLBkSP7XkH4oqEQ3CxkSvRq8Kg@mail.gmail.com>
In-Reply-To: <CAKC-DJi2NqpRfxb3cHbvdK+cSLBkSP7XkH4oqEQ3CxkSvRq8Kg@mail.gmail.com>
From: Rob Sayre <sayrer@gmail.com>
Date: Sat, 30 Mar 2024 11:01:59 -0700
Message-ID: <CAChr6SwoKqvrsKbm-K3vK793sn0p1WR2wky8cJSR-JbHytEBiA@mail.gmail.com>
To: Erik Nygren <erik+ietf@nygren.org>
Cc: Ted Lemon <mellon@fugue.com>, Eric Rescorla <ekr@rtfm.com>, dnsdir@ietf.org, draft-ietf-tls-svcb-ech.all@ietf.org, tls@ietf.org
Content-Type: multipart/alternative; boundary="00000000000028c4050614e48e77"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/e30XEj_X1BJN-oaSQ1VwT7q6ddc>
Subject: Re: [TLS] Dnsdir early review of draft-ietf-tls-svcb-ech-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Mar 2024 18:02:12 -0000
On Sat, Mar 30, 2024 at 10:47 AM Erik Nygren <erik+ietf@nygren.org> wrote: > > An attacker who can prevent SVCB resolution can deny clients any > associated security benefits. > > Yes. > A hostile recursive resolver can always deny service to SVCB queries, but > network intermediaries can often prevent resolution as well, even when the > client and recursive resolver validate DNSSEC and use a secure transport. > These downgrade attacks can prevent a client from being aware that "ech" is > configured which would result in the client sending the ClientHello in > cleartext. > > I think s/would/could/ here. I don't know if we want to write it, but doesn't using encrypted transport DNS to an IP address avoid this problem? Like using 1.1.1.1 or 8.8.8.8 etc. I know that raises centralization issues, but it does help with this issue. thanks, Rob
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Rob Sayre
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Eric Rescorla
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Rob Sayre
- [TLS] Dnsdir early review of draft-ietf-tls-svcb-… Ted Lemon via Datatracker
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Ted Lemon
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Ted Lemon
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Ted Lemon
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Rob Sayre
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Ted Lemon
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Eric Rescorla
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Ted Lemon
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Erik Nygren
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Ted Lemon
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Rob Sayre
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Erik Nygren
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Rob Sayre
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Ted Lemon
- Re: [TLS] [dnsdir] Dnsdir early review of draft-i… Tim Wicinski
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Eric Rescorla
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Sean Turner