Re: [Trans] DNSSEC also needs CT
Nico Williams <nico@cryptonector.com> Tue, 13 May 2014 16:11 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: trans@ietfa.amsl.com
Delivered-To: trans@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 188841A0115 for <trans@ietfa.amsl.com>; Tue, 13 May 2014 09:11:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DYEseMpeRRfY for <trans@ietfa.amsl.com>; Tue, 13 May 2014 09:11:26 -0700 (PDT)
Received: from hapkido.dreamhost.com (hapkido.dreamhost.com [66.33.216.122]) by ietfa.amsl.com (Postfix) with ESMTP id 997161A0117 for <trans@ietf.org>; Tue, 13 May 2014 09:10:37 -0700 (PDT)
Received: from homiemail-a32.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by hapkido.dreamhost.com (Postfix) with ESMTP id C39CA9280A for <trans@ietf.org>; Tue, 13 May 2014 08:59:55 -0700 (PDT)
Received: from homiemail-a32.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a32.g.dreamhost.com (Postfix) with ESMTP id 8B3B0584064 for <trans@ietf.org>; Tue, 13 May 2014 08:54:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=VMaLJpv/9ahMw1ok3bT1 at+yGL4=; b=RCZQBDr0AJt3tP259ykPysj1ZlMl3YNUwRd16bwsAPd0JLZpb8By TyoGSxkrHVtrN/NhrZE5LY6RF+UlsUirKYSl5lZ6EnarPVnuYH/i6ugj74e7REkr 8s4niWHlR9mQGb3x4+kYdCajHCXUdMqJrLLxo5QSYK6n4+7hHz3WTnw=
Received: from mail-we0-f169.google.com (mail-we0-f169.google.com [74.125.82.169]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a32.g.dreamhost.com (Postfix) with ESMTPSA id 29AEA584065 for <trans@ietf.org>; Tue, 13 May 2014 08:54:33 -0700 (PDT)
Received: by mail-we0-f169.google.com with SMTP id u56so599975wes.14 for <trans@ietf.org>; Tue, 13 May 2014 08:54:32 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.194.59.231 with SMTP id c7mr213796wjr.95.1399996472669; Tue, 13 May 2014 08:54:32 -0700 (PDT)
Received: by 10.216.29.200 with HTTP; Tue, 13 May 2014 08:54:32 -0700 (PDT)
In-Reply-To: <alpine.LFD.2.10.1405131128150.25023@bofh.nohats.ca>
References: <CAK3OfOjiL2DTJPH3CaAjg8YGrrwN56SgQ+DnqPXx4MLbgXQN+A@mail.gmail.com> <alpine.LFD.2.10.1405101722240.897@bofh.nohats.ca> <CABrd9ST7K-7RGwGD2G+kDcVSceC2ZJ-5Tz2tdp5NWa3cqBK+-w@mail.gmail.com> <CAOe4Ui=nqmCfjBYNE2CJtEs1jnbavpY4Dv-T3FRDdAwAA2dScg@mail.gmail.com> <CAK3OfOiYMJkXVR+QsCzEV0ir6u53coJz0b-JdGGD5bTTz5YcMg@mail.gmail.com> <CAOe4Ui=u0fkm9_nuXx_6gpH6jHM5pBvzjzru9O8y3bpLkA0qmw@mail.gmail.com> <CAK3OfOi6y=QAMXe_2axiavxwR5nS2Uv8SM4JxQHsvEKbUyNGCA@mail.gmail.com> <CAOe4Uimvc6e6u=fJjM1-iaOTepA33Sx5CBjMV9dB8sSLqtZoWA@mail.gmail.com> <CAK3OfOhdhWdGvvhuaGyE_p5kLy0ZX-V5sAXfoLGP_8d8vPJDgg@mail.gmail.com> <CAOe4Uik+fjM4wTVBiFxphVZAwVYBPgd1a9xUyUBMSFy30SWNLg@mail.gmail.com> <CAK3OfOiC+5+s2UtSEP788W23tHq6VQSQfMsUboUp16L-27zsvQ@mail.gmail.com> <CABrd9STYxmK6gg7a5wDtejdc_Y0aD9hwQkHpFu3HbxVbMZDQHQ@mail.gmail.com> <alpine.LFD.2.10.1405130948160.25023@bofh.nohats.ca> <CABrd9SSiHfyvPxgYrDZ_idE+UGcUXVFx3BGcc2qp+t+nmuJwLw@mail.gmail.com> <alpine.LFD.2.10.1405131128150.25023@bofh.nohats.ca>
Date: Tue, 13 May 2014 10:54:32 -0500
Message-ID: <CAK3OfOivqH=HdaNPA5+c7qGvHJ0kS9S_-HNd6pM1TeeFnyJ3sw@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Paul Wouters <paul@nohats.ca>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/trans/mvta1iPdIF0f6WJlVvUjRBOikmA
Cc: "trans@ietf.org" <trans@ietf.org>, Ben Laurie <benl@google.com>
Subject: Re: [Trans] DNSSEC also needs CT
X-BeenThere: trans@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Public Notary Transparency working group discussion list <trans.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trans>, <mailto:trans-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/trans/>
List-Post: <mailto:trans@ietf.org>
List-Help: <mailto:trans-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trans>, <mailto:trans-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 May 2014 16:11:35 -0000
On Tue, May 13, 2014 at 10:33 AM, Paul Wouters <paul@nohats.ca> wrote: > On Tue, 13 May 2014, Ben Laurie wrote: >> OK, good point: zone cuts need to also be verified. >> >>> The other case is injection of a custom DS RRset. How would we tell the >>> difference between the legitimate zone owner adding a DS record or an >>> attacker/parent zone owner adding one? >> >> The legitimate owner can tell - that's the point, right? > > How does that help protect a non-owner user of someone's site being > attacked with a targetted attack? If I don't run victim.com, and I am They check that what they see appears in the issuers' logs and rely on domain owners to monitor their issuers. If at all possible TLS (and other) clients will tell their peers what STHs the saw, and the servers can check that those appear in the log). If enough domain owners do this then targeted MITM attacks get harder to pull off without being detected. This is the herd immunity theory: eventually the risk of detection is so high for would-be MITMers that they won't risk it at all (except, of course, for cases like open war, where detection is a non-issue). This seems especially likely to be the case for DNSSEC because of caching. > just a visitor of victim.com, but only I am given rogue DNSSEC records, > how can I tell something is wrong? I would go to the public log and see > the DS I received is not in there? Yes. Or that it is. If it is and your peers monitor the logs then you can at least rest easy that the likelihood of MITM issuer detection is very high. Nico --
- [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Mehner, Carl
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Tao Effect
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Tao Effect
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] EXTERNAL: DNSSEC also needs CT Tao Effect
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Warren Kumari
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Daniel Kahn Gillmor
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Joseph Bonneau
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Joseph Bonneau
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Salz, Rich
- Re: [Trans] DNSSEC also needs CT Joseph Bonneau
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Joseph Bonneau
- [Trans] Volunteer opportunity! (was Re: DNSSEC al… Melinda Shore
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Nico Williams
- [Trans] ***SPAM*** 8.1 (5) Re: DNSSEC also needs … Daniel Kahn Gillmor
- Re: [Trans] DNSSEC also needs CT Nico Williams
- [Trans] ***SPAM*** 7.971 (5) Re: ***SPAM*** 8.1 (… Ben Laurie
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Nico Williams
- [Trans] ***SPAM*** 8.956 (5) Re: ***SPAM*** 8.1 (… Nico Williams
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- [Trans] ***SPAM*** 8.1 (5) Re: Re: DNSSEC also ne… Daniel Kahn Gillmor
- [Trans] ***SPAM*** 8.956 (5) Re: ***SPAM*** 8.1 (… Nico Williams
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Melinda Shore
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Osterweil, Eric
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Osterweil, Eric
- Re: [Trans] DNSSEC also needs CT Paul Wouters
- Re: [Trans] DNSSEC also needs CT Daniel Kahn Gillmor
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Stephen Kent
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Ben Laurie
- Re: [Trans] DNSSEC also needs CT Phillip Hallam-Baker
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… i-barreira
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Ben Laurie
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Ben Laurie
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Stephen Kent
- Re: [Trans] DNSSEC also needs CT Nico Williams
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Stephen Kent
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Ben Laurie
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Dmitry Belyavsky
- Re: [Trans] Volunteer opportunity! (was Re: DNSSE… Ben Laurie
- [Trans] trans doc issues Stephen Kent