Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add DNSSEC reference/notes to Security Considerations to address DNS Directorate feedback #2

Open
enygren opened this issue Mar 30, 2024 · 1 comment · Fixed by tlswg/draft-ietf-tls-svcb-ech#1
Open

Add DNSSEC reference/notes to Security Considerations to address DNS Directorate feedback #2

enygren opened this issue Mar 30, 2024 · 1 comment · Fixed by tlswg/draft-ietf-tls-svcb-ech#1

Comments

@enygren
Copy link

enygren commented Mar 30, 2024

Based on DNS Directorate feedback from Ted Lemon and subsequent discussion on the list, it would be good to add a reference to https://www.rfc-editor.org/rfc/rfc9460.html#section-3.1 in the Security Considerations.

This hadn't been needed prior to splitting this off.

========

Reviewer: Ted Lemon
Review result: Almost Ready

This is a DNS Directorate review for draft-ietf-tls-svcb-ech-01.

Section 4.1 advises disabling fallback, but does not talk about DNSSEC, which
is surprising given that the draft proposes privacy properties for SVCB
responses containing ECH data. I would think that it would make sense to say
that the SVCB querier should attempt to validate the response, and then talk
about what to do for bogus, insecure and valid positive and negative responses.

For example, I would think that a /bogus/ response should be taken to mean that
the SVCB record must be assumed to exist and should be treated the same as if
the list of destinations were not reachable. An /insecure/ NXDOMAIN or NODATA
response would not provide this assurance, and so what is currently described
in the document makes sense for this case. A /valid/ NXDOMAIN would assure that
no SVCB record existed, and hence ECH is not available.

I don't think it's reasonable to specify the privacy properties of SVCB and
/not/ talk about DNSSEC validation.

I could see that there might be an objection that if DNSSEC isn't working at a
particular site because of a broken DNS resolver, this would prevent connecting
to perfectly acceptable destinations simply because of general DNSSEC breakage,
not a specific attack on this specific domain. The problem is that there's no
way to distinguish this from an attack. So if this exception is allowed, the
security considerations section should talk about what the risks are of
allowing it. E.g. if we succeed in validing the root and com, but can't
validate the zone containing the SVCB (or determine that it's not signed), that
would be a clear indication of an attack, but if we can't validate the root, it
could just be brokenness, and an attacker would do well to just prevent all
validation so that we can't distinguish.
enygren added a commit to tlswg/draft-ietf-tls-svcb-ech that referenced this issue Mar 30, 2024
@enygren
Incorporate text from rfc9460 on the need for DNSSEC
bad64d6 
Fixes MikeBishop#2
to incorporate DNS Directorate feedback.  Clones text directly from rfc9460 with slight modifications.
@enygren enygren mentioned this issue Mar 30, 2024
Merged
@enygren
Copy link
Author

enygren commented Mar 30, 2024

Opened PR to address: tlswg#1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Incorporate text from rfc9460 on the need for DNSSEC tlswg/draft-ietf-tls-svcb-ech
1 participant
@enygren