Re: [DNSOP] Proposal for a new record type: SNI
In message , Phillip Hallam-Baker writes: > On Mon, Feb 20, 2017 at 8:42 PM, Mark Andrews wrote: > > > > > > > Zero if it is done right. We can easily extend the DNS to say > > "Fetch the additional record for the SRV records before answering" > > if you have this EDNS option present or just have the server do it > > without the option. There is nothing preventing a recursive server > > just doing this today. > > > > +1 Actually that is what I was assuming. > > If we are using the current DNS protocol then all we need to do is to > program the DNS servers to intelligently add the necessary additional RRs. > > Alternatively, if we are doing DNS over QUIC then we could tweak the > protocol so that this is the default. > > If the SRV prefix is _http._tcp or _https._tcp then the recursive > > server SHOULD fetch any missing additional address records for the > > SRV server including CNAME records if the server name maps to a > > CNAME and add them to the addtional section prior to returning the > > response. You could even just do this for all SRV lookups. > > > > Yup. The only catch is that we all need to do discovery the same way. > That > is why SRV+TXT as specified in RFC6763 is the way to go > > > > > A RFC saying something like this would solve the SRV issue over the > > long term a recursive servers get replaced. Unfortunately brower > > vendors don't seem to want to say "yes, we will add SRV support if > > you change the DNS to do this". > > > > I don't think they are interested in SRV just for SRV. But SRV for this > plus SNI encryption could be enough. > > We could also fix up some sort of backwards compatibility scheme. A DNS > server that knows that _http._tcp.example.com is http over port 80 can > convert A/ records as needed. Or just add the A/ records to the additional section of the NXDOMAIN/NODATA response to the SRV query using the base name. The client can synthesize the response using the additional data. That way the DNS server doesn't need to know the port mappings. If qtype is SRV strip off leading underscore labels and add addresses records for the resulting name to the additional section of the response. Or the client can just do parallel lookups and wait for all the responses before proceeding. Set a flag day N years out for when to stop performing the A/ lookups. They can decide to stop doing parallel lookups much earlier when they see SRV records being returned consistently. The flag day is just to sunset backwards lookups. > If we are dealing with a trusted DNS resolver chosen by the relying party > that is constant, we can do things like advertise 'next generation > discovery'. > > > > > And if they have a issue with the prefix one can allocate a new TYPE(s) > > for class IN that does the same as SRV records but is for http and https. > > > > Service to address can be done with a single lookup and can include the > > TLSA records as well. > > > > I would prefer to specify the security policy in an accompanying prefixed > TXT record because I need more than TLSA provides. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Proposal for a new record type: SNI
On Mon, Feb 20, 2017 at 8:42 PM, Mark Andrews wrote: > > > Zero if it is done right. We can easily extend the DNS to say > "Fetch the additional record for the SRV records before answering" > if you have this EDNS option present or just have the server do it > without the option. There is nothing preventing a recursive server > just doing this today. > +1 Actually that is what I was assuming. If we are using the current DNS protocol then all we need to do is to program the DNS servers to intelligently add the necessary additional RRs. Alternatively, if we are doing DNS over QUIC then we could tweak the protocol so that this is the default. If the SRV prefix is _http._tcp or _https._tcp then the recursive > server SHOULD fetch any missing additional address records for the > SRV server including CNAME records if the server name maps to a > CNAME and add them to the addtional section prior to returning the > response. You could even just do this for all SRV lookups. > Yup. The only catch is that we all need to do discovery the same way. That is why SRV+TXT as specified in RFC6763 is the way to go > A RFC saying something like this would solve the SRV issue over the > long term a recursive servers get replaced. Unfortunately brower > vendors don't seem to want to say "yes, we will add SRV support if > you change the DNS to do this". > I don't think they are interested in SRV just for SRV. But SRV for this plus SNI encryption could be enough. We could also fix up some sort of backwards compatibility scheme. A DNS server that knows that _http._tcp.example.com is http over port 80 can convert A/ records as needed. If we are dealing with a trusted DNS resolver chosen by the relying party that is constant, we can do things like advertise 'next generation discovery'. > And if they have a issue with the prefix one can allocate a new TYPE(s) > for class IN that does the same as SRV records but is for http and https. > > Service to address can be done with a single lookup and can include the > TLSA records as well. > I would prefer to specify the security policy in an accompanying prefixed TXT record because I need more than TLSA provides. ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Proposal for a new record type: SNI
In message , Phillip Hallam-Baker writes: > On Mon, Feb 20, 2017 at 4:08 PM, Ben Schwartz wrote: > > > On Mon, Feb 20, 2017 at 3:39 PM, Phillip Hallam-Baker < > > ph...@hallambaker.com> wrote: > > > >> I really don't like the proposal at all. The idea of beginning the TLS > >> handshake in DNS is sound. But it is a completely new handshake and > >> authentication layer. > >> > > > > What you're proposing does sound like a completely new handshake. To be > > clear, this proposal makes no change to TLS. > > > > Well there is your problem. There is little point in doing this unless > you > feed the result into the TLS handshake to follow. > > > Right now we have a bit of a mess with service discovery. We have a solid > >> proposal that makes sense written up as a standard > >> > > > > Could you point me to which document you're referring to? > > > > https://tools.ietf.org/html/rfc6763 > > > > > and we have a lot of folk saying we should do something different, > either > >> for legacy reasons or because they find it impure. > >> > >> The solid proposal is as follows: > >> > >> * Discover all services using SRV *without exception* > >> > >> * Use TXT records to provide additional data *that is required for > >> discovery and binding* > >> > >> * TXT records may be bound to the service definition, thus covering all > >> hosts or be bound to a specific host instance. > >> > >> * Domain names used for services MAY use CNAME or DNAME. Domain names > >> that identify services MUST NOT. > >> > > > > I'm not sure I understand this distinction. > > > > Ooops... > > Domain names that identify > HOSTS > MUST NOT. > > A service is an abstract Internet service which may be provided by any > host chosen from group of hosts specified in an SRV record. A host is a > physical machine. > > SRV records map services to hosts. > A and records map hosts to IP addresses. > > > > How many DNS and destination roundtrips does this require? My > impression > > is that SRV records have proven unpopular in part because they generally > > add a DNS roundtrip delay to each initial connection. > > > > One if it is done right. Zero if it is done right. We can easily extend the DNS to say "Fetch the additional record for the SRV records before answering" if you have this EDNS option present or just have the server do it without the option. There is nothing preventing a recursive server just doing this today. This is the essential difference between a CNAME and SRV records as far as browser vendors are concerned. Waiting for the "full" answer rather than returning a partial answer when there are no cached address records. We already have RFC that say go lookup missing data before constructing a response. We do this for DNS64. We do this for CNAME. If the SRV prefix is _http._tcp or _https._tcp then the recursive server SHOULD fetch any missing additional address records for the SRV server including CNAME records if the server name maps to a CNAME and add them to the addtional section prior to returning the response. You could even just do this for all SRV lookups. A RFC saying something like this would solve the SRV issue over the long term a recursive servers get replaced. Unfortunately brower vendors don't seem to want to say "yes, we will add SRV support if you change the DNS to do this". And if they have a issue with the prefix one can allocate a new TYPE(s) for class IN that does the same as SRV records but is for http and https. Service to address can be done with a single lookup and can include the TLSA records as well. This is a server that prefetches missing additional data and know about looking up TLSA records. You will notice that the additional section get populated just by the client looking up MX records. If you ask with DO=1 you can even get validatible results. Mark [rock:~/git/bind9-marka] marka% dig mx isc.org +dnssec ;; BADCOOKIE, retrying. ; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> mx isc.org +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50368 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ; COOKIE: 5d5611ff91b234cea8fc5d2858ab99833bfd56c3a5adef30 (good) ;; QUESTION SECTION: ;isc.org. IN MX ;; ANSWER SECTION: isc.org.7200IN MX 20 mx.ams1.isc.org. isc.org.7200IN MX 10 mx.pao1.isc.org. isc.org.7200IN RRSIG MX 5 2 7200 20170322234053 20170220234053 13953 isc.org. gH/RpE45SX9aZTGEWmIHcCGYN8ihF/4H3RwYuVkfMPlrZKc/5OsRSuXd AP6wxYgBWNpTWKK3Rl/tCWkDiW9bHA+XjEvhMLeYabdr8Zt8zbXrLFGc mcRGE34YA0uPKkNqTVKjWU6uqFrKkEjxoQU+bWkDnlyd71FRhxIcdZSS hGQ= ;; Query time: 2435 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Tue Feb 21 12:36:03 EST 2017 ;; MSG SIZE rcvd: 279 [rock:~/git/bind9-marka] marka% dig mx isc.org +dnssec ;; BADCOOKI
Re: [DNSOP] Proposal for a new record type: SNI
script to find the cert hashes that will reveal the specific site is too hard so never mind? Isn't the server's certificate encrypted in TLS 1.3? Yes, but Tony's proposal as I understood it was to use the hash from a TLSA certificate instead of the text of the SNI domain. Regards, John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail. https://jl.ly ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Proposal for a new record type: SNI
On Mon, Feb 20, 2017 at 4:08 PM, Ben Schwartz wrote: > On Mon, Feb 20, 2017 at 3:39 PM, Phillip Hallam-Baker < > ph...@hallambaker.com> wrote: > >> I really don't like the proposal at all. The idea of beginning the TLS >> handshake in DNS is sound. But it is a completely new handshake and >> authentication layer. >> > > What you're proposing does sound like a completely new handshake. To be > clear, this proposal makes no change to TLS. > Well there is your problem. There is little point in doing this unless you feed the result into the TLS handshake to follow. Right now we have a bit of a mess with service discovery. We have a solid >> proposal that makes sense written up as a standard >> > > Could you point me to which document you're referring to? > https://tools.ietf.org/html/rfc6763 > and we have a lot of folk saying we should do something different, either >> for legacy reasons or because they find it impure. >> >> The solid proposal is as follows: >> >> * Discover all services using SRV *without exception* >> >> * Use TXT records to provide additional data *that is required for >> discovery and binding* >> >> * TXT records may be bound to the service definition, thus covering all >> hosts or be bound to a specific host instance. >> >> * Domain names used for services MAY use CNAME or DNAME. Domain names >> that identify services MUST NOT. >> > > I'm not sure I understand this distinction. > Ooops... Domain names that identify HOSTS MUST NOT. A service is an abstract Internet service which may be provided by any host chosen from group of hosts specified in an SRV record. A host is a physical machine. SRV records map services to hosts. A and records map hosts to IP addresses. > How many DNS and destination roundtrips does this require? My impression > is that SRV records have proven unpopular in part because they generally > add a DNS roundtrip delay to each initial connection. > One if it is done right. You are going to want to lock down your client to resolver DNS and you might as well fix the protocol at the same time. That is why standardizing on DNS-SD for everything is the way to go. ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Proposal for a new record type: SNI
John R Levine wrote: > > http://www.bieberfever.com/ ("The Official Juston Bieber Fan Club") is > > hosted by Akamai on 23.38.103.18. > > According to DNSDB (IMO the best passive DNS service), there are 605 > > other sites *also* hosted on 23.38.103.18. > > > No doubt pervasive monitors (and others) will use passive DNS systems > > to build a map of SNI DNS RRs, but I'd much much rather have the men > > in black thinking that I'm visiting www.precisiondoor.net, > > www.theman.in, or www.worldsleadingcruiselines.com than knowing my > > dirty little secret love of the Bieb... > > I really don't get this. The bad guys we're worried about have to be > sophisticated enough to do a packet capture and pick the SNI bits out of TLS > handshakes. How plausible is it that those bad guys would say, oh, using a > script to find the cert hashes that will reveal the specific site is too > hard so never mind? Isn't the server's certificate encrypted in TLS 1.3? And even in previous versions of TLS, at least in the CDN world it's somewhat common to put unrelated domains on the same SAN certificate. -- Robert Edmonds ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Proposal for a new record type: SNI
http://www.bieberfever.com/ ("The Official Juston Bieber Fan Club") is hosted by Akamai on 23.38.103.18. According to DNSDB (IMO the best passive DNS service), there are 605 other sites *also* hosted on 23.38.103.18. No doubt pervasive monitors (and others) will use passive DNS systems to build a map of SNI DNS RRs, but I'd much much rather have the men in black thinking that I'm visiting www.precisiondoor.net, www.theman.in, or www.worldsleadingcruiselines.com than knowing my dirty little secret love of the Bieb... I really don't get this. The bad guys we're worried about have to be sophisticated enough to do a packet capture and pick the SNI bits out of TLS handshakes. How plausible is it that those bad guys would say, oh, using a script to find the cert hashes that will reveal the specific site is too hard so never mind? R's, John ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Proposal for a new record type: SNI
On Mon, Feb 20, 2017 at 4:19 PM, John Levine wrote: > In article you write: >>Would it be easier or harder, instead of adding a new SNI RRtype, to use >>DANE TLSA records to identify the server's cert or key, and use a >>variation of TLS SNI to request the cert by digest instead of by name? > > I don't see how that would help. Using passive DNS it's easy to find > all the names that point to a server, which makes it easy to get all > of the TLSA records for those names so the bad guy knows the hashes. http://www.bieberfever.com/ ("The Official Juston Bieber Fan Club") is hosted by Akamai on 23.38.103.18. According to DNSDB (IMO the best passive DNS service), there are 605 other sites *also* hosted on 23.38.103.18. No doubt pervasive monitors (and others) will use passive DNS systems to build a map of SNI DNS RRs, but I'd much much rather have the men in black thinking that I'm visiting www.precisiondoor.net, www.theman.in, or www.worldsleadingcruiselines.com than knowing my dirty little secret love of the Bieb... Even more embarrassing is my love of Kylie Minogue -- 162.249.104.157 [0] I'd much rather have anyone watching my TLS connections think that I'm a fan of www.artofnoiseofficial.com, lilyallen.de or one of the other 900+ sites on that IP address. Yes, maps of $site -> SNI *will* be made, and will be used for profiling -- but ... "I read Playboy for the articles" only works if they have articles -- I only went to www.worldsleadingcruiselines.com to read that, *not* to try buy the new poster, you know, the one where he's hair is *sooo* dreamy... W > > R's, > John > > ___ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Proposal for a new record type: SNI
In article you write: >Would it be easier or harder, instead of adding a new SNI RRtype, to use >DANE TLSA records to identify the server's cert or key, and use a >variation of TLS SNI to request the cert by digest instead of by name? I don't see how that would help. Using passive DNS it's easy to find all the names that point to a server, which makes it easy to get all of the TLSA records for those names so the bad guy knows the hashes. R's, John ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Proposal for a new record type: SNI
I really don't like the proposal at all. The idea of beginning the TLS handshake in DNS is sound. But it is a completely new handshake and authentication layer. Right now we have a bit of a mess with service discovery. We have a solid proposal that makes sense written up as a standard and we have a lot of folk saying we should do something different, either for legacy reasons or because they find it impure. The solid proposal is as follows: * Discover all services using SRV *without exception* * Use TXT records to provide additional data *that is required for discovery and binding* * TXT records may be bound to the service definition, thus covering all hosts or be bound to a specific host instance. * Domain names used for services MAY use CNAME or DNAME. Domain names that identify services MUST NOT. * Treat everything else as legacy. Expect Port numbers to be supplanted by SRV prefixes. Accept that TLSA is dead. Don't tilt at windmills with yet more discovery schemes. I see a distinction between Hosts and Services. An internet service is defined by an SRV prefix. A Host has a unique IP address and may support multiple services which may also share ports. If the objective is to conceal the service name being connected to, it follows that any key used to conceal the service negotiation must be bound to the host rather than the service. The protocol that these constraints points to would use a lightweight key agreement with a client supplied nonce and a host specific DNS key to protect the initial TLS key agreement and then feed that key as one of the inputs into the KDF for the service level key agreement. One bonus of this approach is that if you don't care about authentication, you can dispense with the service authentication altogether and use encryption based on the host encryption alone. TLS is designed to provide service authentication that is its purpose and the reason for most of the complexity. ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Proposal for a new record type: SNI
Would it be easier or harder, instead of adding a new SNI RRtype, to use DANE TLSA records to identify the server's cert or key, and use a variation of TLS SNI to request the cert by digest instead of by name? Tony. -- f.anthony.n.finchhttp://dotat.at/ - I xn--zr8h punycode Hebrides, Bailey: West backing southwest 6 to gale 8. Rough or very rough, becoming high later in west Bailey. Showers, then rain later. Good, occasionally poor. ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Proposal for a new record type: SNI
The reason to allow non-empty RDATA is to support servers that serve multiple multi-domain certificates from a single IP address, dispatched by SNI. This is common on CDNs and other large internet serving systems. Oh, OK, that's helpful. So the use case is a web server that serves a zillion domains, with the domains grouped into clusters that share a certificate. For each cluster, you pick one of the names as the cover name, and the SNI points to that name. The cover name doesn't have to be in the DNS, but if it's not, that makes it stick out like a sore thumb. Passive DNS on the server's IP address will reveal all of the server's names, and probes on those names to get the certs will reveal which names are in which cluster, so all SNI reveals is which names are the cover names. Regards, John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail. https://jl.ly ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Proposal for a new record type: SNI
On Fri, Feb 17, 2017 at 9:47 PM, John R Levine wrote: > 1. Multiple domains on the same host set the same SNI record. Possession >> of a global DNS database is no help to the adversary. The adversary still >> cannot distinguish the domains. This is the intended use. >> > > Now I'm really confused. If the SNI value is just a cover name, and the > client's going to send the real name later, why not just pick a fixed > impossible cover name like SNI.INVALID and skip the SNI lookup? > In that case, one would simply omit the SNI, since it is optional. The draft specifies that an empty RDATA instructs the client to omit the SNI. Currently, most TLS servers do not require SNI at all, so this will often work ... but there's no way for the client to know ahead of time if it's safe to omit, so the clients always include it. The reason to allow non-empty RDATA is to support servers that serve multiple multi-domain certificates from a single IP address, dispatched by SNI. This is common on CDNs and other large internet serving systems. > Presumably if this became at all popular, everyone will send SNI.INVALID > so it wouldn't leak anything interesting. > > Regards, > John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY > Please consider the environment before reading this e-mail. https://jl.ly > smime.p7s Description: S/MIME Cryptographic Signature ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Proposal for a new record type: SNI
1. Multiple domains on the same host set the same SNI record. Possession of a global DNS database is no help to the adversary. The adversary still cannot distinguish the domains. This is the intended use. Now I'm really confused. If the SNI value is just a cover name, and the client's going to send the real name later, why not just pick a fixed impossible cover name like SNI.INVALID and skip the SNI lookup? Presumably if this became at all popular, everyone will send SNI.INVALID so it wouldn't leak anything interesting. Regards, John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail. https://jl.ly ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Proposal for a new record type: SNI
I wrote a similar draft a few years ago which I've been considering resurrecting if there is interest: https://tools.ietf.org/html/draft-nygren-service-bindings-00 One of the big challenges that at least in the web context, browsers want to make as few DNS lookups as possible prior to making HTTP requests. (For example, some home gateways choke if too many requests are outstanding.) Having to lookup both A and is already a problem. So if we're going to add something, ideally we'd add something that was extensible that could be used for multiple purposes. For this case, the result could be something like: _https._b.www.example.com IN B 2 0 www.example.com. { "alpn": "h2", "tls-sni": "SOME_TOKEN", "hsts": true } _https._b.www.example.com IN B 1 0 www-alt.example.com. { "alpn": "quic352", "tp": 443, "tls-sni": "SOME_OTHER_TOKEN", "hsts": true } By adding this one single lookup, you both get to specify an alternate SNI, be able to force HTTPS-only, and specify Alternative Services (ala rfc7838 but allowing it to be done in DNS). Having an extensible model here also increases the value of a client doing the lookup as once the records exist other optional attributes can be added in. (Ignore the specific key/value pair examples in that expired I-D. They made more sense when some other things were being considered.) Based on our extensive discussions in the TLS WG over the past few years, introducing something like this into the DNS to indicate an alternate SNI value (which might be one shared with many other hostnames) or telling the client not to send an SNI value seemed to be one of the best ways to help with the SNI privacy problems, at least once there is a DNS privacy path. For example, for a cert like *.example.com (perhaps with lots of other SANs as well) there is no reason the client needs to send " something-potentially-private.example.com" when sending an SNI value of "wildcard.example.com" would do just fine. The TLS handshake is too late to learn this, but if we could move it into the DNS then clients could learn it (and potentially other useful info) before connecting. [I added DKG as he was a strong advocate of doing something in this space for signalling TLS SNI omission, alteration, or aliasing in DNS records.] Erik On Fri, Feb 17, 2017 at 3:49 PM, Ben Schwartz wrote: > Thanks for the input everyone! Here's an updated version with some > clarifications based on your feedback: > https://tools.ietf.org/html/draft-schwartz-dns-sni-02 > > Diff: > https://www.ietf.org/rfcdiff?url1=draft-schwartz-dns-sni- > 01&url2=draft-schwartz-dns-sni-02 > > I know this approach is controversial, so I'm also very curious to hear > any suggestions of other ways that we could fix this privacy leak without > slowing down everyone's connections. As a friend put it: if everyone can > see you're reading justinbieber.tumblr.com, "that defeats the whole point > of HTTPS". > > On Tue, Feb 14, 2017 at 1:02 PM, Ben Schwartz wrote: > >> Hi dnsop, >> >> I've written a draft proposal to improve the privacy of TLS connections, >> by letting servers use the DNS to tell clients what SNI to send. >> >> https://tools.ietf.org/html/draft-schwartz-dns-sni-01 >> >> I've incorporated some helpful feedback [1] from the TLS WG, but now I >> could use your help analyzing the DNS side. All comments welcome; this >> draft will change based on your feedback. >> >> One particular issue that I could use advice on: should this be a new >> record type, or should it reuse/repurpose an existing type like SRV or PTR? >> >> Thanks, >> Ben >> >> [1] https://www.ietf.org/mail-archive/web/tls/current/msg22353.html >> > > > ___ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop > > ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Proposal for a new record type: SNI
In article you write: >I know this approach is controversial, so I'm also very curious to hear any >suggestions of other ways that we could fix this privacy leak without >slowing down everyone's connections. I have problems with the word "other". This approach depends for its security on the assumption that it is hard to reverse SNI record lookups, that is, to find the qname(s) that have SNI records with given contents. That is a poor assumption. There are many large passive DNS databases, and a lot of people have access to them. My working assumption is that anyone sophisticated enough to peek at TLS handshake packets is sophisticated enough to find a passive DNS source. So to me the question is whether the small speculative incremental increase in user security is worth the investment to define a new record type, add it to DNS servers and provisioning systems, add it to web server configuration languages, and set up whatever infrastructure is needed to coordinate the published SNI records and what the web servers expect. I'd also note that if the assumption is that people will publish SNI records through the usual registrar and dns hosting operators managed through web consoles, there is no chance that the webware will support SNI records. We know this because they don't support any other RRTYPEs defined in the past decade, either. R's, John ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Proposal for a new record type: SNI
>I'm /s/ not a TLS person, but I think that this was discussed in >the TLS WG and didn't make it into the final spec -- it requires (at >least) an additional RTT. You do get SNI encryption with Zero-RTT, but >it's too later by then... >Some slideware: https://www.ietf.org/proceedings/94/slides/slides-94-tls-8.pdf >The DNS SNI lookup could at least be done in parallel with the >"normal" DNS one (and, possibly returned in a >draft-wkumari-dnsop-multiple-responses answer :-)) To put it baldly, if it is a problem that SNI leaks, the solution is to fix SNI. This is not a solution, it is at most a band-aid that will deter a subset of unsophisticated snoops while adding useless complexity to https. For example, what are users supposed to do when the SNI DNS records and the SNI mapping in the servers inevitably get out of sync? "But fixing SNI is hard" isn't a good reason to do this. I understand that adding an extra round trip to the handshake would be a problem, but I am a long way from believing that's the only way to fix SNI. R's, John ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Proposal for a new record type: SNI
presuming that the client will have to look up the hostname of the destination at some stage, and presuming that a passive network attacker may see DNS requests as well as TCP connections, how does this help? Or does this require the use of DNS over TLS. And also there will be leakage of certificate IDs in OCSP lookups which cannot be secured due to the paradox that would create. An attacker could mine sites for cert IDs and do a reverse mapping from that. Adrien -- Original Message -- From: "Ben Schwartz" To: "Robert Edmonds" Cc: "dnsop@ietf.org" Sent: 15/02/2017 9:03:09 AM Subject: Re: [DNSOP] Proposal for a new record type: SNI On Tue, Feb 14, 2017 at 2:16 PM, Robert Edmonds wrote: Ben Schwartz wrote: > Hi dnsop, > > I've written a draft proposal to improve the privacy of TLS connections, by > letting servers use the DNS to tell clients what SNI to send. > > https://tools.ietf.org/html/draft-schwartz-dns-sni-01 <https://tools.ietf.org/html/draft-schwartz-dns-sni-01> > > I've incorporated some helpful feedback [1] from the TLS WG, but now I > could use your help analyzing the DNS side. All comments welcome; this > draft will change based on your feedback. > > One particular issue that I could use advice on: should this be a new > record type, or should it reuse/repurpose an existing type like SRV or PTR? > > Thanks, > Ben > > [1] https://www.ietf.org/mail-archive/web/tls/current/msg22353.html <https://www.ietf.org/mail-archive/web/tls/current/msg22353.html> Hi, Ben: I'm kind of curious: your examples are pretty HTTP-centric, and HTTP already has some pretty strong features for origins to persistently modify how clients perform TLS, i.e., HTTP Strict Transport Security and HTTP Public Key Pinning, along with preloading of those settings by the browser vendors. Why not follow that same model for the functionality in your draft? -- Robert Edmonds Hi Robert, While this technique would apply to any use of TLS, you're right that I'm mainly motivated by improvements for HTTPS. It's true, we could accomplish something like this by preloading a data file into browsers. In some sense, this is also true for any aspect of DNS! Obviously, preloading fares very badly when the data in question is valid for short times, or applies to many thousands or millions of domains, and I think both problems apply here. For example, a CDN that operates DNS on behalf of its customers could apply SNI records to all of their domains. Preloading all of those domains into every browser seems impractical, and the list will quickly become outdated. Without preloading, we cannot solve the problem of revealing the destination in the initial connection. I would also note that HSTS and HPKP could not have been implemented using insecure DNS, given their adversary model. The SNI record is very different, and does not require DNSSEC. --Ben___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Proposal for a new record type: SNI
On Tue, Feb 14, 2017 at 5:14 PM, John Levine wrote: > In article you write: >>This seems like a bandaid to TLS that I think just needs >>fixing in the TLS protocol. > > For once I agree with Paul. > > If you're going to change the client anyway, why is this better than a > modified handshake that sets up the encrypted channel before sending > the SNI? I realize this is not a great time to open up TLS, with the > dust from TLS 1.3 just settling, but there's never a good time for > some stuff. I'm /s/ not a TLS person, but I think that this was discussed in the TLS WG and didn't make it into the final spec -- it requires (at least) an additional RTT. You do get SNI encryption with Zero-RTT, but it's too later by then... Some slideware: https://www.ietf.org/proceedings/94/slides/slides-94-tls-8.pdf The DNS SNI lookup could at least be done in parallel with the "normal" DNS one (and, possibly returned in a draft-wkumari-dnsop-multiple-responses answer :-)) > > You should assume that bad guys have access to passive DNS databases, > so it's not hard to reverse the indirection that SNI records provide. Yup. I believe that much of the privacy benefit is gained if you happen to host your site on the same domain / IP as many other sites. Unfortunately this is true not just for domain fronting / this technique, but for many other situations -- it doesn't matter how well the SNI is hidden, if you connect to an IP address which only hosts a small number of sites (or sites all on the same topic) you've lost. An example of this is aa.org - the only other site on that IP is www.alcoholicsanonymous.org - if you had an expectation of privacy, it probably doesn't matter which one of the two names you went to... > If you used TXT records the reversal would be slightly harder, since > you'd have to pick them out from all the other cruft that's encoded > in _prefix TXT records. H... are you suggesting we make TXT records cruftier to increase privacy? :-) W > > R's, > John > > ___ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Proposal for a new record type: SNI
In article <20170214203924.5c4v6l5b3bjip...@mycre.ws> you write: > We could encode this information in a TXT record, but that would > violate the intended purpose of TXT records: to convey information to > human readers. > >I'm not sure if it's true that TXT records are intended only for human >consumption. TXT RRs contain "descriptive text" where "[t]he semantics >of the text depends on the domain where it is found". That horse left the barn at least a decade ago, before SPF, DKIM, DMARC, and a lot of other TXT records primarily intended to be consumed by computers. Humans can read them, but this human can't do much with records like this: taugh.com. IN TXT "google-site-verification=7SCAvuZtE7dOCpG0drHDEBOqco9JnPzFUIUBSgU3eWc" Whether to use a TXT record is of course a subsidiary question to whether DNS SNI indirection is a good idea in the first place. R's, John ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Proposal for a new record type: SNI
In article you write: >This seems like a bandaid to TLS that I think just needs >fixing in the TLS protocol. For once I agree with Paul. If you're going to change the client anyway, why is this better than a modified handshake that sets up the encrypted channel before sending the SNI? I realize this is not a great time to open up TLS, with the dust from TLS 1.3 just settling, but there's never a good time for some stuff. You should assume that bad guys have access to passive DNS databases, so it's not hard to reverse the indirection that SNI records provide. If you used TXT records the reversal would be slightly harder, since you'd have to pick them out from all the other cruft that's encoded in _prefix TXT records. R's, John ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Proposal for a new record type: SNI
Hi, Ben: In your draft, the reason for not using TXT is given as: 2.1.3. Using TXT We could encode this information in a TXT record, but that would violate the intended purpose of TXT records: to convey information to human readers. I'm not sure if it's true that TXT records are intended only for human consumption. TXT RRs contain "descriptive text" where "[t]he semantics of the text depends on the domain where it is found". If you define "where the domain is found" as, e.g., domains like _443._tcp._sni.www.example.com, then you get to define the semantics of what is described by the TXT record at that location. I think DKIM is an example of a protocol that uses this kind of scheme with TXT records. -- Robert Edmonds ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Proposal for a new record type: SNI
> On Feb 14, 2017, at 10:02 AM, Ben Schwartz wrote: > > Hi dnsop, > > I've written a draft proposal to improve the privacy of TLS connections, by > letting servers use the DNS to tell clients what SNI to send. > Hi Ben, >_443._tcp.subdomain1.example.com. IN SNI subdomain2.example.com As I read this part I was assuming that the RDATA of the SNI record is an RFC 1035 and the lack of a trailing dot made me twitch a little bit. It seems to me that you need to decide what the format of the RDATA will be. Throughout most of the doc it looks like a , but in other places it sounds like an opaque string (particularly the paragraph about extensibility). >When initiating a TLS connection to a domain and port, a client >application SHOULD query the SNI record for the prefixed domain at >the same time as the A or query, and wait for a response before >initiating TLS. In the Introduction you said "Clients can make use of this record without adding delay to their connection process" but here the instruction is to wait. How long should a client wait for a response to its SNI query? Oh, I see later you wrote: A client application SHOULD NOT delay initiating a TCP connection while waiting for the SNI DNS response. >The application MUST discard or ignore any SNI >record whose RDATA is not a well-formed domain name or an empty >string. This might need more clarification. Here's a place where the RDATA sounds very much like . But then the empty label "." becomes particularly tricky here because, arguably, a can never be an empty string. >If >the selected SNI record is present with an empty RDATA (RLENGTH = 0), >then the client SHOULD omit the Server Name Indication. Again, advice here will depend on what you choose for the RDATA format. If its then you can't really have RDLEN=0. >Client applications MUST NOT allow the contents of the SNI record to >influence their certificate validation behavior. The client's >certificate validation MUST be based on the user's specified >destination, not the RDATA of the SNI DNS record. Given this, it sounds like there is no real reason that the SNI value needs to be a domain name. It could be something else, like an opaque string or an RFC4122 UUID? I think this doc also needs a privacy considerations that talks about ways it could be abused by server operators. For example, I think it could be used as a component of a so-called super cookie. Each client could get a unique SNI from the DNS server, allowing the web site to track individuals. While you may be improving privacy with respect to passive attackers, it can reduce privacy between web clients and servers. DW ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Proposal for a new record type: SNI
On Tue, 14 Feb 2017, Ben Schwartz wrote: I've written a draft proposal to improve the privacy of TLS connections, by letting servers use the DNS to tell clients what SNI to send. https://tools.ietf.org/html/draft-schwartz-dns-sni-01 I've incorporated some helpful feedback [1] from the TLS WG, but now I could use your help analyzing the DNS side. All comments welcome; this draft will change based on your feedback. This seems like a bandaid to TLS that I think just needs fixing in the TLS protocol. If I was a passive attacker logging lots of traffic, I would just query the SNI's of all major sites (and/or any other A/ records I encounter while monitoring the traffic streams) so the protection this offers is lost very quickly. I don't think the additional TLS to DNS "ephemeral SNI" synchronisation is worth the trouble. It would make more sense to have the TLS client take the hit of some additional roundtrip to the server to convey this privately after the EDH. Also, it would make more sense to actually use the TLS server PUBKEY for this, if the server uses the same pubkey for a lot of certificates or SubjectAltNames. It is just as meaningless to the observer as an ephemeral SNI, but now the TLS server can select the proper key if it is configured with multiple different keypairs. Paul ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Proposal for a new record type: SNI
Ben Schwartz wrote: > Hi dnsop, > > I've written a draft proposal to improve the privacy of TLS connections, by > letting servers use the DNS to tell clients what SNI to send. > > https://tools.ietf.org/html/draft-schwartz-dns-sni-01 > > I've incorporated some helpful feedback [1] from the TLS WG, but now I > could use your help analyzing the DNS side. All comments welcome; this > draft will change based on your feedback. > > One particular issue that I could use advice on: should this be a new > record type, or should it reuse/repurpose an existing type like SRV or PTR? > > Thanks, > Ben > > [1] https://www.ietf.org/mail-archive/web/tls/current/msg22353.html Hi, Ben: I'm kind of curious: your examples are pretty HTTP-centric, and HTTP already has some pretty strong features for origins to persistently modify how clients perform TLS, i.e., HTTP Strict Transport Security and HTTP Public Key Pinning, along with preloading of those settings by the browser vendors. Why not follow that same model for the functionality in your draft? -- Robert Edmonds ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop