I did not receive response to the attacks discussed in https://mailarchive.ietf.org/arch/msg/dnsop/4ubj2D4bzxS1VTsZKzcNqBcWgtM. Listing the attacks and comments for further discussion:
a) Attackers can also host DoH/DoT servers and claim they offer security and privacy policies. How will the stub resolver know the recursive server is not lying?

b) How will the client know the policy statement is issued by a resolver deployed by the network administrator or by an attacker?

c) I don't see any discussion in the draft explaining how the client determines the future DHCP configuration options are coming from a trusted source. If the source cannot be trusted, the endpoint can be configured to use a malicious resolver server, compromising the endpoint's security and privacy, and future DHCP configuration options will not be helpful (DHCP clients typically have no secure and trusted relationships to DHCP servers).

d) What type of DNS information is self-published?

e) What type of decisions will the stub resolver make based on the features advertised by the recursive resolver?

f) What is the need for both a new RRtype and a new well-known URI?

g) Why isn't the information the resolver will publish discussed in this document itself?

h) An on-path attacker can modify the response to return an NXDOMAIN response. How is this attack prevented? It looks like a DNSSEC-validating client is mandatory to detect a fake NXDOMAIN response.

i) If the server certificate cannot be validated, why will the client trust the resolver information provided by a server whose identity cannot be validated?

The draft does not look ready for adoption.

Cheers,
-Tiru

On Fri, 2 Aug 2019 at 20:34, Tim Wicinski <tjw.i...@gmail.com> wrote:
>
> This draft has come up and has had a lot of discussion. Mostly
> positive, some desiring more details on the information
> that could be returned. If the working group adopts the draft,
> this can all be worked out.
>
> This starts a Call for Adoption for draft-sah-resolver-information
>
> The draft is available here:
> https://datatracker.ietf.org/doc/draft-sah-resolver-information/
>
> Please review this draft to see if you think it is suitable for adoption
> by DNSOP, and comments to the list, clearly stating your view.
>
> Please also indicate if you are willing to contribute text, review, etc.
>
> This call for adoption ends: 16 August 2019
>
> Thanks,
> tim wicinski
> DNSOP co-chair
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop