|
|
Subscribe / Log in / New account

A QUIC look at HTTP/3

A QUIC look at HTTP/3

Posted Mar 16, 2020 7:47 UTC (Mon) by josh (subscriber, #17465)
In reply to: A QUIC look at HTTP/3 by pizza
Parent article: A QUIC look at HTTP/3

That's not at all what I mean, no.

I'm asking if anyone has built a scheme similar to Certificate Transparency that requires DNSSEC record changes to be published in an indelible "DNS Transparency" log in order to be considered valid. That way, if a DNS provider *does* attempt to publish a different record for 30 seconds in order to get a certificate issued to them, there's a record of them having done so. Browsers and DNSSEC-enabled resolvers could then slowly transition to requiring such records when resolving domains.

Bonus if the Certificate Transparency logs for domains using DNSSEC start recording the DNS Transparency records received when resolving the domain, as well. Now that we have ACME for automated certificate issuance, imagine if we could require that a certificate also certifies the current DNSSEC record for the domain. Steps like those would make the potential misuse of DNSSEC by a registry or TLD visible, rather than surreptitious.

to post comments

A QUIC look at HTTP/3

Posted Mar 16, 2020 7:48 UTC (Mon) by josh (subscriber, #17465) [Link]

(A quick search suggests that unfortunately, there are at least some folks in the DNS standardization process who don't understand the value provided by Certificate Transparency, and thus don't understand the value proposition that DNS Transparency would provide.)

A QUIC look at HTTP/3

Posted Mar 16, 2020 11:57 UTC (Mon) by pizza (subscriber, #46) [Link] (7 responses)

I don't understand how that is supposed to work, as it still requires that one trusts their DNS providers.

Remember that DNS (and thus, DNSSEC) record changes are driven by the zone owner, and can be done at any time, on a complete routine basis.

How exactly is a third party to know that any given DNS record for example.com changed without constant polling, and more importantly, determine if any given change is malicious or not?

...As for the DNSSEC signing keys for a given zone, sure, the update has to be pushed to the registrar, and that can be recorded in a write-only log somewhere -- But if a malicious registrar changes the signing key, it can also change everything else, including the log it publishes.

At worst, this proposal still better than what we have today -- Hostile actors have to do _more_ to compromise a certificate than the current CA model. Even in the face of malicious resolvers (compromised hostspot or national firewall) it's still a net improvement over the current status quo, which requires explicitly trusting *everyone* to not fraudulently (if not maliciously) issue certificates, in favour of only having to trust the DNS and TLD zone operators.

A QUIC look at HTTP/3

Posted Mar 16, 2020 15:03 UTC (Mon) by josh (subscriber, #17465) [Link] (2 responses)

The DNS Transparency logs would be maintained by a third party, separate from the DNS provider, just as the Certificate Transparency logs are maintained by third parties, separate from the CAs.

The logs would record every record change, or perhaps just every record change of the domain itself if the domain gets to provide its own subdomain records.

And you'd figure out if they're malicious in much the same way you do with CA transparency: if a change occurs that didn't come from the domain owner.

A QUIC look at HTTP/3

Posted Mar 16, 2020 16:23 UTC (Mon) by pizza (subscriber, #46) [Link] (1 responses)

(Let me preface this by saying that I'm not trying to be contrary; I genuinely don't understand the threat model your proposed DNS transparency thingey is meant to protect against)

> The logs would record every record change, or perhaps just every record change of the domain itself if the domain gets to provide its own subdomain records.

So.. you're advocating for a completely parallel system that's independent of the trust model of the existing one?

How is this "DNS transparency" party trustworthy where the existing DNS trust model is not?

Won't this require, in order to be effective, every client resolver to independently push the results of their lookups to this third party? Or download an ever-growing global log? And what's to prevent those from being intercepted?

> And you'd figure out if they're malicious in much the same way you do with CA transparency: if a change occurs that didn't come from the domain owner.

In the CA model, *every CA* is technically capable of issuing a valid certificate for any domain, and publishing the certificate is done by each individual service/server. Under the DNSSEC model, only the domain owner can *publish* a certificate for their domain, meaning there is no longer a distinct "issuance" step. As those third party CA issuers are no longer part of the trust model, there is no longer a need to independently audit them and what they do.

The threat model for DNSSEC is quite different, and requires a different approach -- there are only really three vectors, which I rank in their real-world relevance today:

1) Resolvers
2) Registrars (and TLD/root operators)
3) Zone owners themselves

(CAs already have all three of those threat vectors, and add a fourth)

If the zone owner/operator is compromised, then they can push "legitimate" updates and nobody will ever be the wiser.

Similarly, if the registrar, TLD, or root operator is compromised to the point where they maliciously serve different stuff for short periods of time or to specific users, we're all pretty much screwed as their trustworthiness underpins everything else.

(That said, DNSSEC's trust model only requires you to ultimately trust the root server keys. Those change very infrequently, and can be trivially pinned in client resolvers, not unlike the existing CAcert bundle..)

This leaves only (1) as a serious threat, and one that's actively in use today. DNSSEC was designed to mitigate that. Of course, it's not perfect -- Hostile resolvers just strip out DNSSEC from what they serve to their clients, as there's nothing widely deployed that "requires" DNSSEC as a prerequisite. Meanwhile, anything more elaborate than that (ie serving hostile stuff with valid DNSSEC signatures) would require compromising the client in advance (eg by substituting a different root cert bundle, or disabling use of DNSSEC validation)

(And this "DNS transparency" entity won't do anything to mitigate (1))

A QUIC look at HTTP/3

Posted Mar 17, 2020 8:04 UTC (Tue) by josh (subscriber, #17465) [Link]

See the parallel replies from roc and mjg59, which explain Certificate Transparency in more detail.

A QUIC look at HTTP/3

Posted Mar 16, 2020 20:05 UTC (Mon) by roc (subscriber, #30627) [Link] (3 responses)

Chrome requires that certificates come with signatures proving they have been registered with a trusted Certificate Transparency log. So effectively CT is mandatory if you want general users to connect to your Web site.
https://chromium.googlesource.com/chromium/src/+/master/n...

A QUIC look at HTTP/3

Posted Mar 16, 2020 21:43 UTC (Mon) by pizza (subscriber, #46) [Link] (2 responses)

That's great! I guess it's a good thing my CA automatically does that.

(Which makes me wonder, if someone were to convince my CA to issue a certificate for another domain via fraudulent means, wouldn't that still end up registered/signed with the Transparency log, and thus be considered valid by Chrome?)

Meanwhile, this still doesn't change the fact that this entire class of problem is due to the very loose coupling between independent parts/models -- ie trust, certificate publishing/distribution, and naming. If you tightly couple all three into the same system, one solely controlled by the domain owner, attacks that rely on that loose coupling go away completely.

(If I'm wrong or hopelessly naive here, please show me, preferably using small words, as I'm clearly missing something fundamental..)

Sure, this relies on trusting your domain registrar, the TLD operators, and the root server operators... but CAs already trust DNS to help them determine that you control the domain you say you do. End-users already trust DNS to point at your server before they can even retrieve that Transparency-attested certificate. If we can't trust the core DNS operators, we're already completely, utterly hosed.

A QUIC look at HTTP/3

Posted Mar 17, 2020 0:48 UTC (Tue) by mjg59 (subscriber, #23239) [Link] (1 responses)

> Which makes me wonder, if someone were to convince my CA to issue a certificate for another domain via fraudulent means, wouldn't that still end up registered/signed with the Transparency log, and thus be considered valid by Chrome?

It would, but anyone would be able to spot that that happened. CT doesn't absolutely prevent a malicious CA from doing harm, but it prevents them doing so invisibly.

Logs

Posted Mar 18, 2020 12:44 UTC (Wed) by tialaramex (subscriber, #21167) [Link]

Mmm. This is entirely true if you're Google, and otherwise it's an ambition not a reality because the complete CT system, which closes the loop, remains a work in progress.

If you're Google you're fine because the CT policy actually in place today goes like this: At least one log you use must be Google's. Google built all the early CT logs, and were first to deploy SCT requirements in Chrome, so this isn't a deliberate ploy but it's true anyhow. This gives Google certainty that they know what's up.

But for anybody else the concern then arises, what if Google (and any other logs used) are conspiring against me?

To fix that you need to close the loop. An SCT is only a _promise_ and is not the fact of logging itself. Clients would need to (have somebody on their behalf) check the logs to see that those promises were fulfilled in a timely manner. They also need multi-perspective in order to validate that the log they're shown is the only log that exists. Otherwise log operators can bifurcate the log and show a version with a problem certificate in it to the victim, while showing only logs without that certificate to everybody else.

And this latter work is all unfinished. It's probably fine, but then we said that about a lot of things which once we had CT turned out not to be fine at all. Won't see what you didn't look for, right?

A QUIC look at HTTP/3

Posted Mar 19, 2020 4:11 UTC (Thu) by flussence (guest, #85566) [Link] (1 responses)

After a few minutes thinking about it, it doesn't sound *conceptually* impossible. But it's practically impossible because of the logistics and current architecture. DNS is extremely high-volume, combined with a much higher rate of churn than certificates, and geared for small writes with limited side effects.

Asking any one of the dynamic DNS providers on the net to publish transparency records (or even basic DNSSEC ones for that matter) when they're hosting over a million subdomains isn't going to fly any time soon. Sometimes a 30 second TTL is a legitimate use case.

A QUIC look at HTTP/3

Posted Mar 19, 2020 19:11 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

I would guess that you can set up a CT-like system for the DNSSEC public keys for domains. Something like: "*.somedomain.com -> pubkey".

This way if CIA comes a-knocking to the DNS registrar to impersonate "joe.somedomain.com", they would have to publish a new record with CIA's pubkey.

DNSSEC keys don't change very often, so the rate of change would be manageable.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds