Re: [Add] ddr - SPKI question and comment on SNI section
Tommy Pauly <tpauly@apple.com> Fri, 10 June 2022 18:51 UTC
Return-Path: <tpauly@apple.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4728DC14CF14 for <add@ietfa.amsl.com>; Fri, 10 Jun 2022 11:51:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.854
X-Spam-Level:
X-Spam-Status: No, score=-2.854 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.745, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rn0jihHjmXCL for <add@ietfa.amsl.com>; Fri, 10 Jun 2022 11:51:40 -0700 (PDT)
Received: from ma1-aaemail-dr-lapp03.apple.com (ma1-aaemail-dr-lapp03.apple.com [17.171.2.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D5F7C14CF09 for <add@ietf.org>; Fri, 10 Jun 2022 11:51:40 -0700 (PDT)
Received: from pps.filterd (ma1-aaemail-dr-lapp03.apple.com [127.0.0.1]) by ma1-aaemail-dr-lapp03.apple.com (8.16.0.42/8.16.0.42) with SMTP id 25AIdC9q018243; Fri, 10 Jun 2022 11:51:37 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=BxczoaPILBYJkGZmmtOamhcbhCQ1rR8W/seLUutZUvo=; b=gLsOqTMFKImck8V6jzGO92X3CaLDOJA44r8YTLHK4zAb0TDj/Dc9L3puPf1Gd/DwMpbG JHATCMc3ClN/7bvbetcOpP0+5tSnpB+AuL74D/z75I3qK7ZWyDf6fDzJa5QnYhGxkB3T utSui87OQcUxHrdGyGHbj3t1fraWoSAIEE2FSXoSQ4qYJ+A0pE33QaWdHjpj2CPZL8V1 8u8Lreh/Jx62KZ2cxaGkQZohkgEteXgs2uEHEhrGXNAsgylEhzAO1Yf9vflbh6DvTUde B80qqwzx5yIghVvwN3kgRHccAr8aK/oJZmPbjMdck6sgIcozVNeUwiQb5RY8fVGVupkc zA==
Received: from rn-mailsvcp-mta-lapp02.rno.apple.com (rn-mailsvcp-mta-lapp02.rno.apple.com [10.225.203.150]) by ma1-aaemail-dr-lapp03.apple.com with ESMTP id 3gg6cxehu1-9 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Fri, 10 Jun 2022 11:51:37 -0700
Received: from rn-mailsvcp-mmp-lapp03.rno.apple.com (rn-mailsvcp-mmp-lapp03.rno.apple.com [17.179.253.16]) by rn-mailsvcp-mta-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.18.20220407 64bit (built Apr 7 2022)) with ESMTPS id <0RD9002EBZ20L220@rn-mailsvcp-mta-lapp02.rno.apple.com>; Fri, 10 Jun 2022 11:51:36 -0700 (PDT)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp03.rno.apple.com by rn-mailsvcp-mmp-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.18.20220407 64bit (built Apr 7 2022)) id <0RD900D00YSVOO00@rn-mailsvcp-mmp-lapp03.rno.apple.com>; Fri, 10 Jun 2022 11:51:36 -0700 (PDT)
X-Va-A:
X-Va-T-CD: 07f155a49924e9797243596ea8efbbc8
X-Va-E-CD: 863bccfd4f3b88182041ade6d551090d
X-Va-R-CD: 9e113ea898a42a24e68525b1d35fc3de
X-Va-CD: 0
X-Va-ID: ddfc6a08-be68-4a5d-a7ce-70a259cf4991
X-V-A:
X-V-T-CD: 07f155a49924e9797243596ea8efbbc8
X-V-E-CD: 863bccfd4f3b88182041ade6d551090d
X-V-R-CD: 9e113ea898a42a24e68525b1d35fc3de
X-V-CD: 0
X-V-ID: ce805052-8f1b-497e-bdf3-3c7ab8179ecd
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.517, 18.0.874 definitions=2022-06-10_07:2022-06-09, 2022-06-10 signatures=0
Received: from smtpclient.apple (unknown [17.234.120.149]) by rn-mailsvcp-mmp-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.18.20220407 64bit (built Apr 7 2022)) with ESMTPSA id <0RD9002E6Z20X100@rn-mailsvcp-mmp-lapp03.rno.apple.com>; Fri, 10 Jun 2022 11:51:36 -0700 (PDT)
From: Tommy Pauly <tpauly@apple.com>
Message-id: <9733E069-CCD3-4E07-812E-B603819DD71E@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_03EE34A5-6142-4372-B4FD-48F58F0EF043"
MIME-version: 1.0 (Mac OS X Mail 16.0 \(3720.0.4.1.4\))
Date: Fri, 10 Jun 2022 11:51:35 -0700
In-reply-to: <CADZyTknbTihDjB715fqoyLueFHF-CwM5YjHghZwXQNpagyEMKw@mail.gmail.com>
Cc: ADD Mailing list <add@ietf.org>
To: Daniel Migault <mglt.ietf@gmail.com>
References: <CADZyTknbTihDjB715fqoyLueFHF-CwM5YjHghZwXQNpagyEMKw@mail.gmail.com>
X-Mailer: Apple Mail (2.3720.0.4.1.4)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.517, 18.0.874 definitions=2022-06-10_07:2022-06-09, 2022-06-10 signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/7QaW7k7qczjFpVPbA-FyghCmTA8>
Subject: Re: [Add] ddr - SPKI question and comment on SNI section
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jun 2022 18:51:44 -0000
Hi Daniel, > On Jun 10, 2022, at 9:12 AM, Daniel Migault <mglt.ietf@gmail.com> wrote: > > Hi, > > We are considering different ways to configure DoE clients. > > RFC 7858 indicates the use of SPKI Fingerprints in an analogous manner to that described in RFC7469. I am wondering if anyone is aware of implementation considering SPKI Fingerprints for or if such usage is not something we would like to deprecate. > > Additionally, I was wondering how DoE can be performed without an hostname and its associated SNI and went through 6.3. What does “DoE” refer to in this context? > > 6.3. Server Name Handling > > """ > When performing discovery using resolver IP addresses, clients MUST use the IP address as the URI host for DoH requests. > """ > The text can be read as when ddr is performed as described in section 4, DoH > request place the IP address in the URI. > I think the text is willing to say when ddr requests are performed using DoH, > but once ddr is done, the hostname provided by ddr must be placed in the URI, but I think that could be clarified. It says that if you use the mechanism with resolver.arpa, as defined in Section 4, your DoH URI needs to use the IP address as the hostname. If, on the other hand, you use the discovery by name in Section 5 (which doesn’t say what transport you use, it’s just a case where you are configured with a resolver name instead of an address), this requirement doesn’t apply or make sense. > > > """ > Note that since IP addresses are not supported by default in the TLS SNI, > resolvers that support discovery using IP addresses will need to be configured > to present the appropriate TLS certificate when no SNI is present for both DoT > and DoH. > """ > > I am wondering what "will need" means MUST or SHOULD ? It’s a statement of fact for how certificates work, not trying to add extra normative language. We could make this a MUST, but I don’t think that is necessary here. > > As I see it, SNI causes an issue for client only configured with an IP address when they are willing to perform DDR over an encrypted DNS. In this later case, it seems that a user that checks if the IP supports DoE to discover the assigned DoE seems a bit like an opportunistic (pre)-discovery - obviously different from section 4.3. Discovery in DDR, in either method, assumes you are starting with some DNS configuration that you are willing to use. This is unencrypted or encrypted — that doesn’t matter. You can certainly send DDR queries over an encrypted resolver, but those aren’t about validating that you can use that encrypted resolver — you should only send those if you already trust that encrypted resolver. Instead, they would be done to discover alternative protocols, or to look up designated resolvers for other resolver names. > In addition, when the TLS session can be established, there is no obvious rea > sons to proceed further to ddr. Again, it’s not about bootstrapping its own connection. > The way I perceive the section on SNI is to provide some recommendations on the resolver side to handle more possible scenario. It might also be good to add the client perspective and recommend that clients be configured with the host name to increase the chance of a working SNI - and this extension should be enabled by the client. The section on SNI is just clarifying that you can’t use an IP address as an SNI, and that you shouldn’t try to use resolver.arpa if you used that to discover, but instead leave off the SNI. > > There are cases where multiple unencrypted DNS resolvers (with different IP addresses) share a designated encrypted DNS. My reading of section 4.2 is that this case is covered properly. I am raising the use case just in case someone sees an issue somewhere. Yes, you could have different unencrypted resolvers all point to the same encrypted DNS server as long as that server has a cert that covers those IP addresses. You could also have one unencrypted resolver point to multiple encrypted resolvers on different IP addresses, as long as each has a cert that covers the unencrypted resolver’s address. Thanks, Tommy > > -- > Daniel Migault > Ericsson > -- > Add mailing list > Add@ietf.org > https://www.ietf.org/mailman/listinfo/add
- [Add] ddr - SPKI question and comment on SNI sect… Daniel Migault
- Re: [Add] ddr - SPKI question and comment on SNI … Tommy Pauly
- Re: [Add] ddr - SPKI question and comment on SNI … Ben Schwartz
- Re: [Add] ddr - SPKI question and comment on SNI … Daniel Migault