Re: [dane] Behavior in the face of no answer?

Nicholas Weaver <nweaver@icsi.berkeley.edu> Tue, 15 May 2012 16:06 UTC

Return-Path: <nweaver@icsi.berkeley.edu>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CFC221F89AF for <dane@ietfa.amsl.com>; Tue, 15 May 2012 09:06:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.465
X-Spam-Level:
X-Spam-Status: No, score=-2.465 tagged_above=-999 required=5 tests=[AWL=0.134, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6D5CDYk5g6s5 for <dane@ietfa.amsl.com>; Tue, 15 May 2012 09:06:32 -0700 (PDT)
Received: from rock.ICSI.Berkeley.EDU (rock.ICSI.Berkeley.EDU [192.150.186.19]) by ietfa.amsl.com (Postfix) with ESMTP id C693721F8993 for <dane@ietf.org>; Tue, 15 May 2012 09:06:32 -0700 (PDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by rock.ICSI.Berkeley.EDU (Postfix) with ESMTP id 4CAE92C4017; Tue, 15 May 2012 09:06:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ICSI.Berkeley.EDU
Received: from rock.ICSI.Berkeley.EDU ([127.0.0.1]) by localhost (maihub.ICSI.Berkeley.EDU [127.0.0.1]) (amavisd-new, port 10024) with LMTP id liblnUZCYXxt; Tue, 15 May 2012 09:06:32 -0700 (PDT)
Received: from gala.icir.org (gala [192.150.187.49]) (Authenticated sender: nweaver) by rock.ICSI.Berkeley.EDU (Postfix) with ESMTP id 095F82C4002; Tue, 15 May 2012 09:06:32 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: text/plain; charset=us-ascii
From: Nicholas Weaver <nweaver@icsi.berkeley.edu>
In-Reply-To: <20120515155515.GH20521@mail.yitter.info>
Date: Tue, 15 May 2012 09:06:31 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <2C1EFBF9-D29F-4BBA-A003-95BFCF9111E4@icsi.berkeley.edu>
References: <CABcZeBMY26xrfvAx=UsYN2XnuONZ2vPy9tNwHQALudd=yQDvgA@mail.gmail.com> <643D87CD-D01E-47B8-82E5-D3F57D50C80B@vpnc.org> <alpine.LFD.2.02.1205142229552.10990@bofh.nohats.ca> <CABcZeBMS9cJ3m6JwJED7XAqdsF=zbTUUU_o3-opiZvqMyr7mdw@mail.gmail.com> <20120515111318.GZ20521@mail.yitter.info> <CABcZeBNE9jeWejY=bsV6U0v8Ar04mw7ENpHwDEBqniUQdS2WXg@mail.gmail.com> <20120515145506.GC20521@mail.yitter.info> <20120515155515.GH20521@mail.yitter.info>
To: Andrew Sullivan <ajs@anvilwalrusden.com>
X-Mailer: Apple Mail (2.1257)
Cc: dane@ietf.org
Subject: Re: [dane] Behavior in the face of no answer?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 May 2012 16:06:33 -0000

On May 15, 2012, at 8:55 AM, Andrew Sullivan wrote:
> I am currently calling these cases "constraint assertions in the DNS"
> because I don't have a nicer name.  I think those calling for funny
> handling of normal DNS conditions like error messages have identified
> a fundamental need in constraint-assertion cases, because if one
> cannot receive a message about the existence of such a constraint
> assertion, one has a problem.  
> 
> This doesn't leave me more certain of what to say in the draft, but at
> least I have a clearer idea of what's at issue.  Does anyone else
> think this way of thinking about the difference is helpful?


Yes.  

It say either "Hard Failure" or "Annoy the @#)(*#@ User Failure" on inability to fetch a proper DNSSEC validating record when one is expected.


Because the TLS system in practice already has a constraint system, Certificate Revocation Lists, which say "Despite the certificate being valid, don't use these certificates".  The CRL check is a "fail open" (proceed if unable to contact the CRL server), its now viewed as useless and is being discontinued at least in Chrome, and I'd expect other browsers to follow suit.


Since the existing "add constraint" system is now considered useless because of the "fail open" nature, any new constraint system MUST be either "fail closed" or "fail annoying" if it can't get the necessary records from DNS.