Re: [dane] New version of tls-dnssec-chain draft (-02)
ietf-dane@dukhovni.org Fri, 11 December 2015 04:41 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A6381A6F49 for <dane@ietfa.amsl.com>; Thu, 10 Dec 2015 20:41:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CZuGhmMTaWrH for <dane@ietfa.amsl.com>; Thu, 10 Dec 2015 20:41:19 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 704971A6F41 for <dane@ietf.org>; Thu, 10 Dec 2015 20:41:19 -0800 (PST)
Received: from vpro.lan (cpe-74-71-8-253.nyc.res.rr.com [74.71.8.253]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mournblade.imrryr.org (Postfix) with ESMTPSA id 2A615283E83; Fri, 11 Dec 2015 04:41:18 +0000 (UTC) (envelope-from ietf-dane@dukhovni.org)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: ietf-dane@dukhovni.org
In-Reply-To: <CAHPuVdUh9rW=TT-+pjLha753VTUqc3Yjgz10dK9Xapxm3wtOCg@mail.gmail.com>
Date: Thu, 10 Dec 2015 23:25:07 -0500
Content-Transfer-Encoding: 7bit
Message-Id: <23F61F03-764D-4138-9FEF-3A99820C0278@dukhovni.org>
References: <CAHPuVdXgCHb4UfXi3smFOsQxN8nRSzd2c17xr_TOF=snSBHVJg@mail.gmail.com> <20151109045334.GU18315@mournblade.imrryr.org> <CAHPuVdU4dVYrcw93arL3_274WQDd+yUK7oCfdZEy8MiQFVTT7Q@mail.gmail.com> <20151128070913.GJ18315@mournblade.imrryr.org> <CAHPuVdUh9rW=TT-+pjLha753VTUqc3Yjgz10dK9Xapxm3wtOCg@mail.gmail.com>
To: Shumon Huque <shuque@gmail.com>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/1i-LMT-6O86iWLDmKEBOZjQEq6I>
Cc: dane@ietf.org
Subject: Re: [dane] New version of tls-dnssec-chain draft (-02)
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Dec 2015 04:41:21 -0000
> On Dec 10, 2015, at 9:05 PM, Shumon Huque <shuque@gmail.com> wrote: > > > Which brings us back to the message format, if it is just a stream > > of RRsets (rather than a stream of DNS messages), what binds the > > NSEC/NSEC3 records to the associated wildcard response? > > > > ; ANSWER: > > ; *._tcp.example.com IN CNAME _dane.example.com. > > _25._tcp.example.com. IN CNAME _dane.example.com. > > _dane.example.com. IN TLSA 3 1 1 ... > > ; AUTHORITY > > ; This, or equivalent NSEC3 record > > *._tcp.example.com. IN NSEC example.com. CNAME > > > > In what order should these RRsets appear? How are the NSEC (or > > worse NSEC3) records to be associated with the wildcard (first) > > answer in a stream of records that is not broken down into the > > usual query/answer/authority/additional format if they are not > > explicitly grouped with the packet in question? (Broader search > > for suitable NSEC3 records across all the returned RRsets?) > > For the current 'ordered RRset' version of this spec, the wildcard > case is underspecified. The simplest thing would be to specify that > the NSEC/NSEC3 record (and associated RRSIG) appears right after the > wildcard TLSA record. > > Note that there is a semantic mismatch between DNS wildcards and > wildcards in X.509 certificate DNS names - the X.509 wildcard > covers all possible names, whereas the DNS wildcard covers all names > except those explicitly named in the zone. Some one possible > simplification would be to say that for wildcard TLSA records this > TLS extension only supports the X.509 wildcard semantics, and > exclude the NSEC records. This would require 'tweaking' the DNSSEC > validation algorithm to not perform the 'no closer match' proof > for wildcard records. I might actually be leaning in this direction > now to keep things simple. Doing incorrect validation of DNSSEC wildcards is not a good idea. These are defaults, that are quite deliberately inapplicable in the presence of real records. If a user has a specific TLSA record for port 443, and a different wildcard covering other ports, attackers MUST NOT be able to substitute the wildcard TLSA RRset for the more specific one for port 443. Do not confuse these with the X.509 wildcards. The authority (NSEC/NSEC3) records that provide closest-encloser proofs are not optional. -- Viktor.
- [dane] New version of tls-dnssec-chain draft (-02) Shumon Huque
- Re: [dane] New version of tls-dnssec-chain draft … Viktor Dukhovni
- Re: [dane] New version of tls-dnssec-chain draft … Viktor Dukhovni
- Re: [dane] New version of tls-dnssec-chain draft … Shumon Huque
- Re: [dane] New version of tls-dnssec-chain draft … Shumon Huque
- Re: [dane] New version of tls-dnssec-chain draft … Viktor Dukhovni
- Re: [dane] New version of tls-dnssec-chain draft … Shumon Huque
- Re: [dane] New version of tls-dnssec-chain draft … ietf-dane
- Re: [dane] New version of tls-dnssec-chain draft … Shumon Huque
- Re: [dane] New version of tls-dnssec-chain draft … Viktor Dukhovni