[dane] WGLC: DANE-SRV (Terminology and "SRV Query" feedback)
Viktor Dukhovni <ietf-dane@dukhovni.org> Sat, 06 December 2014 23:20 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C99C11A1B68 for <dane@ietfa.amsl.com>; Sat, 6 Dec 2014 15:20:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qwMRAi4jH5YI for <dane@ietfa.amsl.com>; Sat, 6 Dec 2014 15:20:57 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1ADE31A1B5B for <dane@ietf.org>; Sat, 6 Dec 2014 15:20:56 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id C46CD282BC4; Sat, 6 Dec 2014 23:20:54 +0000 (UTC)
Date: Sat, 06 Dec 2014 23:20:54 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20141206232054.GI285@mournblade.imrryr.org>
References: <20141201013357.GF285@mournblade.imrryr.org> <547BC8F9.1070605@andyet.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <547BC8F9.1070605@andyet.net>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/4eWSqxwE1cCeX3CAxflOLqwX3KE
Subject: [dane] WGLC: DANE-SRV (Terminology and "SRV Query" feedback)
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Dec 2014 23:21:00 -0000
On Sun, Nov 30, 2014 at 06:48:41PM -0700, Peter Saint-Andre - &yet wrote: [ I'm splitting it into a few messages to keep it manageable, and in any case some of my comments are still pencil marks on a print-out, not yet transcribed. ] This message covers sections 2 ("Terminology") and 3.1 ("SRV Query"). General comment (copied verbatim from abstract and introduction feedback): The draft frequently talks about "hostnames", where what is really meant is a transport endpoint (port, transport protocol, host). With PKIX-EE or DANE-EE certificate usages, TLSA records are more precise than the Web PKI and can associate different, non-interchangeable key material with distinct services on a single host. So in many places I will be suggesting replacing statements about "hostnames" with statements about "transport endpoints". 2. Terminology: General comment, this section is a bit too short I think. More terms should perhaps be defined. I will propose a not necessarily comprehensive list. Add a suitable definition of "transport endpoint" (or some other name if the imprecision noted below is objectionable): Transport Endpoint: In this document, a triple which combines * A DNS hostname which abstracts a set of IPv4 and/or IPv6 addresses. * A transport protocol (TCP or UDP) * A port number which specifies a TCP or UDP service deployed at the addresses associated with the hostname. DANE TLSA records associate key material with transport endpoints. Because this definition of a transport endpoint uses a hostname and not a network address, strictly speaking what we have is an indirect reference to a set of related TCP or UDP endpoints. Likely a good idea to paste in some relevant definitions from the SRV RFCs (e.g. "service domain"). Section 3.1 "SRV Query" first paragraph, bottom of page 3/top of page 4 (refine the words "helpful summary"): OLD: <t>When the client makes an SRV query, a successful result will typically be a list of one or more SRV records (or possibly a chain of CNAME / DNAME aliases leading to such a list). Implementers need to be aware that unsuccessful results can occur because of various DNS-related errors; a helpful summary can be found in section 2.1 of <xref target="I-D.ietf-dane-smtp-with-dane"/>.</t> New: <t>When the client makes an SRV query, a successful result will typically be a list of one or more SRV records (or possibly a chain of CNAME / DNAME aliases leading to such a list). Implementers need to be aware that unsuccessful results can occur because of various DNS-related errors; guidance on avoiding downgrade attacks can be found in section 2.1 of <xref target="I-D.ietf-dane-smtp-with-dane"/>.</t> Next paragraph (since the terminology section claims definitions of "secure", ... from 4035, quote from 4035, not 4033). Be more precise about aliases. I think the text about the AD bit is should either be deleted or expanded (a lot), the application may be doing its own validation, and the AD is the irrelevant, or some discussion is needed about when AD-bits might be trustworthy. OLD: <t>For this specification to apply, the entire DNS RRset that is returned MUST be "secure" according to DNSSSEC validation (<xref target="RFC4033"/> section 5). In the case of aliases, the whole chain of CNAME and DNAME RRsets MUST be secure as well. This corresponds to the AD bit being set in the response(s); see <xref target="RFC4035"/> section 3.2.3.</t> NEW: <t>For this specification to apply, the entire DNS RRset that is returned MUST be "secure" according to DNSSSEC validation (<xref target="RFC4035"/> section 4.3). In case the answer is obtained via a chain of CNAME and/or DNAME aliases, the whole chain of CNAME and DNAME RRsets MUST also be secure. Next paragraph (number 3 of section 3.1) Again drop AD-bit discussion and improve wording. OLD: <t>If the the entire RRset is "insecure", this protocol has not been correctly deployed. The client SHOULD fall back to its non-DNSSEC, non-DANE behavior (this corresponds to the AD bit being unset). If the entire RRset is "bogus", the client MUST abort the attempt.</t> NEW: <t>If the lookup result is "insecure", this protocol does not apply. The client SHOULD fall back to its non-DNSSEC, non-DANE behavior. If the SRV lookup fails (including the case that the RRset is "bogus"), the client MUST abort its to contact the desired service. </t> Next (number 4 of section 3.1) SRV lookup returns candidate "Transport endpoints", not hostnames, mention requirement for secure CNAME/DNAME indirection once more. OLD: <t>In the successful case, the client now has an authentic list of target server host names with weight and priority values. It performs server ordering and selection using the weight and priority values without regard to the presence or absence of DNSSEC or TLSA records. It also takes note of the DNSSEC validation status of the SRV response for use when checking certificate names (see <xref target="tls"/>). The client can now proceed to making address queries on the target server host names as described in the next section.</t> NEW: <t>When the lookup returns a "secure" RRset, perhaps via a chain of "secure" CNAME/DNAME records, the client now has an authentic list of target transport enpdoints with weight and priority values. It performs server ordering and selection using the weight and priority values without regard to the presence or absence of DNSSEC or TLSA records. It also takes note of the DNSSEC validation status of the SRV response for use when checking certificate names (see <xref target="tls"/>). The client can now proceed to making address queries on the target server host names as described in the next section.</t> -- Viktor.
- Re: [dane] WGLC: DANE-SRV Viktor Dukhovni
- Re: [dane] WGLC: DANE-SRV Peter Saint-Andre - &yet
- [dane] WGLC: DANE-SRV (Abstract and introduction … Viktor Dukhovni
- Re: [dane] WGLC: DANE-SRV Stephen Farrell
- Re: [dane] WGLC: DANE-SRV Peter Saint-Andre - &yet
- Re: [dane] WGLC: DANE-SRV (Abstract and introduct… Michael J. Sheldon
- Re: [dane] WGLC: DANE-SRV (Abstract and introduct… Viktor Dukhovni
- [dane] WGLC: DANE-SRV (Terminology and "SRV Query… Viktor Dukhovni
- [dane] WGLC: DANE-SRV ("Address Queries" and "TLS… Viktor Dukhovni
- [dane] WGLC: DANE-SRV feedback on 3.4 through res… Viktor Dukhovni