Re: [dane] Behavior in the face of no answer?

Ondrej Mikle <ondrej.mikle@nic.cz> Sun, 06 May 2012 01:18 UTC


On 05/04/2012 06:53 PM, Andrew Sullivan wrote:
> On Fri, May 04, 2012 at 09:32:32AM -0700, Paul Hoffman wrote:
>>
>> My preference is that the spec discuss the issue, propose hard-fail
>> as an option, and explain that without hard-fail the benefits for
>> usage 0 and 1 can be circumvented but that the client is no worse
>> off than without DANE. It's important to emphasize that this is
>> about usage 0 and 1, and that a different security analysis applies
>> to types 2 and 3 (well, 3 certainly; I need to think about 2).
> 
> I agree with this.
> 
>> I would prefer that we not require hard fail while assuming some
>> implementers will not follow our requirement,
> 
> I also strongly agree with this.

I also agree with the above points.

I'll chime in with some data: we've been collecting data (with Ralph Holz) on
behavior of various authoritative NS (about 15 RR types for each domain, with
DNSSEC enabled).

From the ongoing scan, out of 70M currently finished .com domains, SERVFAILs
appeared for ~8.6M distinct domains. My interpretation of such a high percentage
is that those are forgotten/unmaintained domains (for comparison, the percentage for
the .cz TLD is < 1%). We'll cross-check the failing answers against lists such as
Alexa top 1M (to see how "relevant" they are) and do a rescan of the failures.

From the preliminary data it follows that no vendor of a TLS client would honor
hard-fail if it was a "MUST" (though I don't like the possible downgrade attacks).

Another goal of the scan is to find statistics on the average/maximum size of the
DNSSEC-stapled structure (as Jim Schaad asked -
https://www.ietf.org/mail-archive/web/dane/current/msg04694.html), which is
heavily influenced by the number of zones traversed by CNAMEs/DNAMEs (ask away if
you're interested in other stats).

Ondrej Mikle
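As an added illustration (not code from the thread or from any DANE implementation), a small Python model of the client decision discussed above: it assumes that a usage-0/1 TLSA record constrains an otherwise PKIX-valid chain while a usage-2/3 record replaces PKIX, and that a SERVFAIL, bogus or missing answer is the only outcome where hard-fail and soft-fail differ. The `Server`, `verify` and `circumvented` names and the two sample servers are constructed for the example.

```python
"""Simulated DANE client decision under a failed TLSA lookup (constructed model)."""
from dataclasses import dataclass
from enum import Enum


class Lookup(Enum):
    SECURE = "validated TLSA RRset"
    NO_TLSA = "secure denial of existence"
    INSECURE = "zone provably unsigned"
    FAILED = "SERVFAIL, bogus, or no answer at all"


HARD_FAIL, SOFT_FAIL = True, False


@dataclass(frozen=True)
class Server:
    label: str
    pkix_valid: bool   # would a plain PKIX client accept the chain?
    tlsa_usage: int    # 0/1 constrain PKIX, 2/3 replace it
    tlsa_match: bool   # does the chain satisfy the published TLSA record?


def verify(lookup: Lookup, srv: Server, hard_fail: bool):
    """Return (accepted, reason) for one connection attempt."""
    if lookup is Lookup.SECURE:
        if srv.tlsa_usage in (0, 1):
            ok = srv.pkix_valid and srv.tlsa_match   # PKIX plus the DANE constraint
        else:
            ok = srv.tlsa_match                      # DANE alone decides
        return ok, "DANE usage %d" % srv.tlsa_usage
    if lookup is Lookup.FAILED and hard_fail:
        return False, "hard-fail: TLSA lookup failed"
    # NO_TLSA, INSECURE, or soft-fail on FAILED: behave as if DANE did not exist
    return srv.pkix_valid, "PKIX only"


def circumvented(srv: Server, hard_fail: bool) -> bool:
    """True if suppressing the TLSA answer gets a chain accepted that the
    validated TLSA record would have rejected (the downgrade in the thread)."""
    with_dane, _ = verify(Lookup.SECURE, srv, hard_fail)
    without_dane, _ = verify(Lookup.FAILED, srv, hard_fail)
    return (not with_dane) and without_dane


# Constructed sample servers (not real hosts or certificates).
MISISSUED = Server("usage-1 pin, chain from a CA the TLSA record excludes", True, 1, False)
SELF_SIGNED = Server("usage-3 self-signed EE cert", False, 3, True)

if __name__ == "__main__":
    for srv in (MISISSUED, SELF_SIGNED):
        for policy, name in ((SOFT_FAIL, "soft-fail"), (HARD_FAIL, "hard-fail")):
            print(srv.label, name, verify(Lookup.FAILED, srv, policy),
                  "bypass" if circumvented(srv, policy) else "no bypass")
```

Under this model the usage-1 constraint is bypassed only with soft-fail, which is the "benefits for usage 0 and 1 can be circumvented" case, whereas the usage-3 self-signed server is rejected under both policies once the answer is gone, so the failure there is an outage rather than a bypass.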