Re: [dane] I-D Action: draft-ietf-dane-smime-03.txt

Mark Andrews <marka@isc.org> Thu, 06 February 2014 05:24 UTC

Return-Path: <marka@isc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46F2A1A0365 for <dane@ietfa.amsl.com>; Wed, 5 Feb 2014 21:24:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.436
X-Spam-Level:
X-Spam-Status: No, score=-2.436 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fRHGZyoO4GJS for <dane@ietfa.amsl.com>; Wed, 5 Feb 2014 21:23:59 -0800 (PST)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by ietfa.amsl.com (Postfix) with ESMTP id C587A1A029D for <dane@ietf.org>; Wed, 5 Feb 2014 21:23:59 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) by mx.ams1.isc.org (Postfix) with ESMTP id BA27B2383BF; Thu, 6 Feb 2014 05:23:46 +0000 (UTC) (envelope-from marka@isc.org)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id F0E6916000C; Thu, 6 Feb 2014 05:24:25 +0000 (UTC)
Received: from rock.dv.isc.org (c211-30-183-50.carlnfd1.nsw.optusnet.com.au [211.30.183.50]) by zmx1.isc.org (Postfix) with ESMTPSA id B91C3160008; Thu, 6 Feb 2014 05:24:25 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 108C7E872C0; Thu, 6 Feb 2014 16:23:43 +1100 (EST)
To: Andrew Sullivan <ajs@anvilwalrusden.com>
From: Mark Andrews <marka@isc.org>
References: <20140106212911.12960.24322.idtracker@ietfa.amsl.com> <A1C41700-578C-45C1-9A66-ACC051970F47@gmail.com> <58D91468-4295-4AEB-A5F4-3C796CBF047A@vpnc.org> <20140205210516.GN278@mournblade.imrryr.org> <alpine.LFD.2.10.1402052254590.13653@bofh.nohats.ca> <20140206042311.GF21114@mx1.yitter.info> <20140206043138.GT278@mournblade.imrryr.org> <20140206044440.GI21114@mx1.yitter.info>
In-reply-to: Your message of "Wed, 05 Feb 2014 23:44:40 -0500." <20140206044440.GI21114@mx1.yitter.info>
Date: Thu, 06 Feb 2014 16:23:43 +1100
Message-Id: <20140206052343.108C7E872C0@rock.dv.isc.org>
Cc: dane@ietf.org
Subject: Re: [dane] I-D Action: draft-ietf-dane-smime-03.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Feb 2014 05:24:01 -0000

In message <20140206044440.GI21114@mx1.yitter.info>fo>, Andrew Sullivan writes:
> On Thu, Feb 06, 2014 at 04:31:38AM +0000, Viktor Dukhovni wrote:
> > I must plead ignorance of the obstacle, what do you have in mind?
> 
> I am repeatedly informed by my man pages, RFC 3493, and every web
> browser implementer I've ever spoken to that getting the TTL on an RR
> coming to you from the system resolver is hard.  I'd be more delighted
> than I can express to be misinformed, so if you know otherwise please
> say so.

And I say BS.  If you are using a layer above the resolver
(gethostbyname, getaddrinfo) yes it may be hard but for TLSA *there
is no layer above the resolver*.

libresolv/libbind have provided access to the TTL since the 1980's.

Even Microsoft Windows programmers don't have a excuse as DnsQuery
returns the ttl in its results.

http://msdn.microsoft.com/en-us/library/windows/desktop/ms682016(v=vs.85).aspx

> There is a new API (more a meta-api) that Paul Hoffman worked on
> (http://www.vpnc.org/getdns-api/) that I think we should all embrace
> partly for the above reason, but we're not even at 0-day with that yet
> AFAICT.  
> 
> > If learning DNS TTLs along with the RRset data is problematic,
> > application caches should have reasonably short maximum lifetimes.
> 
> I recognise the basic impulse in what you're saying, but it gives me
> pause.  Timing attacks involving DNS and the browser "pinning" policy
> have always struck me as plausible (and ISTR a demonstration, but I'm
> darned if I can come up with it now).  But using this sort of trick
> for actual certificate stuff appears to make the target of any
> pinning-timing attack more valuable.  Is that a problem?  (That's not
> a rhetorical question.  I'm an idiot.)
> 
> [I get your other argument about lifetimes.  Not trying to ignore,
> just accepting.]
> 
> A
> 
> -- 
> Andrew Sullivan
> ajs@anvilwalrusden.com
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org