[dane] WGLC: DANE-SRV ("Address Queries" and "TLSA queries" feedback)
Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 14 December 2014 22:45 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11CFC1A0250 for <dane@ietfa.amsl.com>; Sun, 14 Dec 2014 14:45:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level:
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_40=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9LFCQHIl3Zvc for <dane@ietfa.amsl.com>; Sun, 14 Dec 2014 14:45:03 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62AF31A01F6 for <dane@ietf.org>; Sun, 14 Dec 2014 14:45:03 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id B4C21284AD5; Sun, 14 Dec 2014 22:45:01 +0000 (UTC)
Date: Sun, 14 Dec 2014 22:45:01 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
Sender: dane <dane-bounces@ietf.org>
To: dane@ietf.org
Message-ID: <20141214224501.GI25666@mournblade.imrryr.org>
References: <20141201013357.GF285@mournblade.imrryr.org> <547BC8F9.1070605@andyet.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <547BC8F9.1070605@andyet.net>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/ClxfuXaC4CRie79plUXKttywqG0
Subject: [dane] WGLC: DANE-SRV ("Address Queries" and "TLSA queries" feedback)
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Dec 2014 22:45:05 -0000
On Sun, Nov 30, 2014 at 06:48:41PM -0700, Peter Saint-Andre - &yet wrote:
[ I'm splitting it into a few messages to keep it manageable, and
in any case some of my comments are still pencil marks on a
print-out, not yet transcribed. ]
This message covers sections 3.2 ("Address Queries") and 3.3 ("TLSA Queries").
General comment (copied verbatim from abstract and introduction
feedback):
The draft frequently talks about "hostnames", where what is
really meant is a transport endpoint (port, transport protocol,
host). With PKIX-EE or DANE-EE certificate usages, TLSA records
are more precise than the Web PKI and can associate different,
non-interchangeable key material with distinct services on a
single host. So in many places I will be suggesting replacing
statements about "hostnames" with statements about "transport
endpoints".
3.2. Address Queries
Clients that support only v4 or only v6 need not make queries for
an address type they can't use.
OLD:
<t>For each SRV target server host name, the client makes A and AAAA
queries, performs DNSSEC validation on the address (A or AAAA) response,
and continues as follows based on the results:
NEW:
<t>For each SRV target server host name, the client makes A and/or AAAA
queries, performs DNSSEC validation on the address (A or AAAA) response,
and continues as follows based on the results:
The term "usable" is not applicable in the context of address
queries. TLSA queries should be made if either the A or AAAA
response is secure (e.g., sometimes the absence of "AAAA" is
"insecure" due to opt-out, while the "A" records are "secure").
When the zone containing the host's A/AAAA records is unsigned,
queries for TLSA are more likely to fail than to unexpectedly
produce "secure" results. This is not to say that they are in
fact likely to "fail".
OLD:
<list style="symbols">
<t>If the response is "secure" and usable, the client MUST perform a TLSA
query for that target server host name as described in the
next section.</t>
<t>If the response is "insecure", the client MUST NOT perform a
TLSA query for that target server host name; the TLSA query will
most likely fail.</t>
<t>If the response is "bogus" or "indeterminate", the client
MUST NOT connect to this target server; instead it uses the next
most appropriate SRV target.</t>
</list></t>
NEW:
<list style="symbols">
<t>If either of the A or AAAA RRsets is "secure", the client MUST
perform a TLSA query for that target service endpoint as described
in the next section.</t>
<t>If both RRsets are "insecure", the client MUST NOT perform a
TLSA query for that target; such TLSA queries are very
unlikely to produce "secure" results and have been observed
to spuriously fail even though no TLSA records are present.</t>
<t>To defend against downgrade attacks, if address record
lookup fails (this includes both the "bogus" and RFC 4035
"indeterminate" validation status) the client MUST NOT
connect to this target service endpoint; instead it uses the next
most appropriate SRV target.</t>
</list></t>
3.3. TLSA Queries
Perhaps a better split:
OLD:
<t>For example, the following SRV record for IMAP (see <xref target='RFC6186'/>)
leads to the TLSA query shown below:</t>
<t><figure><artwork><![CDATA[
_imap._tcp.example.com. 86400 IN SRV 10 0 9143 imap.example.net.
_9143._tcp.imap.example.net. IN TLSA ?
]]></artwork></figure></t>
NEW:
<t>For example, the following SRV record for IMAP (see <xref target='RFC6186'/>)</t>
<t><figure><artwork><![CDATA[
_imap._tcp.example.com. 86400 IN SRV 10 0 9143 imap.example.net.
]]></artwork></figure></t>
<t>leads to the TLSA query shown below:</t>
<t><figure><artwork><![CDATA[
_9143._tcp.imap.example.net. IN TLSA ?
]]></artwork></figure></t>
--
Viktor.
- Re: [dane] WGLC: DANE-SRV Viktor Dukhovni
- Re: [dane] WGLC: DANE-SRV Peter Saint-Andre - &yet
- [dane] WGLC: DANE-SRV (Abstract and introduction … Viktor Dukhovni
- Re: [dane] WGLC: DANE-SRV Stephen Farrell
- Re: [dane] WGLC: DANE-SRV Peter Saint-Andre - &yet
- Re: [dane] WGLC: DANE-SRV (Abstract and introduct… Michael J. Sheldon
- Re: [dane] WGLC: DANE-SRV (Abstract and introduct… Viktor Dukhovni
- [dane] WGLC: DANE-SRV (Terminology and "SRV Query… Viktor Dukhovni
- [dane] WGLC: DANE-SRV ("Address Queries" and "TLS… Viktor Dukhovni
- [dane] WGLC: DANE-SRV feedback on 3.4 through res… Viktor Dukhovni