[dane] WGLC: DANE-SRV ("Address Queries" and "TLSA queries" feedback)

Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 14 December 2014 22:45 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11CFC1A0250 for <dane@ietfa.amsl.com>; Sun, 14 Dec 2014 14:45:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level:
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_40=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9LFCQHIl3Zvc for <dane@ietfa.amsl.com>; Sun, 14 Dec 2014 14:45:03 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62AF31A01F6 for <dane@ietf.org>; Sun, 14 Dec 2014 14:45:03 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id B4C21284AD5; Sun, 14 Dec 2014 22:45:01 +0000 (UTC)
Date: Sun, 14 Dec 2014 22:45:01 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
Sender: dane <dane-bounces@ietf.org>
To: dane@ietf.org
Message-ID: <20141214224501.GI25666@mournblade.imrryr.org>
References: <20141201013357.GF285@mournblade.imrryr.org> <547BC8F9.1070605@andyet.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <547BC8F9.1070605@andyet.net>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/ClxfuXaC4CRie79plUXKttywqG0
Subject: [dane] WGLC: DANE-SRV ("Address Queries" and "TLSA queries" feedback)
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Dec 2014 22:45:05 -0000

On Sun, Nov 30, 2014 at 06:48:41PM -0700, Peter Saint-Andre - &yet wrote:

[ I'm splitting it into a few messages to keep it manageable, and
  in any case some of my comments are still pencil marks on a
  print-out, not yet transcribed. ]

This message covers sections 3.2 ("Address Queries") and 3.3 ("TLSA Queries").

General comment (copied verbatim from abstract and introduction
feedback):

    The draft frequently talks about "hostnames", where what is
    really meant is a transport endpoint (port, transport protocol,
    host).  With PKIX-EE or DANE-EE certificate usages, TLSA records
    are more precise than the Web PKI and can associate different,
    non-interchangeable key material with distinct services on a
    single host.  So in many places I will be suggesting replacing
    statements about "hostnames" with statements about "transport
    endpoints".

3.2. Address Queries

  Clients that support only v4 or only v6 need not make queries for 
  an address type they can't use.

  OLD:

    <t>For each SRV target server host name, the client makes A and AAAA
     queries, performs DNSSEC validation on the address (A or AAAA) response,
     and continues as follows based on the results:

  NEW:

    <t>For each SRV target server host name, the client makes A and/or AAAA
     queries, performs DNSSEC validation on the address (A or AAAA) response,
     and continues as follows based on the results:

  The term "usable" is not applicable in the context of address
  queries.  TLSA queries should be made if either the A or AAAA
  response is secure (e.g., sometimes the absence of "AAAA" is
  "insecure" due to opt-out, while the "A" records are "secure").

  When the zone containing the host's A/AAAA records is unsigned,
  queries for TLSA are more likely to fail than to unexpectedly
  produce "secure" results.  This is not to say that they are in
  fact likely to "fail".

  OLD:

     <list style="symbols">
      <t>If the response is "secure" and usable, the client MUST perform a TLSA
       query for that target server host name as described in the
       next section.</t>
      <t>If the response is "insecure", the client MUST NOT perform a
       TLSA query for that target server host name; the TLSA query will
       most likely fail.</t>
      <t>If the response is "bogus" or "indeterminate", the client
       MUST NOT connect to this target server; instead it uses the next
       most appropriate SRV target.</t>
    </list></t>

  NEW:

     <list style="symbols">
      <t>If either of the A or AAAA RRsets is "secure", the client MUST
       perform a TLSA query for that target service endpoint as described
       in the next section.</t>
      <t>If both RRsets are "insecure", the client MUST NOT perform a
       TLSA query for that target; such TLSA queries are very
       unlikely to produce "secure" results and have been observed
       to spuriously fail even though no TLSA records are present.</t>
      <t>To defend against downgrade attacks, if address record
       lookup fails (this includes both the "bogus" and RFC 4035
       "indeterminate" validation status) the client MUST NOT
       connect to this target service endpoint; instead it uses the next
       most appropriate SRV target.</t>
    </list></t>

3.3. TLSA Queries

  Perhaps a better split:

  OLD:

    <t>For example, the following SRV record for IMAP (see <xref target='RFC6186'/>)
    leads to the TLSA query shown below:</t>

    <t><figure><artwork><![CDATA[
_imap._tcp.example.com. 86400 IN SRV 10 0 9143 imap.example.net.

_9143._tcp.imap.example.net. IN TLSA ?
     ]]></artwork></figure></t>

  NEW:

    <t>For example, the following SRV record for IMAP (see <xref target='RFC6186'/>)</t>

    <t><figure><artwork><![CDATA[
_imap._tcp.example.com. 86400 IN SRV 10 0 9143 imap.example.net.
     ]]></artwork></figure></t>

    <t>leads to the TLSA query shown below:</t>

    <t><figure><artwork><![CDATA[
_9143._tcp.imap.example.net. IN TLSA ?
     ]]></artwork></figure></t>

-- 
	Viktor.