[dane] WGLC: DANE-SRV ("Address Queries" and "TLSA queries" feedback)
Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 14 December 2014 22:45 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11CFC1A0250 for <dane@ietfa.amsl.com>; Sun, 14 Dec 2014 14:45:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level:
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_40=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9LFCQHIl3Zvc for <dane@ietfa.amsl.com>; Sun, 14 Dec 2014 14:45:03 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62AF31A01F6 for <dane@ietf.org>; Sun, 14 Dec 2014 14:45:03 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id B4C21284AD5; Sun, 14 Dec 2014 22:45:01 +0000 (UTC)
Date: Sun, 14 Dec 2014 22:45:01 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
Sender: dane <dane-bounces@ietf.org>
To: dane@ietf.org
Message-ID: <20141214224501.GI25666@mournblade.imrryr.org>
References: <20141201013357.GF285@mournblade.imrryr.org> <547BC8F9.1070605@andyet.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <547BC8F9.1070605@andyet.net>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/ClxfuXaC4CRie79plUXKttywqG0
Subject: [dane] WGLC: DANE-SRV ("Address Queries" and "TLSA queries" feedback)
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Dec 2014 22:45:05 -0000
On Sun, Nov 30, 2014 at 06:48:41PM -0700, Peter Saint-Andre - &yet wrote: [ I'm splitting it into a few messages to keep it manageable, and in any case some of my comments are still pencil marks on a print-out, not yet transcribed. ] This message covers sections 3.2 ("Address Queries") and 3.3 ("TLSA Queries"). General comment (copied verbatim from abstract and introduction feedback): The draft frequently talks about "hostnames", where what is really meant is a transport endpoint (port, transport protocol, host). With PKIX-EE or DANE-EE certificate usages, TLSA records are more precise than the Web PKI and can associate different, non-interchangeable key material with distinct services on a single host. So in many places I will be suggesting replacing statements about "hostnames" with statements about "transport endpoints". 3.2. Address Queries Clients that support only v4 or only v6 need not make queries for an address type they can't use. OLD: <t>For each SRV target server host name, the client makes A and AAAA queries, performs DNSSEC validation on the address (A or AAAA) response, and continues as follows based on the results: NEW: <t>For each SRV target server host name, the client makes A and/or AAAA queries, performs DNSSEC validation on the address (A or AAAA) response, and continues as follows based on the results: The term "usable" is not applicable in the context of address queries. TLSA queries should be made if either the A or AAAA response is secure (e.g., sometimes the absence of "AAAA" is "insecure" due to opt-out, while the "A" records are "secure"). When the zone containing the host's A/AAAA records is unsigned, queries for TLSA are more likely to fail than to unexpectedly produce "secure" results. This is not to say that they are in fact likely to "fail". OLD: <list style="symbols"> <t>If the response is "secure" and usable, the client MUST perform a TLSA query for that target server host name as described in the next section.</t> <t>If the response is "insecure", the client MUST NOT perform a TLSA query for that target server host name; the TLSA query will most likely fail.</t> <t>If the response is "bogus" or "indeterminate", the client MUST NOT connect to this target server; instead it uses the next most appropriate SRV target.</t> </list></t> NEW: <list style="symbols"> <t>If either of the A or AAAA RRsets is "secure", the client MUST perform a TLSA query for that target service endpoint as described in the next section.</t> <t>If both RRsets are "insecure", the client MUST NOT perform a TLSA query for that target; such TLSA queries are very unlikely to produce "secure" results and have been observed to spuriously fail even though no TLSA records are present.</t> <t>To defend against downgrade attacks, if address record lookup fails (this includes both the "bogus" and RFC 4035 "indeterminate" validation status) the client MUST NOT connect to this target service endpoint; instead it uses the next most appropriate SRV target.</t> </list></t> 3.3. TLSA Queries Perhaps a better split: OLD: <t>For example, the following SRV record for IMAP (see <xref target='RFC6186'/>) leads to the TLSA query shown below:</t> <t><figure><artwork><![CDATA[ _imap._tcp.example.com. 86400 IN SRV 10 0 9143 imap.example.net. _9143._tcp.imap.example.net. IN TLSA ? ]]></artwork></figure></t> NEW: <t>For example, the following SRV record for IMAP (see <xref target='RFC6186'/>)</t> <t><figure><artwork><![CDATA[ _imap._tcp.example.com. 86400 IN SRV 10 0 9143 imap.example.net. ]]></artwork></figure></t> <t>leads to the TLSA query shown below:</t> <t><figure><artwork><![CDATA[ _9143._tcp.imap.example.net. IN TLSA ? ]]></artwork></figure></t> -- Viktor.
- Re: [dane] WGLC: DANE-SRV Viktor Dukhovni
- Re: [dane] WGLC: DANE-SRV Peter Saint-Andre - &yet
- [dane] WGLC: DANE-SRV (Abstract and introduction … Viktor Dukhovni
- Re: [dane] WGLC: DANE-SRV Stephen Farrell
- Re: [dane] WGLC: DANE-SRV Peter Saint-Andre - &yet
- Re: [dane] WGLC: DANE-SRV (Abstract and introduct… Michael J. Sheldon
- Re: [dane] WGLC: DANE-SRV (Abstract and introduct… Viktor Dukhovni
- [dane] WGLC: DANE-SRV (Terminology and "SRV Query… Viktor Dukhovni
- [dane] WGLC: DANE-SRV ("Address Queries" and "TLS… Viktor Dukhovni
- [dane] WGLC: DANE-SRV feedback on 3.4 through res… Viktor Dukhovni