Re: [dane] An AD bit discussion (correction)
Viktor Dukhovni <viktor1dane@dukhovni.org> Thu, 27 February 2014 21:26 UTC
Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 963B61A0228 for <dane@ietfa.amsl.com>; Thu, 27 Feb 2014 13:26:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level:
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_20=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id djMunRrf8lTi for <dane@ietfa.amsl.com>; Thu, 27 Feb 2014 13:26:17 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) by ietfa.amsl.com (Postfix) with ESMTP id 6E5911A035B for <dane@ietf.org>; Thu, 27 Feb 2014 13:26:17 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 54D402AAC73; Thu, 27 Feb 2014 21:26:14 +0000 (UTC)
Date: Thu, 27 Feb 2014 21:26:14 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140227212614.GY21390@mournblade.imrryr.org>
References: <20140227031628.B4A1610765F9@rock.dv.isc.org> <20140227034723.GA73861@mx1.yitter.info> <20140227041753.3509810773A8@rock.dv.isc.org> <20140227044213.GO21390@mournblade.imrryr.org> <alpine.LFD.2.10.1402270015320.6180@bofh.nohats.ca> <20140227054617.GP21390@mournblade.imrryr.org> <530F3A64.2000001@redhat.com> <20140227164014.GT21390@mournblade.imrryr.org> <20140227164201.GU21390@mournblade.imrryr.org> <530F9A3D.3070008@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <530F9A3D.3070008@redhat.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/CnOZKZW6bs3XTg-PFxA12Bhjf5o
Subject: Re: [dane] An AD bit discussion (correction)
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Feb 2014 21:26:20 -0000
On Thu, Feb 27, 2014 at 09:04:13PM +0100, Petr Spacek wrote: > Of course, there are applications with special requirements but easy > cases could be (we hope) handled in crypto library and special case > over appropriate APIs. > > The discussion ended with statement that we need to solve API for > resolvers first and then we can open discussion about DANE in NSS > again. > > <<< --- We are here :-) Almost, because some of the DANE requirements are not set in stone. For example, interaction with CNAME records is not yet a done deal. Likewise digest agility, support for multiple peer names, semantics of CU=3, ... Early implementations are raising issues that clarify or extend the standard, and so even if the resolver API were a solved problem, it would be a bit early to bake a complete DANE implementation, including all the policy issues around TLSA records, into a TLS toolkit. It is a good time to be thinking about how to validate certificate chains via a given set of TLSA records and get the basics right (subtle enough in itself, that almost every implementation I've seen has serious flaws). So progress can be made by implementing code in such toolkits: - To validate a remote server's certificate chain against a set of TLSA records provided by the application - To integrate this with name checks (off for CU=3) that support multiple application-provided names. - To think about the semantics of "IN TLSA 2 1 0" and whether such bare keys in DNS are usable without a corresponding chain element in the server TLS "certificate message". - To think about how to support digest agility - To provide an API for applications that want to do their own DNS lookups, and pass them to the librarary, rather than asking the TLS library to perform DNS lookups. > This is long-term goal and adding application-controlled policies > for DANE goes in opposite direction. That is the reason why we are > trying to move 'policy logic' to system level/library level and do > not pollute applications with policy processing. (We have to at > least *try* that.) For the simplest applications that have a single secure hostname, and want to use some shiny new simplified API, which promises DANE as a default enabled connection security mechanism, sure we can assume there's a role for that. Complications arise quickly if needs of more complex applications are not anticipated and one need to be careful of complex dependency chains if the crypto library depends on DNSSEC libraries which in turn depend on crypto libraries. > That is exactly the point. We don't want to configure everything > again and again per-application, we want system-wide configuration. Yes. > The intent is to avoid adding more and more application specific > knobs because it will be hard to get rid of them in future. (There > are exceptions - as always.) I vote for a stub resolver whose configuration combines a list of recursive resolvers with a trust predicate that specifies whether the AD bit should be passed to stub resolver applications. I further vote for a way to query this predicate and to set the recursor list, all via an extended libresolv. > >>Yes, that's why I am recommending adoption of BSD libresolv, which > >>is a superset of the traditional libresolv, and offers more of what > >>is required to support DANE. In particular, just having res_setservers() > >>and res_nsearch()/res_nquery would be major progress. > > Again, we are not interested in a single library but in a general > approach. Please consider that vanilla Fedora distro contains > 40 > 000 packages. I can name 5 different DNS libraries I use daily *only > from top of my head*. Then add the requisite functionality to each of the relevant libraries. But for your simple application API you only need to care about the DNS libraries used by: OpenSSL (if any) GnuTLS (if any) NSS (if any) you can help direct those toolkits at the preferred DNS library, at which point behaviour of other DNS libraries is less important. > We want to open DNSSEC/DANE potential for all of them, not only > some small subset. I would recommend a bit of focus at the outset. > Of course, this idea (nameserver whitelisting/AD bit masking) has to > be widely adopted in rest of the ecosystem otherwise we can give it > up right now. We don't want and can't go against the whole world. I am still not sold on "whitelisting", as opposed to "blessing" a configuration as a whole, but this is not critical. Yes work with library designers to come to agreement on the approach. > I'm glad that we agree on that. Do you have some specific proposal > in your mind? You have proposed new option in /etc/resolv.conf, > something like > > resolvers_trusted = no/yes, right? Something like that, without suggesting any particular name. > What behavior is 'the best' in your opinion? Would it be okay to > always set AD bit to 0 if option "resolvers_trusted" is set to "no"? That would be fine. Fail closed. If some DHCP client unaware of the new predicate generates a resolv.conf file, it should I think be considered insecure. > Are you okay with default "no"? (If the new option is not present.) Yes. I am of course not the entirety of this group (even if lately I am responsible for ~50% of the traffic). So perhaps this view is not widely held. > I agree. What do you think about AD bit masking configured > system-wide? Please keep in mind that this needs to be universal > behavior implement-able even in old glibc resolver and any other DNS > library. Fine by me, I prefer it in fact, provided the administrator can unmask it, and an application can find out whether the masking is taking place. > The problem is that our glibc maintainer explicitly refused to > change default behavior (i.e. mask AD bit until admin white-lists > given resolver in /etc/resolv.conf) because it could break some > (potentially) existing applications. That is a reason why we > invented "init_trusted()" concept. I think he's wrong. Precisely because applications might be using the AD bit, it *should* be masked when unsafe. Polluting the library with useless initializers (and still no resolver context as with res_ninit(), ...) would be lame. > Could you give us some detailed thoughts about compatibility? Go ahead, PLEASE, break Postfix DANE support on systems using insecure upstead resolvers on which the administrator does not arrange for the right predicate in /etc/resolv.conf. I want the AD bit to be more than blind faith. -- Viktor.
- Re: [dane] An AD bit discussion Paul Wouters
- [dane] An AD bit discussion Paul Wouters
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Ondřej Surý
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Petr Spacek
- Re: [dane] An AD bit discussion Petr Spacek
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Tony Finch
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Petr Spacek
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Olafur Gudmundsson
- Re: [dane] An AD bit discussion Tony Finch
- Re: [dane] An AD bit discussion Tony Finch
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Tony Finch
- Re: [dane] An AD bit discussion Wiley, Glen
- Re: [dane] An AD bit discussion James Cloos
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Andreas Schulze
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Paul Wouters
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Andrew Sullivan
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Andrew Sullivan
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Andrew Sullivan
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Paul Wouters
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Petr Spacek
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion (correction) Viktor Dukhovni
- Re: [dane] An AD bit discussion Paul Wouters
- Re: [dane] An AD bit discussion Paul Wouters
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion Tony Finch
- Re: [dane] An AD bit discussion Petr Spacek
- Re: [dane] An AD bit discussion (correction) Petr Spacek
- Re: [dane] An AD bit discussion (+concerns from g… Petr Spacek
- Re: [dane] An AD bit discussion (correction) Viktor Dukhovni
- Re: [dane] An AD bit discussion (+concerns from g… Viktor Dukhovni
- Re: [dane] An AD bit discussion Viktor Dukhovni
- Re: [dane] An AD bit discussion (correction) Viktor Dukhovni
- [dane] Proposal: AD bit handling in stub-resolver… Petr Spacek
- Re: [dane] An AD bit discussion Michael Richardson
- Re: [dane] An AD bit discussion Simo Sorce
- Re: [dane] An AD bit discussion Michael Richardson
- Re: [dane] An AD bit discussion Michael Richardson
- Re: [dane] An AD bit discussion Simo Sorce
- Re: [dane] An AD bit discussion Michael Richardson
- Re: [dane] An AD bit discussion Michael Richardson
- Re: [dane] Proposal: AD bit handling in stub-reso… Viktor Dukhovni
- Re: [dane] An AD bit discussion Florian Weimer
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Petr Spacek
- Re: [dane] An AD bit discussion Mark Andrews
- Re: [dane] An AD bit discussion Petr Spacek