IETF Logo Mail Archive

[dane] Behavior in the face of no answer?

Eric Rescorla <ekr@rtfm.com> Thu, 03 May 2012 21:56 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0021521F84DA for <dane@ietfa.amsl.com>; Thu, 3 May 2012 14:56:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.977
X-Spam-Level:
X-Spam-Status: No, score=-102.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n3EgRM2kQ5S7 for <dane@ietfa.amsl.com>; Thu, 3 May 2012 14:56:07 -0700 (PDT)
Received: from mail-vx0-f172.google.com (mail-vc0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id 49B2E21F84D5 for <dane@ietf.org>; Thu, 3 May 2012 14:56:07 -0700 (PDT)
Received: by vcbfo1 with SMTP id fo1so1975298vcb.31 for <dane@ietf.org>; Thu, 03 May 2012 14:56:06 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:from:date:message-id:subject:to :content-type:x-gm-message-state; bh=RcDYMEAriRYQnpQdskGBurx8ePMvnWdKngQFhjwW0ng=; b=gErkLtPa3j2OeclfJn5uBCJBgvgEASCBxwjkNGB5k2pUCAVhqSOUre1wcvK5MrFpKv E14+Gz/ax75IhBj5T0O4VtjNjmb26MxheuLuuqMlhJdBY1NlyB3+B/Eeul2XRXpLx4tz qyK0R4h5EaW27Ke+6lcO//RoIH3VKwXVgIlrB6zpN7xJAtTKRE/T65NncVDGQggAvbQQ Z9IXDzmktRsS8t2LddnO9RzTdtHCuSbUEEOSwM6YQeovkEqv8NfFsTxzwwX3+MtJVTKn 1uULrPN9cgdwkwSrlQambRyJExI02vXi6hdCkz8UX2ZtBJFhrL1Dtb8aj/CZ9Y6oKcpr QCDg==
Received: by 10.52.172.194 with SMTP id be2mr1766198vdc.60.1336082166664; Thu, 03 May 2012 14:56:06 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.19.233 with HTTP; Thu, 3 May 2012 14:55:24 -0700 (PDT)
X-Originating-IP: [205.248.100.252]
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 3 May 2012 14:55:24 -0700
Message-ID: <CABcZeBMY26xrfvAx=UsYN2XnuONZ2vPy9tNwHQALudd=yQDvgA@mail.gmail.com>
To: dane@ietf.org
Content-Type: text/plain; charset=ISO-8859-1
X-Gm-Message-State: ALoCoQnGIJNknOd+uDq/F8cu55CiK0YUz+Y/zlvsvH9KDeTPKEpayrNpCy0eRTEqIl3cB1+MvdKO
Subject: [dane] Behavior in the face of no answer?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 May 2012 21:56:08 -0000

I've been reading -20 and I'm not sure I understand the behavior that section
4.1 is supposed to say. Consider the following case:

I am trying to connect for the first time to https://www.example.com/,
which is signed. I go to retrieve the TLSA record, but when I do so,
the request times out. What do I do? There seem to be two options:

(a) Treat this as a hard failure and abort the connection.
(b) Treat this as if I have an empty TLSA response and continue with ordinary
TLS.

I claim that the right response from a security perspective is clearly (a): hard
fail. If you agree with me, then jump to "2. DOCUMENT TEXT" below. If not, keep
reading.


1. SECURITY ANALYSIS
The basic security setting in which CA constraints and service certificate
constraints are useful is one in which:

(a) The attacker has a valid certificate for the target domain, but not
the same as the certificate issued to the real server.
(b) The attacker has enough control of the network to get the victim
to connect to his server.

Generally, (b) means that the attacker is on-path to the client or the
server.

What makes DANE work is that it provides an independent cryptographically
verifiable check on the server certificate, thus excluding the attacker's
certificate. Even if the attacker can force traffic to him, then, the
certificate
won't be acceptable. If the attacker can force you to ignore the
information in DANE, then DANE offers minimal security guarantees.
If clients treat TLSA RR requests without responses (i.e., timeouts) as
if they were empty TLSA responses and continue with TLS as usual,
then any attacker who can block DNS responses (i.e., anyone who
is on-path to the victim, at least) can downgrade you to ordinary TLS.
So, I think it follows that non-responses (or SERVFAILS or any other
resolver error) must be treated as hard failures and cause aborts.

Note that the security context for DANE is different from
that of many DNS contexts, because in many such contexts,
non-response means you just don't resolve so you fail hard
anyway. But here, you fail to a weaker security position.

2. DOCUMENT TEXT
As I said above, I find the document kind of hard to read on this point.
S 4.1 refers to the RFC 4033 definitions and says that Bogus must
be hard-failed and that Insecure and Indeterminate must be treated
as if there were empty TLSA sets and you continue with TLS. So,
the question is whether non-response is Bogus or not. Here's
what 4033 says (http://tools.ietf.org/html/rfc4033#section-5)

 Bogus: The validating resolver has a trust anchor and a secure
      delegation indicating that subsidiary data is signed, but the
      response fails to validate for some reason: missing signatures,
      expired signatures, signatures with unsupported algorithms, data
      missing that the relevant NSEC RR says should be present, and so
      forth.

But in this case we don't have an invalid response, but instead a
non-response, so its not clear to me this falls into Bogus.

I'm not steeped in all the DNSSEC lore, so maybe there is a wide
agreement that nonresponse == bogus, but I don't get that clearly
out of the document. IMO, DANE would benefit from stating this
clearly.

-Ekr

v2.8.7 | Report a Bug | By Email