Re: [dane] New version of tls-dnssec-chain draft (-02)
Shumon Huque <shuque@gmail.com> Fri, 11 December 2015 05:10 UTC
Return-Path: <shuque@gmail.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 526031A854C for <dane@ietfa.amsl.com>; Thu, 10 Dec 2015 21:10:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D0g1KRgHVyvf for <dane@ietfa.amsl.com>; Thu, 10 Dec 2015 21:10:20 -0800 (PST)
Received: from mail-qg0-x22d.google.com (mail-qg0-x22d.google.com [IPv6:2607:f8b0:400d:c04::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1E8E1A854B for <dane@ietf.org>; Thu, 10 Dec 2015 21:10:19 -0800 (PST)
Received: by qgea14 with SMTP id a14so184855427qge.0 for <dane@ietf.org>; Thu, 10 Dec 2015 21:10:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=VQ/bPvFH/Ll2wYe13Gz3zb+a3xn9t1bPmKNuzCLqJmg=; b=fJAsooKp6DQ6bmFuarxY0OXufzCk8kHqQjwiMRiMUDxtMfh4xS9QQ0CbiYAWQRN87l h+FLL1cj3NmoFNq7gygO+2C188C4POKgkoTZJB+omaYS5pI+jrTxOuOLQ8z4DWk6twZW ogPioDtpXD+FfFrU3XIULth8C23f9otq6xvKTCK639mVqBlMb7MuM3xqFxl9uZeLL4fs UJmiX82n1F7jk0PKcF79yKwCeSpyOllXRFm8z2yHQYNUkAO5ytPsahSeOwPxwRMf8JwN HYT879/RNhf2F4LzBzkXaCuTlPH2nltC8HriQ9blw8LdB4ScWwSA2Iw70xCkTlqIOa2/ c5bg==
MIME-Version: 1.0
X-Received: by 10.140.129.198 with SMTP id 189mr12330183qhb.10.1449810619008; Thu, 10 Dec 2015 21:10:19 -0800 (PST)
Received: by 10.140.87.117 with HTTP; Thu, 10 Dec 2015 21:10:18 -0800 (PST)
In-Reply-To: <23F61F03-764D-4138-9FEF-3A99820C0278@dukhovni.org>
References: <CAHPuVdXgCHb4UfXi3smFOsQxN8nRSzd2c17xr_TOF=snSBHVJg@mail.gmail.com> <20151109045334.GU18315@mournblade.imrryr.org> <CAHPuVdU4dVYrcw93arL3_274WQDd+yUK7oCfdZEy8MiQFVTT7Q@mail.gmail.com> <20151128070913.GJ18315@mournblade.imrryr.org> <CAHPuVdUh9rW=TT-+pjLha753VTUqc3Yjgz10dK9Xapxm3wtOCg@mail.gmail.com> <23F61F03-764D-4138-9FEF-3A99820C0278@dukhovni.org>
Date: Fri, 11 Dec 2015 00:10:18 -0500
Message-ID: <CAHPuVdUkH7L5FgNnxPWNczRfN3noGp5V5zE9CYGR-u-AQr8fLw@mail.gmail.com>
From: Shumon Huque <shuque@gmail.com>
To: Viktor Dukhovni <ietf-dane@dukhovni.org>
Content-Type: multipart/alternative; boundary="001a1134f4b0f00ca5052698565c"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/GXqIkLRueO5w-KgMaRh7MxI0BnU>
Cc: "<dane@ietf.org>" <dane@ietf.org>
Subject: Re: [dane] New version of tls-dnssec-chain draft (-02)
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Dec 2015 05:10:22 -0000
On Thu, Dec 10, 2015 at 11:25 PM, <ietf-dane@dukhovni.org> wrote: > > > On Dec 10, 2015, at 9:05 PM, Shumon Huque <shuque@gmail.com> wrote: > > > > > Which brings us back to the message format, if it is just a stream > > > of RRsets (rather than a stream of DNS messages), what binds the > > > NSEC/NSEC3 records to the associated wildcard response? > > > > > > ; ANSWER: > > > ; *._tcp.example.com IN CNAME _dane.example.com. > > > _25._tcp.example.com. IN CNAME _dane.example.com. > > > _dane.example.com. IN TLSA 3 1 1 ... > > > ; AUTHORITY > > > ; This, or equivalent NSEC3 record > > > *._tcp.example.com. IN NSEC example.com. CNAME > > > > > > In what order should these RRsets appear? How are the NSEC (or > > > worse NSEC3) records to be associated with the wildcard (first) > > > answer in a stream of records that is not broken down into the > > > usual query/answer/authority/additional format if they are not > > > explicitly grouped with the packet in question? (Broader search > > > for suitable NSEC3 records across all the returned RRsets?) > > > > For the current 'ordered RRset' version of this spec, the wildcard > > case is underspecified. The simplest thing would be to specify that > > the NSEC/NSEC3 record (and associated RRSIG) appears right after the > > wildcard TLSA record. > > > > Note that there is a semantic mismatch between DNS wildcards and > > wildcards in X.509 certificate DNS names - the X.509 wildcard > > covers all possible names, whereas the DNS wildcard covers all names > > except those explicitly named in the zone. Some one possible > > simplification would be to say that for wildcard TLSA records this > > TLS extension only supports the X.509 wildcard semantics, and > > exclude the NSEC records. This would require 'tweaking' the DNSSEC > > validation algorithm to not perform the 'no closer match' proof > > for wildcard records. I might actually be leaning in this direction > > now to keep things simple. > > Doing incorrect validation of DNSSEC wildcards is not a good idea. > These are defaults, that are quite deliberately inapplicable in > the presence of real records. If a user has a specific TLSA > record for port 443, and a different wildcard covering other ports, > attackers MUST NOT be able to substitute the wildcard TLSA RRset > for the more specific one for port 443. Do not confuse these > with the X.509 wildcards. > I wasn't confusing anything, rather considering ways to avoid the presence of NSEC records in the chain, as a possible simplification. Presumably the server operator knows what records are in their zone and can judge the risks for themselves, but I know it isn't ideal. Another option, also not ideal, would be to exclude wildcard TLSA records from using this mechanism. Anyway, let's see how the discussion about RRsets vs messages and the use of DNSSEC libraries goes. If we end up shunting everything to a full validation library this is all moot. Shumon.
- [dane] New version of tls-dnssec-chain draft (-02) Shumon Huque
- Re: [dane] New version of tls-dnssec-chain draft … Viktor Dukhovni
- Re: [dane] New version of tls-dnssec-chain draft … Viktor Dukhovni
- Re: [dane] New version of tls-dnssec-chain draft … Shumon Huque
- Re: [dane] New version of tls-dnssec-chain draft … Shumon Huque
- Re: [dane] New version of tls-dnssec-chain draft … Viktor Dukhovni
- Re: [dane] New version of tls-dnssec-chain draft … Shumon Huque
- Re: [dane] New version of tls-dnssec-chain draft … ietf-dane
- Re: [dane] New version of tls-dnssec-chain draft … Shumon Huque
- Re: [dane] New version of tls-dnssec-chain draft … Viktor Dukhovni