Re: [dane] New version of tls-dnssec-chain draft (-02)
Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 10 November 2015 19:35 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D7C21B3DAB for <dane@ietfa.amsl.com>; Tue, 10 Nov 2015 11:35:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7ParrB467Qk4 for <dane@ietfa.amsl.com>; Tue, 10 Nov 2015 11:35:34 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 637CB1B3DA2 for <dane@ietf.org>; Tue, 10 Nov 2015 11:35:25 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 26C91284D70; Tue, 10 Nov 2015 19:35:24 +0000 (UTC)
Date: Tue, 10 Nov 2015 19:35:24 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20151110193523.GP18315@mournblade.imrryr.org>
References: <CAHPuVdXgCHb4UfXi3smFOsQxN8nRSzd2c17xr_TOF=snSBHVJg@mail.gmail.com> <20151109045334.GU18315@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20151109045334.GU18315@mournblade.imrryr.org>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/GuhaJjfSkIgj_uLaAzUorKst7rA>
Subject: Re: [dane] New version of tls-dnssec-chain draft (-02)
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2015 19:35:37 -0000
On Mon, Nov 09, 2015 at 04:53:34AM +0000, Viktor Dukhovni wrote:
> I still think this should support and use DNS compression.
>
> Each RRset in the chain is composed of a sequence of wire format DNS
> resource records. The format of the resource record is described in
> RFC 1035 [RFC1035], Section 3.2.1. The resource records SHOULD be
> presented in the canonical form and ordering as described in RFC 4034
> [RFC4034].
>
> RRs within the RRset are ordered canonically, by treating the RDATA
> portion of each RR as a left-justified unsigned octet sequence in
> which the absence of an octet sorts before a zero octet.
>
> Here, I'd like to lift both the restriction on the order and
> canonical form. In which case, the server can return the
> records in exactly the form it obtained them from its own DNS
> server, likely not canonically ordered, and quite possibly with
> compression!
An alternative, (given that the server is expected to cache the
extension and the server-side processing cost is presumably ammortized
over multiple requests) is to collapse all the relevant RRsets into
a single ("recompressed" by the server) DNS packet in which the
initial TLSA RRset (preceded by any CNAME/DNAME and related RRSIG
records that lead to this RRset) and its RRSIG appear in the "answer"
section, while all the other records, (relevant RRSIG, DNSKEY and
DS records of parent zones) are in the "additional" section.
This single DNS "jumbo" packet can be picked apart and processed
by a suitable DNS library that has existing code to process DNS
packets with multiple RRsets (in multiple sections), in this case,
as though the reply came from a root server, so that all the
additional records are "in bailiwick".
Of course the library might still need new code to support DANE
processing in this new way, but there's a chance it might "just
work", if all the RRsets are imported before any are verified.
--
Viktor.
- [dane] New version of tls-dnssec-chain draft (-02) Shumon Huque
- Re: [dane] New version of tls-dnssec-chain draft … Viktor Dukhovni
- Re: [dane] New version of tls-dnssec-chain draft … Viktor Dukhovni
- Re: [dane] New version of tls-dnssec-chain draft … Shumon Huque
- Re: [dane] New version of tls-dnssec-chain draft … Shumon Huque
- Re: [dane] New version of tls-dnssec-chain draft … Viktor Dukhovni
- Re: [dane] New version of tls-dnssec-chain draft … Shumon Huque
- Re: [dane] New version of tls-dnssec-chain draft … ietf-dane
- Re: [dane] New version of tls-dnssec-chain draft … Shumon Huque
- Re: [dane] New version of tls-dnssec-chain draft … Viktor Dukhovni