IETF Logo Mail Archive

Re: [dane] Behavior in the face of no answer?

Yoav Nir <ynir@checkpoint.com> Fri, 04 May 2012 21:02 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 615E121F847E for <dane@ietfa.amsl.com>; Fri, 4 May 2012 14:02:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.352
X-Spam-Level:
X-Spam-Status: No, score=-10.352 tagged_above=-999 required=5 tests=[AWL=0.247, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rcfPdxpv8rxc for <dane@ietfa.amsl.com>; Fri, 4 May 2012 14:02:50 -0700 (PDT)
Received: from michael.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 7189121F847C for <dane@ietf.org>; Fri, 4 May 2012 14:02:50 -0700 (PDT)
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.13.8/8.13.8) with ESMTP id q44L2Vsi029148; Sat, 5 May 2012 00:02:44 +0300
X-CheckPoint: {4FA451A2-8-1B221DC2-2FFFF}
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Sat, 5 May 2012 00:02:30 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: Adam Langley <agl@imperialviolet.org>
Date: Sat, 5 May 2012 00:02:33 +0300
Thread-Topic: [dane] Behavior in the face of no answer?
Thread-Index: Ac0qOTes5LQJh05ATY6/rGA7ycvepw==
Message-ID: <13B3A487-2C93-4958-8FE6-63132742181E@checkpoint.com>
References: <CABcZeBMY26xrfvAx=UsYN2XnuONZ2vPy9tNwHQALudd=yQDvgA@mail.gmail.com> <0526D60A-3F1B-4C55-9796-256BC2556AAB@vpnc.org> <20120503223745.GC1804@mail.yitter.info> <CABcZeBMFV8oiZJfAY1fZ_0bBQWa=q6aBL65AS+W5gBuKmPnwOg@mail.gmail.com> <20120504021044.GB4560@mail.yitter.info> <B25C977F-6B4E-458C-879D-A36EDB94DA75@icsi.berkeley.edu> <20120504023602.GA4683@mail.yitter.info> <CABcZeBO93n_C5detefBcOjAoswe2inGKDj65gQPDQmREyGnhAw@mail.gmail.com> <20120504112922.GB4929@mail.yitter.info> <CABcZeBPTTa07iUHo9XL5WrHGMYHwaQzs6xYtiF25O4Jek8E3RQ@mail.gmail.com> <20120504144426.GD4929@mail.yitter.info> <CABcZeBOM_0L42Rng75AsVda9u4G=FH8=OB8Qg=nQpL-BzRoBuQ@mail.gmail.com> <3FF36EBA-F8B1-4D66-BA00-E8E36A7E449D@kumari.net> <CABcZeBP2iRLa76rSXu4A0OwFxP=tqK1ShZ6wv=6wnaEC6uad+w@mail.gmail.com> <CAMfhd9XYS=9SGotCTwa7NJU4L8WFys2rDVsQZxn4a0wz+NxS3Q@mail.gmail.com>
In-Reply-To: <CAMfhd9XYS=9SGotCTwa7NJU4L8WFys2rDVsQZxn4a0wz+NxS3Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
x-cpdlp: 11ae4d7cc4d232b4b8f4e7dae71f168237c961ba9b
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "dane@ietf.org" <dane@ietf.org>
Subject: Re: [dane] Behavior in the face of no answer?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 May 2012 21:02:51 -0000

On May 4, 2012, at 7:18 PM, Adam Langley wrote:

> On Fri, May 4, 2012 at 12:08 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>> Before we discuss how to proceed, I think it would be useful to get agreement
>> on the security analysis. I claim that for Usages 0 and 1, treating
>> TLSA non-response
>> as if no TLSA records exist means that DANE adds minmal/no security
>> value for those
>> usages.
> 
> I believe that you're completely correct.
> 
> Browsers are not going to enable DANE hard fail in the short or medium
> term because of the fraction of clients that have broken DNS and can't
> fetch the records.
<snip />
> However, browsers are not the world. Other clients, which may benefit
> from a smaller, more controlled, deployment may be able to enforce
> DANE hard-fail and see security benefits.
> 
> I would personally suggest that the spec requires hard fail, or at
> least discusses the fact that, without hard-fail, the security
> benefits are moot. Implementations frequently ignore requirements in
> specs, but rarely add to them!

I disagree. I would hate for this group to publish a spec with a MUST level requirement that we fully expect all browsers to ignore. At best this should be a SHOULD with an explanation that not doing this eliminates usages 0 and 1. 

I can think of a heuristic for this. Suppose we have to domain names, one with a valid TLSA record, the other without. The browser could query the DNS for a TLSA record for both of these, and if both answers are received, then TLSA works. In that case, a timeout can rightfully become a hard fail. If no response is received to either query, then either the DNS is broken or the attack is already going on. In that case the user should be warned with the likelier of the two - that the DNS seems to be broken, and certain kinds of attack are possible.

Yoav

v2.8.7 | Report a Bug | By Email