[dane] srv-09 comments

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 16 February 2015 17:01 UTC

Date: Mon, 16 Feb 2015 17:01:23 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20150216170123.GR1260@mournblade.imrryr.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/HNxzrHGxpOaqUZoUouMwzk5SfP4>
Subject: [dane] srv-09 comments

[ Note, I've read only the changes from -08, not the whole document. ]

Section 3.4 (Impact on TLSA Usage) second bullet:

  Revert the change from -08 to -09.  The -08 language:

    If the TLSA response is "insecure", then the client SHALL proceed ...

  was correct; the -09 language opens the door to downgrade attacks:

    If the TLSA lookup fails, then the client SHALL proceed as if the ...

Section 3.1 (SRV Query):

  Quote:

    If the lookup result is "insecure" (or no SRV records are located),
    this protocol does not apply and the client SHOULD fall back to its
    non-DNSSEC, non-DANE (and possibly non-SRV) behavior.  If the SRV
    lookup fails because the RRset is "bogus", the client MUST abort its
    attempt to connect to the desired service.

  Note that *any* SRV lookup error, not just "bogus", needs to
  trigger connection failure.  Timeout, SERVFAIL, ... all of these
  are potential downgrade attacks.  Here, "error" is in the sense of
  section 2.1.1 of the SMTP draft (NXDOMAIN, either "secure" or
  "insecure", is NOT an error).

  In light of that, the parenthetical comment "(or no SRV records
  are located)" should perhaps be made more precise.

    (or the lookup result is a denial of existence, whether "secure" or
     "insecure", but is not a lookup error)

  Also please update your xml2rfc reference cache, the SMTP draft
  reference should be to version 13.

-- 
	Viktor.
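The distinction the message draws (a DNSSEC "insecure" result or a denial of existence means "fall back", while "bogus", SERVFAIL and timeouts must abort, because they are indistinguishable from an active downgrade) can be written down as a small decision function. The following is an added illustration, not code from the draft or from the author; the `Validation`/`LookupResult`/`Action` types and the `tlsa_action_09_wording` function are constructed here to contrast the -08 wording with the -09 wording the message objects to.

```python
from dataclasses import dataclass
from enum import Enum


class Validation(Enum):
    """Outcome of a DNSSEC-validating lookup (modelled for this example)."""
    SECURE = "secure"       # validated answer, or validated denial of existence
    INSECURE = "insecure"   # provably unsigned delegation
    BOGUS = "bogus"         # signatures present but validation failed
    ERROR = "error"         # SERVFAIL, timeout, or any other lookup failure


@dataclass(frozen=True)
class LookupResult:
    validation: Validation
    records: tuple = ()     # empty tuple models NXDOMAIN / NODATA (denial of existence)


class Action(Enum):
    DANE = "connect using the validated SRV target and DANE-verified TLS"
    FALLBACK = "fall back to non-DNSSEC, non-DANE (possibly non-SRV) behaviour"
    ABORT = "abort the connection attempt"


def srv_action(srv: LookupResult) -> Action:
    """Client decision after the SRV lookup, following the message's rule:
    only a validated answer proceeds to DANE; "insecure" and denial of
    existence fall back; everything else is treated as an attack and aborts."""
    if srv.validation is Validation.SECURE:
        return Action.DANE if srv.records else Action.FALLBACK
    if srv.validation is Validation.INSECURE:
        return Action.FALLBACK
    # BOGUS, SERVFAIL, timeout: a downgrade attacker can produce all of these,
    # so they must not be allowed to turn into "just connect without DANE".
    return Action.ABORT


def tlsa_action(tlsa: LookupResult) -> Action:
    """The -08 wording: only an "insecure" TLSA response (or a validated
    denial of existence) means "proceed as if no TLSA records exist"."""
    if tlsa.validation is Validation.SECURE:
        return Action.DANE if tlsa.records else Action.FALLBACK
    if tlsa.validation is Validation.INSECURE:
        return Action.FALLBACK
    return Action.ABORT


def tlsa_action_09_wording(tlsa: LookupResult) -> Action:
    """The -09 wording as the message reads it: "if the TLSA lookup fails,
    proceed as if ..." lumps bogus and lookup errors together with insecure,
    which is exactly the downgrade the message warns about."""
    if tlsa.validation is Validation.SECURE and tlsa.records:
        return Action.DANE
    return Action.FALLBACK


def connect_action(srv: LookupResult, tlsa: LookupResult) -> Action:
    """Combined decision: the TLSA lookup only matters once the SRV lookup
    has produced a validated target."""
    first = srv_action(srv)
    if first is not Action.DANE:
        return first
    return tlsa_action(tlsa)


if __name__ == "__main__":
    # Constructed sample outcomes, not real DNS data.
    secure_srv = LookupResult(Validation.SECURE, (("mail.example.com.", 25),))
    tampered = LookupResult(Validation.ERROR)        # e.g. an induced timeout
    print("-08 rule on induced error:", tlsa_action(tampered).value)
    print("-09 rule on induced error:", tlsa_action_09_wording(tampered).value)
    print("end-to-end, secure SRV + bogus TLSA:",
          connect_action(secure_srv, LookupResult(Validation.BOGUS)).value)
```

The two TLSA functions take the same input; the only difference is whether a lookup failure is folded into the "insecure" branch, which is the one-word change the message asks to revert.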