Re: [dane] Lukewarm discussion: DANE for opportunistic TLS protocols

Paul Wouters <paul@nohats.ca> Fri, 21 February 2014 16:00 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1CD701A0279 for <dane@ietfa.amsl.com>; Fri, 21 Feb 2014 08:00:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.548
X-Spam-Level:
X-Spam-Status: No, score=-2.548 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.548] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A-bhQ_KEGaDy for <dane@ietfa.amsl.com>; Fri, 21 Feb 2014 08:00:04 -0800 (PST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) by ietfa.amsl.com (Postfix) with ESMTP id 02BDA1A01D3 for <dane@ietf.org>; Fri, 21 Feb 2014 08:00:03 -0800 (PST)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 5730E800AF; Fri, 21 Feb 2014 10:59:59 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1392998399; bh=3dEkbShCUVIpVVyJ8cn8o4E9pbEyaj1yXF69dWckkS0=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=hFuWm7j19iti1M+td6jDfsfaRrLP28Q1YXiiyUCc3eI08aO8njaHcZNPTPAM5ImCD TJtsThtR1gdnHMSZLHWZj+LPVCKll8cXi/j0n5Regeose7uCGu5JosBDha6fDZFTk0 nQ0DX0QtPrxAERQuvitIg7cBKj+51Nm82eHxf2p8=
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.14.7/8.14.7/Submit) with ESMTP id s1LFxwSs015473; Fri, 21 Feb 2014 10:59:59 -0500
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Fri, 21 Feb 2014 10:59:58 -0500 (EST)
From: Paul Wouters <paul@nohats.ca>
To: Nicholas Weaver <nweaver@icsi.berkeley.edu>
In-Reply-To: <DE057EDD-22E0-4268-8C81-A276761C0F97@icsi.berkeley.edu>
Message-ID: <alpine.LFD.2.10.1402211058100.3311@bofh.nohats.ca>
References: <20140214200002.GK278@mournblade.imrryr.org> <m37g8x2trc.fsf@carbon.jhcloos.org> <B06F0F91-7200-4ACF-BBB5-7BDC942DBFB8@vpnc.org> <CAMm+LwiDQwPy0uj4ja=ngnwuAzqNLC28JV=4hk-Bu5F8UTdX8A@mail.gmail.com> <DE057EDD-22E0-4268-8C81-A276761C0F97@icsi.berkeley.edu>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/L0R6yTqxuy4BXUVjPhw-sR1IYds
Cc: "<dane@ietf.org>" <dane@ietf.org>
Subject: Re: [dane] Lukewarm discussion: DANE for opportunistic TLS protocols
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Feb 2014 16:00:06 -0000

On Fri, 21 Feb 2014, Nicholas Weaver wrote:

> The only disadvantage is that on the server side you need to get this data fairly frequently, since the timeout may be fast (first expiring RRSIG on the chain of validation from . to the DANE record), which means the very rarely updating certificate store model common to web servers isn't appropriate, but that's no real-big-deal.

huh? If I put a 9999999 rrsig timeout on my TLSA signature, once you
fetched it, it is pretty irrelevant that somewhere upstream an rrsig
expired.

Are you suggesting resolvers should throw away chains of dns from the
cache once a single rrsig expires?

Paul