Re: [dane] Behavior in the face of no answer?

Paul Wouters <paul@cypherpunks.ca> Fri, 04 May 2012 20:52 UTC

Return-Path: <paul@cypherpunks.ca>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0038A21F854E for <dane@ietfa.amsl.com>; Fri, 4 May 2012 13:52:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.535
X-Spam-Level:
X-Spam-Status: No, score=-0.535 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HOST_EQ_D_D_D_D=0.765, FH_HOST_EQ_D_D_D_DB=0.888, HOST_MISMATCH_COM=0.311, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WCxO469BwfVG for <dane@ietfa.amsl.com>; Fri, 4 May 2012 13:52:56 -0700 (PDT)
Received: from letoams.cypherpunks.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) by ietfa.amsl.com (Postfix) with ESMTP id 20F7A21F854D for <dane@ietf.org>; Fri, 4 May 2012 13:52:55 -0700 (PDT)
Received: by letoams.cypherpunks.ca (Postfix, from userid 500) id 6AEE8855F9; Fri, 4 May 2012 16:52:55 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by letoams.cypherpunks.ca (Postfix) with ESMTP id 5555A855F8; Fri, 4 May 2012 16:52:55 -0400 (EDT)
Date: Fri, 4 May 2012 16:52:55 -0400 (EDT)
From: Paul Wouters <paul@cypherpunks.ca>
X-X-Sender: paul@bofh.nohats.ca
To: Andrew Sullivan <ajs@anvilwalrusden.com>
In-Reply-To: <20120504202121.GJ7394@mail.yitter.info>
Message-ID: <alpine.LFD.2.02.1205041642370.8015@bofh.nohats.ca>
References: <20120504023602.GA4683@mail.yitter.info> <CABcZeBO93n_C5detefBcOjAoswe2inGKDj65gQPDQmREyGnhAw@mail.gmail.com> <20120504112922.GB4929@mail.yitter.info> <CABcZeBPTTa07iUHo9XL5WrHGMYHwaQzs6xYtiF25O4Jek8E3RQ@mail.gmail.com> <20120504144426.GD4929@mail.yitter.info> <CABcZeBOM_0L42Rng75AsVda9u4G=FH8=OB8Qg=nQpL-BzRoBuQ@mail.gmail.com> <20120504165512.GC7394@mail.yitter.info> <CABcZeBO4zRSa=JexqZ8uw7o26tM4SZk2GDivTAWD5ZF1pZR9Og@mail.gmail.com> <20120504194132.GF7394@mail.yitter.info> <alpine.LFD.2.02.1205041553030.7798@bofh.nohats.ca> <20120504202121.GJ7394@mail.yitter.info>
User-Agent: Alpine 2.02 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
Cc: dane@ietf.org
Subject: Re: [dane] Behavior in the face of no answer?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 May 2012 20:52:57 -0000

On Fri, 4 May 2012, Andrew Sullivan wrote:

> This isn't "will cause TLSA not to work", it's
> "can't use TLS at all on that system".

But you cannot tell the difference between maliciously "not supporting"
and "pretending to not support so you will not request TLSA".

> I have no idea whether there
> are such configurations in the wild, but they're pefectly acceptable
> under the standards we have.  It seems to me, therefore, that one
> needs to be able to turn off TLSA use under such circumstances, if
> we're going to say that such failures must "fail hard".

These can certainly happen. But an application or device can then use
its own validating resolver. This only becomes a problem when there is
both a broken old DNS deployment, AND additional firewalling preventing
one from bypassing that old DNS deployment. I'm willing to call those
networks "broken by design", and I'm fine with hard failing. But I don't
have to man a support desk.

This does assume that if an application that wants to support TLSA would
have to have a validating resolver built in to fall back to, along with
a root key. Alternatively, the local policy could be that if generic
DNSSEC is failing (eg a query to the a root server for a root zone record
fails to come back with proper RRSIG/NSEC* records) that no attempts to
use TLSA are done. But that is a local policy decision, one that I would
override to hard fail (but my father probably would be ok with)

Paul