Re: [dane] srv-09 comments
⌘ Matt Miller <mamille2@cisco.com> Mon, 16 February 2015 21:48 UTC
Return-Path: <mamille2@cisco.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 483ED1A88B2 for <dane@ietfa.amsl.com>; Mon, 16 Feb 2015 13:48:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.818
X-Spam-Level:
X-Spam-Status: No, score=-11.818 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, TVD_PH_BODY_ACCOUNTS_PRE=2.393, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qgB4AgBfaZ7V for <dane@ietfa.amsl.com>; Mon, 16 Feb 2015 13:48:28 -0800 (PST)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8BA91A0354 for <dane@ietf.org>; Mon, 16 Feb 2015 13:48:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3233; q=dns/txt; s=iport; t=1424123302; x=1425332902; h=message-id:date:from:mime-version:to:subject:references: in-reply-to:content-transfer-encoding; bh=0OeBr6H1Db2oTkMt/b+QW57I0TtT4PKchV1kM11gziA=; b=iU+ENh2JWOcJ3zc4S8wLEfztNEI0bbEwYzHphjFZn78vf9Q4lPHEJk4t mwauRjrfkDAHZNlsVSt8mEZr6crQEtec+wOX4srlUCjWuy0cal/EO6A1H AlCK01/wX55H975WIJGwRL+dZ2eZkRSTW8TEZE37cBbJgpFV9jE83C9Ux Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BmBQAEZeJU/5tdJa1bgwZSWgSCf781hXkCgRhDAQEBAQEBfIQNAQEEI1URCxgCAgUMCgsCAgkDAgECAUUGDQYCAQGIKbcNlwQBAQEBAQEBAwEBAQEBAQEBFgSBIYlrhDo6CoJegUIFijqIVYVggRiFN4kAgz4iggEBHIFwT4FEfwEBAQ
X-IronPort-AV: E=Sophos;i="5.09,590,1418083200"; d="scan'208";a="124078719"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by alln-iport-1.cisco.com with ESMTP; 16 Feb 2015 21:48:22 +0000
Received: from xhc-aln-x09.cisco.com (xhc-aln-x09.cisco.com [173.36.12.83]) by rcdn-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id t1GLmKVG001114 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for <dane@ietf.org>; Mon, 16 Feb 2015 21:48:20 GMT
Received: from [10.129.24.61] (10.129.24.61) by xhc-aln-x09.cisco.com (173.36.12.83) with Microsoft SMTP Server (TLS) id 14.3.195.1; Mon, 16 Feb 2015 15:48:19 -0600
Message-ID: <54E265A3.8040201@cisco.com>
Date: Mon, 16 Feb 2015 14:48:19 -0700
From: ⌘ Matt Miller <mamille2@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: dane@ietf.org
References: <20150216170123.GR1260@mournblade.imrryr.org> <54E22A70.8050705@cisco.com> <20150216180813.GT1260@mournblade.imrryr.org>
In-Reply-To: <20150216180813.GT1260@mournblade.imrryr.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.129.24.61]
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/YhukJ7Bt-4WVMShyVQqnIDo3CVE>
Subject: Re: [dane] srv-09 comments
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Feb 2015 21:48:30 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 2/16/15 11:08 AM, Viktor Dukhovni wrote: > On Mon, Feb 16, 2015 at 10:35:44AM -0700, ? Matt Miller wrote: > >> Thanks for the feedback! More inline ... >> >>> Section 3.4 (Impact on TLA Usage) second bullet: >>> >>> Revert change from -08 to -09. The -08 language: [...] >> >> The original language did not account for the lack of records, >> but I can see how this is too permissive. Perhaps the following >> is more acceptable (replacing the last two bullets in >> dane-srv-09)? >> >> o If the TLSA response is "bogus" or "indeterminate" (or the >> lookup fails for reasons other than no records), then the client >> MUST NOT connect to the target server (the client can still use >> other SRV targets). >> >> o If the TLSA response is "insecure" (or no TLSA records >> exist), then the client SHALL proceed as if the target server had >> no TLSA records. It MAY connect to the target server with or >> without TLS, subject to the policies of the application protocol >> or client implementation. > > Much better and basically correct, provided that it is clear that > "indeterminate" is the 4035 (not 4033) definition, and the phrase > "fails for reasons other than no records" is sufficiently clear to > the document's audience. It is a somewhat informal phrase... > > In the SMTP draft ([1] below my signature) "no records" (be it > NOERROR with ancount==0 or NXDOMAIN) is defined as a non-error (a > successful empty result). Your taxonomy is different, but my > guess is that the text is good enough. > > [ Is denial of existence of a success or a failure? How many > angels can dance on the head of a pin? ... ] > > ---- Question to the WG at large: > > Anyone see any room for confusion about the meaning of the proposed > text? ---- > >> The parenthetical is meant to account for the lack of SRV >> records, but I can see how that might be too permissive. Is the >> following more acceptable? >> >> If the SRV lookup fails because the RRset is "bogus" (or the >> lookup fails for reasons other than no records), the client MUST >> abort its attempt to connect to the desired service. If the >> lookup result is "insecure" (or no SRV records exist), this >> protocol does not apply and the client SHOULD fall back to its >> non-DNSSEC, non-DANE (and possibly non-SRV) behavior. > > Thanks. Looks fine, provided the "fails for reasons other than no > records" bit is clear enough to the world at large. > I'll submit -10 presently. Thanks again, - -- - - m&m Matt Miller < mamille2@cisco.com > Cisco Systems, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - https://gpgtools.org iQEcBAEBCgAGBQJU4mWjAAoJEDWi+S0W7cO178sIAJO+FPG1S1IsU9Ubsfkojnyl z4wkU7JGolLJ4eZUY+YMndYWpYo2CpxIdyOWN/dSDzIAiVZmgcQk0/3Rf+Z2BUKw /EZXtpzXKLXhTK2qdM2Frb10UjUZ6pmuwZY6eVz00qPJrVqRJF+g9101YNS92gM5 npY1mBX9FWE2Kww9/HV98og6zKxUltlYGb4qhzpKWkLCQRXuWPLUHEKkJZulPpIU 22ECLP1RRp3cBdZwu+QjeKQZsfyj/fg56afVMEawOKdIKHYQXSWJ0tCkzkRq+mv6 6vwEOFnztHaQtFz7+DKOgHKpGpCuN3SfIQ3acmjxea4YbjEL57fbbSG3QYFvUYk= =XWQQ -----END PGP SIGNATURE-----
- Re: [dane] srv-09 comments Viktor Dukhovni
- [dane] srv-09 comments Viktor Dukhovni
- Re: [dane] srv-09 comments ⌘ Matt Miller
- Re: [dane] srv-09 comments ⌘ Matt Miller
- Re: [dane] srv-09 comments Olafur Gudmundsson
- Re: [dane] srv-09 comments ⌘ Matt Miller
- Re: [dane] srv-09 comments Viktor Dukhovni
- Re: [dane] srv-09 comments Paul Wouters
- Re: [dane] srv-09 comments Mark Andrews
- Re: [dane] srv-09 comments Viktor Dukhovni
- Re: [dane] srv-09 comments Mark Andrews