Re: [dane] Behavior in the face of no answer?

Eric Rescorla <ekr@rtfm.com> Thu, 03 May 2012 22:45 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 3 May 2012 15:44:57 -0700
To: Andrew Sullivan <ajs@anvilwalrusden.com>
Cc: dane@ietf.org
Subject: Re: [dane] Behavior in the face of no answer?
Message-ID: <CABcZeBMFV8oiZJfAY1fZ_0bBQWa=q6aBL65AS+W5gBuKmPnwOg@mail.gmail.com>
In-Reply-To: <20120503223745.GC1804@mail.yitter.info>
References: <CABcZeBMY26xrfvAx=UsYN2XnuONZ2vPy9tNwHQALudd=yQDvgA@mail.gmail.com> <0526D60A-3F1B-4C55-9796-256BC2556AAB@vpnc.org> <20120503223745.GC1804@mail.yitter.info>
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>

On Thu, May 3, 2012 at 3:37 PM, Andrew Sullivan <ajs@anvilwalrusden.com> wrote:
> On Thu, May 03, 2012 at 03:20:47PM -0700, Paul Hoffman wrote:
>> From the earlier thread on this topic, I do not think there is "wide agreement" on what is and is not bogus. RFC 4033 and 4035 don't even agree about it.
>>
>
> I'm not sure I agree about this.  There is a possible difference in
> 4033 and 4035 on the meaning of "indeterminate", but I don't know
> anyone who disagrees about "bogus": you ought to be able to validate
> it, and for some reason, you can't.  Whatever the reason is, it's
> bogus.
>
> In this case, what you're talking about is "didn't get an answer".
>
>>    o  If the DNSSEC validation state on the response to the request for
>>       the TLSA RRset is bogus, or if a response is not received or the
>>       response has no data, this MUST cause TLS not to be started or,
>>       if the TLS negotiation is already in progress, MUST cause the
>>       connection to be aborted.
>
> I get the analysis, but I feel rather uncomfortable with it.  If you
> can't get responses from the DNS, surely you have other problems, to
> begin with?

Well, I absolutely have a problem.... I'm under active attack :)

However, if you choose option (a) and hard fail, then all the attacker
can do is create a failure. However, if you choose option (b) then
the attacker is able to cause you to connect to his server even
though the domain operator is trying to serve you a DNSSEC-signed
DANE record which tells you not to accept that cert (if you
could only get that record).

-Ekr
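The hard-fail versus soft-fail argument above can be made concrete with a small model. The following is an added example, not code from the thread, from the draft being discussed, or from any DANE implementation. It models the quoted draft text (bogus, unanswered, or empty TLSA lookup means no TLS) for one TLSA flavour only, usage 3 (DANE-EE) / selector 0 (full certificate) / matching type 1 (SHA-256), and treats Ekr's option (a) as "abort on any of those lookup outcomes" and option (b) as "fall back to whatever non-DANE check the client would otherwise use". The `fallback_accepts` flag, the `DnsState` names and the certificate byte strings are all constructed for the example; the scenario in `attack_outcomes` is an on-path attacker who drops the TLSA response and presents its own certificate.

```python
"""Hard-fail vs soft-fail for a DANE/TLSA client when the TLSA lookup gets no usable answer.

Added example; assumes usage 3 (DANE-EE), selector 0 (full cert), matching type 1 (SHA-256).
"""
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Sequence


class DnsState(Enum):
    """Outcome of the TLSA lookup as seen by the validating client (names are ours)."""
    SECURE = "secure"            # DNSSEC-validated answer
    BOGUS = "bogus"              # should have validated, did not
    NO_RESPONSE = "no_response"  # timeout: response dropped, filtered, or never sent
    NODATA = "nodata"            # answer came back with no TLSA data


@dataclass(frozen=True)
class TlsaRecord:
    usage: int          # 3 = DANE-EE
    selector: int       # 0 = full certificate
    matching_type: int  # 1 = SHA-256
    data: bytes         # certificate association data


@dataclass(frozen=True)
class TlsaLookup:
    state: DnsState
    records: Sequence[TlsaRecord] = ()


class Decision(Enum):
    CONNECT = "connect"
    ABORT = "abort"


def tlsa_for_cert(cert_der: bytes) -> TlsaRecord:
    """The 3 0 1 record a zone owner would publish for this certificate."""
    return TlsaRecord(usage=3, selector=0, matching_type=1, data=hashlib.sha256(cert_der).digest())


def cert_matches(records: Sequence[TlsaRecord], cert_der: bytes) -> bool:
    """True if any 3 0 1 record pins the presented certificate. Other usages/selectors are ignored here."""
    digest = hashlib.sha256(cert_der).digest()
    return any(
        r.usage == 3 and r.selector == 0 and r.matching_type == 1 and r.data == digest
        for r in records
    )


def dane_decision(lookup: TlsaLookup, cert_der: bytes, hard_fail: bool, fallback_accepts: bool) -> Decision:
    """Decide whether to (continue to) connect given the TLSA lookup result and the presented cert.

    hard_fail=True is option (a): bogus / no response / no data => abort, as the quoted draft text says.
    hard_fail=False is option (b): on those outcomes, fall back to the non-DANE check, which this
    model reduces to the caller-supplied boolean fallback_accepts (an assumption for the example).
    """
    if lookup.state is DnsState.SECURE and lookup.records:
        # Validated TLSA data exists: the published record, not the fallback, decides.
        return Decision.CONNECT if cert_matches(lookup.records, cert_der) else Decision.ABORT
    # Bogus, no response, or a (possibly secure) answer with no TLSA data.
    if hard_fail:
        return Decision.ABORT
    return Decision.CONNECT if fallback_accepts else Decision.ABORT


def attack_outcomes() -> Dict[str, Decision]:
    """Constructed scenario: the zone pins the legitimate cert; an on-path attacker drops the
    TLSA response and presents a certificate that the fallback check would accept."""
    legit_cert = b"constructed DER: legitimate server certificate"
    rogue_cert = b"constructed DER: attacker's certificate"
    zone_records = [tlsa_for_cert(legit_cert)]

    answered = TlsaLookup(DnsState.SECURE, zone_records)   # no interference with DNS
    dropped = TlsaLookup(DnsState.NO_RESPONSE)              # attacker suppresses the answer

    return {
        # TLSA record reaches the client: rogue cert is rejected regardless of fallback.
        "answered_legit": dane_decision(answered, legit_cert, hard_fail=True, fallback_accepts=True),
        "answered_rogue": dane_decision(answered, rogue_cert, hard_fail=True, fallback_accepts=True),
        # Option (a): suppressing DNS only buys the attacker a failed connection.
        "dropped_hard": dane_decision(dropped, rogue_cert, hard_fail=True, fallback_accepts=True),
        # Option (b): suppressing DNS lets the attacker's cert through on the fallback path.
        "dropped_soft": dane_decision(dropped, rogue_cert, hard_fail=False, fallback_accepts=True),
    }


if __name__ == "__main__":
    for name, outcome in attack_outcomes().items():
        print(f"{name:15s} -> {outcome.value}")
```

The point the model makes is the one in the message: with the published record in hand the client refuses the rogue certificate either way, so the attacker's only lever is to keep that record from arriving, and option (b) turns that lever into a successful impersonation while option (a) turns it into a connection failure. Whether a secure NODATA answer should also count as "no answer" is exactly what the thread is arguing about; the model follows the quoted draft wording and treats it the same as a dropped response.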