IETF Logo Mail Archive

Re: [dane] Behavior in the face of no answer?

Mark Andrews <marka@isc.org> Wed, 16 May 2012 02:15 UTC

Return-Path: <marka@isc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 154CC11E80B5 for <dane@ietfa.amsl.com>; Tue, 15 May 2012 19:15:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.115
X-Spam-Level:
X-Spam-Status: No, score=-2.115 tagged_above=-999 required=5 tests=[AWL=0.484, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N4Be3KUbuMj9 for <dane@ietfa.amsl.com>; Tue, 15 May 2012 19:15:18 -0700 (PDT)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by ietfa.amsl.com (Postfix) with ESMTP id 51CF911E8095 for <dane@ietf.org>; Tue, 15 May 2012 19:15:18 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "mail.isc.org", Issuer "RapidSSL CA" (not verified)) by mx.ams1.isc.org (Postfix) with ESMTPS id 7C99A5F9A30; Wed, 16 May 2012 02:15:03 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (unknown [IPv6:2001:470:1f00:820:210b:6ab2:ca5:2c98]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id 6E9CE216C33; Wed, 16 May 2012 02:15:01 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id 6E54A20A8104; Wed, 16 May 2012 12:14:59 +1000 (EST)
To: mrex@sap.com
From: Mark Andrews <marka@isc.org>
References: <201205151652.q4FGqFZP020706@fs4113.wdf.sap.corp>
In-reply-to: Your message of "Tue, 15 May 2012 18:52:15 +0200." <201205151652.q4FGqFZP020706@fs4113.wdf.sap.corp>
Date: Wed, 16 May 2012 12:14:59 +1000
Message-Id: <20120516021459.6E54A20A8104@drugs.dv.isc.org>
Cc: paul.hoffman@vpnc.org, dane@ietf.org
Subject: Re: [dane] Behavior in the face of no answer?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 May 2012 02:15:19 -0000

In message <201205151652.q4FGqFZP020706@fs4113.wdf.sap.corp>rp>, Martin Rex writes
:
> Eric Rescorla wrote:
> > 
> > > If an application has any indication that TLSA is in use (such as
> > > through a configuration setting), that application MUST not start a TLS
> > > connection or abort a TLS handshake if either of the two criteria above a
> re
> > > not met.
> > 
> > I feel like this is confusing. There are two senses in which TLSA might
> > be "in use". (1) The application is trying to retrieve it. (2) The DNS serv
> er
> > is serving it. We're clearly in the first case, and it's the second which
> > is unknown to us b/c under control of the attacker. Perhaps you
> > mean to say "Applicaions SHOULD offer a setting to allow users to
> > set strict TLSA checking, in which case..."
> 
> Similar to OCSP, any hard-fail requirement is going to create a
> significant usability issue, and at worst, cause users to fallback
> from a HTTPS-but-not-DANE-verifiable URL for a login page to
> a plain HTTP login page -- which is making things *MUCH* worse.

No. It is NOT similar to OCSP.  OSCP answers come from somewhere
else.  For 99.99% of TLSA answers they come from the *same* zone
as the address/CNAME/SRV records of the server you are connecting
to.  If you can get one you should to 99.99% be able to get the
answer to the other.

If you get a answer to the address query but not the TLSA query you
will almost certainly have a broken DNS proxy and if I was a web
browser vendor I would be putting up a big message saying:

	You appear to have a broken DNS proxy.  Please contact
	you DNS proxy vendor for a fix.  For more information
	click hear: http://browser.vendor/broken_DNS_proxy.html

> I do not believe in DANE hard-fail without a DNSSEC records stapling
> TLS extension (similar to the OCSP stapling TLS extension).
>  
> And as a fallback, browsers could use a TLSA & server-cert lock, i.e.
> memorizing information from the last visit of a site and using that
> to perform server endpoint identification in case that DNSSEC lookups
> fail when roaming.
> 
> 
> -Martin
> 
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.8.7 | Report a Bug | By Email