Re: [dane] Behavior in the face of no answer?
Mark Andrews <marka@isc.org> Wed, 16 May 2012 02:15 UTC
Return-Path: <marka@isc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix)
with ESMTP id 154CC11E80B5 for <dane@ietfa.amsl.com>;
Tue, 15 May 2012 19:15:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.115
X-Spam-Level:
X-Spam-Status: No, score=-2.115 tagged_above=-999 required=5 tests=[AWL=0.484,
BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N4Be3KUbuMj9 for
<dane@ietfa.amsl.com>; Tue, 15 May 2012 19:15:18 -0700 (PDT)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by
ietfa.amsl.com (Postfix) with ESMTP id 51CF911E8095 for <dane@ietf.org>;
Tue, 15 May 2012 19:15:18 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19])
(using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN
"mail.isc.org", Issuer "RapidSSL CA" (not verified)) by mx.ams1.isc.org
(Postfix) with ESMTPS id 7C99A5F9A30;
Wed, 16 May 2012 02:15:03 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (unknown
[IPv6:2001:470:1f00:820:210b:6ab2:ca5:2c98]) (using TLSv1 with cipher
DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by
bikeshed.isc.org (Postfix) with ESMTPSA id 6E9CE216C33;
Wed, 16 May 2012 02:15:01 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org
(Postfix) with ESMTP id 6E54A20A8104; Wed, 16 May 2012 12:14:59 +1000 (EST)
To: mrex@sap.com
From: Mark Andrews <marka@isc.org>
References: <201205151652.q4FGqFZP020706@fs4113.wdf.sap.corp>
In-reply-to: Your message of "Tue, 15 May 2012 18:52:15 +0200."
<201205151652.q4FGqFZP020706@fs4113.wdf.sap.corp>
Date: Wed, 16 May 2012 12:14:59 +1000
Message-Id: <20120516021459.6E54A20A8104@drugs.dv.isc.org>
Cc: paul.hoffman@vpnc.org, dane@ietf.org
Subject: Re: [dane] Behavior in the face of no answer?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>,
<mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>,
<mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 May 2012 02:15:19 -0000
In message <201205151652.q4FGqFZP020706@fs4113.wdf.sap.corp>rp>, Martin Rex writes : > Eric Rescorla wrote: > > > > > If an application has any indication that TLSA is in use (such as > > > through a configuration setting), that application MUST not start a TLS > > > connection or abort a TLS handshake if either of the two criteria above a > re > > > not met. > > > > I feel like this is confusing. There are two senses in which TLSA might > > be "in use". (1) The application is trying to retrieve it. (2) The DNS serv > er > > is serving it. We're clearly in the first case, and it's the second which > > is unknown to us b/c under control of the attacker. Perhaps you > > mean to say "Applicaions SHOULD offer a setting to allow users to > > set strict TLSA checking, in which case..." > > Similar to OCSP, any hard-fail requirement is going to create a > significant usability issue, and at worst, cause users to fallback > from a HTTPS-but-not-DANE-verifiable URL for a login page to > a plain HTTP login page -- which is making things *MUCH* worse. No. It is NOT similar to OCSP. OSCP answers come from somewhere else. For 99.99% of TLSA answers they come from the *same* zone as the address/CNAME/SRV records of the server you are connecting to. If you can get one you should to 99.99% be able to get the answer to the other. If you get a answer to the address query but not the TLSA query you will almost certainly have a broken DNS proxy and if I was a web browser vendor I would be putting up a big message saying: You appear to have a broken DNS proxy. Please contact you DNS proxy vendor for a fix. For more information click hear: http://browser.vendor/broken_DNS_proxy.html > I do not believe in DANE hard-fail without a DNSSEC records stapling > TLS extension (similar to the OCSP stapling TLS extension). > > And as a fallback, browsers could use a TLSA & server-cert lock, i.e. > memorizing information from the last visit of a site and using that > to perform server endpoint identification in case that DNSSEC lookups > fail when roaming. > > > -Martin > > _______________________________________________ > dane mailing list > dane@ietf.org > https://www.ietf.org/mailman/listinfo/dane -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Paul Hoffman
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Behavior in the face of no answer? Paul Hoffman
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Tom Ritter
- Re: [dane] Behavior in the face of no answer? Warren Kumari
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Adam Langley
- Re: [dane] Behavior in the face of no answer? Paul Hoffman
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Yoav Nir
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Yoav Nir
- Re: [dane] Behavior in the face of no answer? Ondrej Mikle
- Re: [dane] Behavior in the face of no answer? Warren Kumari
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Paul Hoffman
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Paul Hoffman
- Re: [dane] Behavior in the face of no answer? Adam Langley
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Paul Hoffman
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? John Gilmore
- Re: [dane] Behavior in the face of no answer? Yoav Nir
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Tony Finch
- Re: [dane] Behavior in the face of no answer? Tony Finch
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Tony Finch
- Re: [dane] Behavior in the face of no answer? Scott Schmit
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Ondrej Mikle
- Re: [dane] Behavior in the face of no answer? Tony Finch
- Re: [dane] Behavior in the face of no answer? Ondrej Mikle
- Re: [dane] Behavior in the face of no answer? John Gilmore
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Paul Hoffman
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Paul Hoffman
- Re: [dane] Behavior in the face of no answer? Warren Kumari
- Re: [dane] Behavior in the face of no answer? Nicholas Weaver
- Re: [dane] Behavior in the face of no answer? Warren Kumari
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Warren Kumari
- Re: [dane] Behavior in the face of no answer? Warren Kumari
- Re: [dane] Behavior in the face of no answer? John Gilmore
- Re: [dane] Behavior in the face of no answer? John Gilmore
- [dane] Network errors ARE attacks - on the end-to… John Gilmore
- Re: [dane] Behavior in the face of no answer? Mark Andrews
- Re: [dane] Behavior in the face of no answer? Martin Rex
- Re: [dane] Network errors ARE attacks - on the en… Martin Rex
- Re: [dane] Network errors ARE attacks - on the en… Yoav Nir
- Re: [dane] Network errors ARE attacks - on the en… Henry Story
- Re: [dane] Network errors ARE attacks - on the en… Henry Story
- Re: [dane] Network errors ARE attacks - on the en… SM
- Re: [dane] Network errors ARE attacks - on the en… Michael Richardson
- Re: [dane] Network errors ARE attacks - on the en… Andrew Sullivan
- Re: [dane] Behavior in the face of no answer? Eric Rescorla
- Re: [dane] Behavior in the face of no answer? Paul Wouters
- Re: [dane] Network errors ARE attacks - on the en… Mark Andrews
- Re: [dane] Network errors ARE attacks - on the en… Warren Kumari
- Re: [dane] Network errors ARE attacks - on the en… Phillip Hallam-Baker