Re: [dane] Behavior in the face of no answer?

Paul Wouters <paul@cypherpunks.ca> Tue, 15 May 2012 12:19 UTC

Date: Tue, 15 May 2012 08:19:24 -0400 (EDT)
From: Paul Wouters <paul@cypherpunks.ca>
To: Andrew Sullivan <ajs@anvilwalrusden.com>
In-Reply-To: <20120515112154.GA20521@mail.yitter.info>
Message-ID: <alpine.LFD.2.02.1205150816001.14601@bofh.nohats.ca>
References: <CABcZeBMY26xrfvAx=UsYN2XnuONZ2vPy9tNwHQALudd=yQDvgA@mail.gmail.com> <643D87CD-D01E-47B8-82E5-D3F57D50C80B@vpnc.org> <alpine.LFD.2.02.1205142229552.10990@bofh.nohats.ca> <CABcZeBMS9cJ3m6JwJED7XAqdsF=zbTUUU_o3-opiZvqMyr7mdw@mail.gmail.com> <alpine.LFD.2.02.1205142352010.10990@bofh.nohats.ca> <20120515112154.GA20521@mail.yitter.info>
User-Agent: Alpine 2.02 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
Cc: dane@ietf.org
Subject: Re: [dane] Behavior in the face of no answer?
Precedence: list

On Tue, 15 May 2012, Andrew Sullivan wrote:

>> warnings. It's really the same as disabling TLSA. Or else we're going to
>> have to teach browsers to remember previous TLSA state and only warn
>> when we knew the site used to publish TLSA, but now we are
>> indeterminate.
>
> Surely, that's just as bad an idea; the fact that the DNS used to
> contain a AAAA record is no guide to whether a site is supporting
> IPv6 today, by way of analogy.

Yes, it is as bad as the cert partrol plugin that tracks PKIX states
in a browser. But it's better then disabling TLSA at all in the face
of DNS errors (where we assume most errors are genuine network errors
and not attacks).

Paul

[dane] Behavior in the face of no answer? Eric Rescorla
Re: [dane] Behavior in the face of no answer? Nicholas Weaver
Re: [dane] Behavior in the face of no answer? Paul Hoffman
Re: [dane] Behavior in the face of no answer? Andrew Sullivan
Re: [dane] Behavior in the face of no answer? Paul Wouters
Re: [dane] Behavior in the face of no answer? Eric Rescorla
Re: [dane] Behavior in the face of no answer? Eric Rescorla
Re: [dane] Behavior in the face of no answer? Martin Rex
Re: [dane] Behavior in the face of no answer? Paul Hoffman
Re: [dane] Behavior in the face of no answer? Paul Wouters
Re: [dane] Behavior in the face of no answer? Andrew Sullivan
Re: [dane] Behavior in the face of no answer? Andrew Sullivan
Re: [dane] Behavior in the face of no answer? Nicholas Weaver
Re: [dane] Behavior in the face of no answer? Andrew Sullivan
Re: [dane] Behavior in the face of no answer? Martin Rex
Re: [dane] Behavior in the face of no answer? Eric Rescorla
Re: [dane] Behavior in the face of no answer? Andrew Sullivan
Re: [dane] Behavior in the face of no answer? Andrew Sullivan
Re: [dane] Behavior in the face of no answer? Nicholas Weaver
Re: [dane] Behavior in the face of no answer? Andrew Sullivan
Re: [dane] Behavior in the face of no answer? Eric Rescorla
Re: [dane] Behavior in the face of no answer? Nicholas Weaver
Re: [dane] Behavior in the face of no answer? Andrew Sullivan
Re: [dane] Behavior in the face of no answer? Eric Rescorla
Re: [dane] Behavior in the face of no answer? Tom Ritter
Re: [dane] Behavior in the face of no answer? Warren Kumari
Re: [dane] Behavior in the face of no answer? Eric Rescorla
Re: [dane] Behavior in the face of no answer? Eric Rescorla
Re: [dane] Behavior in the face of no answer? Adam Langley
Re: [dane] Behavior in the face of no answer? Paul Hoffman
Re: [dane] Behavior in the face of no answer? Andrew Sullivan
Re: [dane] Behavior in the face of no answer? Andrew Sullivan
Re: [dane] Behavior in the face of no answer? Martin Rex
Re: [dane] Behavior in the face of no answer? Paul Wouters
Re: [dane] Behavior in the face of no answer? Paul Wouters
Re: [dane] Behavior in the face of no answer? Paul Wouters
Re: [dane] Behavior in the face of no answer? Paul Wouters
Re: [dane] Behavior in the face of no answer? Eric Rescorla
Re: [dane] Behavior in the face of no answer? Martin Rex
Re: [dane] Behavior in the face of no answer? Eric Rescorla
Re: [dane] Behavior in the face of no answer? Eric Rescorla
Re: [dane] Behavior in the face of no answer? Martin Rex
Re: [dane] Behavior in the face of no answer? Andrew Sullivan
Re: [dane] Behavior in the face of no answer? Eric Rescorla
Re: [dane] Behavior in the face of no answer? Paul Wouters
Re: [dane] Behavior in the face of no answer? Andrew Sullivan
Re: [dane] Behavior in the face of no answer? Nicholas Weaver
Re: [dane] Behavior in the face of no answer? Andrew Sullivan
Re: [dane] Behavior in the face of no answer? Yoav Nir
Re: [dane] Behavior in the face of no answer? Paul Wouters
Re: [dane] Behavior in the face of no answer? Yoav Nir
Re: [dane] Behavior in the face of no answer? Ondrej Mikle
Re: [dane] Behavior in the face of no answer? Warren Kumari
Re: [dane] Behavior in the face of no answer? Nicholas Weaver
Re: [dane] Behavior in the face of no answer? Paul Hoffman
Re: [dane] Behavior in the face of no answer? Nicholas Weaver
Re: [dane] Behavior in the face of no answer? Paul Hoffman
Re: [dane] Behavior in the face of no answer? Adam Langley
Re: [dane] Behavior in the face of no answer? Nicholas Weaver
Re: [dane] Behavior in the face of no answer? Andrew Sullivan
Re: [dane] Behavior in the face of no answer? Paul Hoffman
Re: [dane] Behavior in the face of no answer? Nicholas Weaver
Re: [dane] Behavior in the face of no answer? John Gilmore
Re: [dane] Behavior in the face of no answer? Yoav Nir
Re: [dane] Behavior in the face of no answer? Martin Rex
Re: [dane] Behavior in the face of no answer? Andrew Sullivan
Re: [dane] Behavior in the face of no answer? Tony Finch
Re: [dane] Behavior in the face of no answer? Tony Finch
Re: [dane] Behavior in the face of no answer? Paul Wouters
Re: [dane] Behavior in the face of no answer? Paul Wouters
Re: [dane] Behavior in the face of no answer? Tony Finch
Re: [dane] Behavior in the face of no answer? Scott Schmit
Re: [dane] Behavior in the face of no answer? Paul Wouters
Re: [dane] Behavior in the face of no answer? Ondrej Mikle
Re: [dane] Behavior in the face of no answer? Tony Finch
Re: [dane] Behavior in the face of no answer? Ondrej Mikle
Re: [dane] Behavior in the face of no answer? John Gilmore
Re: [dane] Behavior in the face of no answer? Nicholas Weaver
Re: [dane] Behavior in the face of no answer? Paul Wouters
Re: [dane] Behavior in the face of no answer? Paul Hoffman
Re: [dane] Behavior in the face of no answer? Eric Rescorla
Re: [dane] Behavior in the face of no answer? Paul Wouters
Re: [dane] Behavior in the face of no answer? Eric Rescorla
Re: [dane] Behavior in the face of no answer? Paul Wouters
Re: [dane] Behavior in the face of no answer? Eric Rescorla
Re: [dane] Behavior in the face of no answer? Paul Wouters
Re: [dane] Behavior in the face of no answer? Andrew Sullivan
Re: [dane] Behavior in the face of no answer? Andrew Sullivan
Re: [dane] Behavior in the face of no answer? Eric Rescorla
Re: [dane] Behavior in the face of no answer? Paul Wouters
Re: [dane] Behavior in the face of no answer? Andrew Sullivan
Re: [dane] Behavior in the face of no answer? Andrew Sullivan
Re: [dane] Behavior in the face of no answer? Andrew Sullivan
Re: [dane] Behavior in the face of no answer? Nicholas Weaver
Re: [dane] Behavior in the face of no answer? Martin Rex
Re: [dane] Behavior in the face of no answer? Eric Rescorla
Re: [dane] Behavior in the face of no answer? Martin Rex
Re: [dane] Behavior in the face of no answer? Eric Rescorla
Re: [dane] Behavior in the face of no answer? Martin Rex
Re: [dane] Behavior in the face of no answer? Eric Rescorla
Re: [dane] Behavior in the face of no answer? Paul Hoffman
Re: [dane] Behavior in the face of no answer? Warren Kumari
Re: [dane] Behavior in the face of no answer? Nicholas Weaver
Re: [dane] Behavior in the face of no answer? Warren Kumari
Re: [dane] Behavior in the face of no answer? Martin Rex
Re: [dane] Behavior in the face of no answer? Eric Rescorla
Re: [dane] Behavior in the face of no answer? Warren Kumari
Re: [dane] Behavior in the face of no answer? Warren Kumari
Re: [dane] Behavior in the face of no answer? John Gilmore
Re: [dane] Behavior in the face of no answer? John Gilmore
[dane] Network errors ARE attacks - on the end-to… John Gilmore
Re: [dane] Behavior in the face of no answer? Mark Andrews
Re: [dane] Behavior in the face of no answer? Martin Rex
Re: [dane] Network errors ARE attacks - on the en… Martin Rex
Re: [dane] Network errors ARE attacks - on the en… Yoav Nir
Re: [dane] Network errors ARE attacks - on the en… Henry Story
Re: [dane] Network errors ARE attacks - on the en… Henry Story
Re: [dane] Network errors ARE attacks - on the en… SM
Re: [dane] Network errors ARE attacks - on the en… Michael Richardson
Re: [dane] Network errors ARE attacks - on the en… Andrew Sullivan
Re: [dane] Behavior in the face of no answer? Eric Rescorla
Re: [dane] Behavior in the face of no answer? Paul Wouters
Re: [dane] Network errors ARE attacks - on the en… Mark Andrews
Re: [dane] Network errors ARE attacks - on the en… Warren Kumari
Re: [dane] Network errors ARE attacks - on the en… Phillip Hallam-Baker