[dane] Deployment considerations - Re: draft-ietf-dane-smime

Dan York <york@isoc.org> Mon, 20 October 2014 17:04 UTC

Return-Path: <york@isoc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 9394C1A6FED for <dane@ietfa.amsl.com>; Mon, 20 Oct 2014 10:04:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id Xk-jwKnbgf5Y for <dane@ietfa.amsl.com>; Mon, 20 Oct 2014 10:04:40 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0089.outbound.protection.outlook.com []) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 967411A1B07 for <dane@ietf.org>; Mon, 20 Oct 2014 09:52:27 -0700 (PDT)
Received: from BLUPR06MB243.namprd06.prod.outlook.com ( by BLUPR06MB866.namprd06.prod.outlook.com ( with Microsoft SMTP Server (TLS) id 15.0.1054.13; Mon, 20 Oct 2014 16:52:25 +0000
Received: from BLUPR06MB243.namprd06.prod.outlook.com ( by BLUPR06MB243.namprd06.prod.outlook.com ( with Microsoft SMTP Server (TLS) id 15.0.1054.13; Mon, 20 Oct 2014 16:52:21 +0000
Received: from BLUPR06MB243.namprd06.prod.outlook.com ([]) by BLUPR06MB243.namprd06.prod.outlook.com ([]) with mapi id 15.00.1054.004; Mon, 20 Oct 2014 16:52:21 +0000
From: Dan York <york@isoc.org>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Thread-Topic: Deployment considerations - Re: [dane] draft-ietf-dane-smime
Thread-Index: AQHP2+CXduy9obN06UaH3lWvHXXI5ZwaKY4AgBgn4ICAAikmgIAEwWaAgAAIoACAABARAA==
Date: Mon, 20 Oct 2014 16:52:21 +0000
Message-ID: <BCC05ED4-DA78-40B6-A1DE-8CDFA3CBE04D@isoc.org>
References: <273F9612-13AF-4CB8-B15C-912AAD04C738@verisign.com> <CF875C06-E4DA-4DCA-A722-5FDEE04B3069@vpnc.org> <67BDE5B6-58C7-4E0B-8CB4-045E51027D85@ieca.com> <3473729E-BC37-48DB-9ACD-FB872CB666DE@vpnc.org> <FE426405-9658-41BD-BD3B-68D358CC3CEB@verisign.com> <63BF3336-C9B8-4D16-BEB7-D42EFBB7A113@vpnc.org>
In-Reply-To: <63BF3336-C9B8-4D16-BEB7-D42EFBB7A113@vpnc.org>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;SRVR:BLUPR06MB243;UriScan:;
x-exchange-antispam-report-test: UriScan:;
x-forefront-prvs: 03706074BC
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(24454002)(189002)(199003)(377454003)(77096002)(2656002)(33656002)(54356999)(40100003)(92726001)(92566001)(76176999)(20776003)(85852003)(50986999)(80022003)(120916001)(19617315012)(99286002)(46102003)(122556002)(4396001)(99396003)(36756003)(85306004)(93886004)(95666004)(87936001)(110136001)(229853001)(15202345003)(76482002)(83716003)(106116001)(105586002)(101416001)(66066001)(230783001)(15975445006)(21056001)(31966008)(86362001)(97736003)(106356001)(82746002)(107046002)(19580395003)(16236675004)(19580405001)(64706001)(15395725005)(104396001); DIR:OUT; SFP:1101; SCL:1; SRVR:BLUPR06MB243; H:BLUPR06MB243.namprd06.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:3; A:3; LANG:en;
Content-Type: multipart/alternative; boundary="_000_BCC05ED4DA7840B6A1DE8CDFA3CBE04Disocorg_"
MIME-Version: 1.0
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:BLUPR06MB866;
X-OriginatorOrg: isoc.org
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/hJ5CSfEIO42tl9NGegw0PhO5TCo
Cc: "<dane@ietf.org>" <dane@ietf.org>
Subject: [dane] Deployment considerations - Re: draft-ietf-dane-smime
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Oct 2014 17:04:43 -0000

On Oct 20, 2014, at 11:54 AM, Paul Hoffman <paul.hoffman@vpnc.org<mailto:paul.hoffman@vpnc.org>> wrote:

On Oct 20, 2014, at 8:23 AM, Osterweil, Eric <eosterweil@verisign.com<mailto:eosterweil@verisign.com>> wrote:

, so necessarily coupling the RRs doesn’t seem to make sense.

It has so far in the WG. The WG asked us early on to make as few changes as possible to the TLSA definition.

This is a key point to me.  If we are to make DANE truly successful and get DANE-related records out there widely, they need to be *easily* deployed out there.  Right now, for a great number of people out there, their experience of adding DNS records is to go to their DNS hosting provider (or very often their DNS *registrar* that is also doing the DNS hosting for them) and enter in DNS records through some form of web interface.

One of the challenges we *already* face is to get those DNS hosting providers to add support for TLSA records.  I just went to the "domain manager" for an extremely larger registrar/hosting provider and looked at the list of DNS records that I can add as a user:  A, CNAME, MX, TXT, SPF, SRV, AAAA, NS.   No TLSA.  No option I saw to edit the zone file directly.

Until we can get that large DNS registrar/hosting provider to add support for TLSA records to the management GUI, all the people using them can't use DANE.    Given the zillion other things they want to do, I would suspect that it's going to take some good number of customers asking to get them to do so.   And that's just *one* DNS hosting provider.

I think it's going to be hard enough to get DNS hosting providers to add the TLSA record to their list of supported record types, let alone asking them to *also* add the SMIMEA record to the list of supported record types.  BUT... if SMIMEA is basically a renamed TLSA, then you can make that argument to them "it's just the same fields you have for TLSA but with a different name".  If they have already added TLSA support, adding SMIMEA can be just a case of re-using the code.   However, if SMIMEA adds more fields then it means the DNS hosting providers have to develop new code... and so the case has to be made to all of them about why they should add yet-another-record-type to their GUIs.

Personally, I think it would be great if every "DANE-like" usage would just use the TLSA record... then we have to only fight that battle once to get it added into configuration/management GUIs.    But if we are to create other TLSA-like records to have different names, let's at least please keep them the same so that we can get them all more easily deployed.

My 2 cents,

Dan York
Senior Content Strategist, Internet Society
york@isoc.org<mailto:york@isoc.org>   +1-802-735-1624
Jabber: york@jabber.isoc.org<mailto:york@jabber.isoc.org>
Skype: danyork   http://twitter.com/danyork