IETF Logo Mail Archive

Re: [dane] Fwd: I-D Action: draft-miller-xmpp-dnssec-prooftype-00.txt

Tony Finch <dot@dotat.at> Thu, 07 June 2012 19:13 UTC

Return-Path: <fanf2@hermes.cam.ac.uk>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 431B711E80A3 for <dane@ietfa.amsl.com>; Thu, 7 Jun 2012 12:13:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.444
X-Spam-Level:
X-Spam-Status: No, score=-6.444 tagged_above=-999 required=5 tests=[AWL=0.155, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C3AOlv2jjR3v for <dane@ietfa.amsl.com>; Thu, 7 Jun 2012 12:13:21 -0700 (PDT)
Received: from ppsw-41.csi.cam.ac.uk (ppsw-41.csi.cam.ac.uk [131.111.8.141]) by ietfa.amsl.com (Postfix) with ESMTP id F2CD111E8072 for <dane@ietf.org>; Thu, 7 Jun 2012 12:13:20 -0700 (PDT)
X-Cam-AntiVirus: no malware found
X-Cam-SpamDetails: not scanned
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from hermes-2.csi.cam.ac.uk ([131.111.8.54]:34680) by ppsw-41.csi.cam.ac.uk (smtp.hermes.cam.ac.uk [131.111.8.156]:25) with esmtpa (EXTERNAL:fanf2) id 1Sci8z-00019z-Rd (Exim 4.72) (return-path <fanf2@hermes.cam.ac.uk>); Thu, 07 Jun 2012 20:13:17 +0100
Received: from fanf2 (helo=localhost) by hermes-2.csi.cam.ac.uk (hermes.cam.ac.uk) with local-esmtp id 1Sci8z-00009l-F5 (Exim 4.67) (return-path <fanf2@hermes.cam.ac.uk>); Thu, 07 Jun 2012 20:13:17 +0100
Date: Thu, 07 Jun 2012 20:13:17 +0100
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-2.csi.cam.ac.uk
To: Matt Miller <mamille2@cisco.com>, Peter Saint-Andre <stpeter@stpeter.im>
In-Reply-To: <DAFA7185-25CD-452A-A533-C5002B21C4CC@cisco.com>
Message-ID: <alpine.LSU.2.00.1206072004470.5807@hermes-2.csi.cam.ac.uk>
References: <20120606153712.8378.19976.idtracker@ietfa.amsl.com> <DAFA7185-25CD-452A-A533-C5002B21C4CC@cisco.com>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Fwd: I-D Action: draft-miller-xmpp-dnssec-prooftype-00.txt
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jun 2012 19:13:22 -0000

This looks mostly good to me - it's going in pretty much the right
direction. By which I mean I am specifying basically the same
semantics for the MUA protocols :-)

The pragmatics of deployment are somewhat different between XMPP and
email, I think, since email deployments usually use certificates for the
server host names whereas XMPP deployments use certificates for the JID
domain. This might mean we have to specify different fallback behaviour. I
haven't pinned down the precise details yet.

Detailed comments and questions:


Section 4 (XMPP SRV + DNSSEC):

There is no mention of CNAME or DNAME indirections. They do not break the
model, provided the entire indirection chain is secure.

Bogus answers should be treated as security failures and cause the
client to abort. Insecure/indeterminate answers should be treated as
if DNSSEC were not present. At the moment the draft treats these the same.

Points 4,5,6: There is no need to check the security status of the SRV
target addresses, since the client is going to verify that the server's
certificate matches the SRV target host name.

Point 7: The client SHOULD check the source domain if the derived
domain doesn't match. Making the source check a MAY is too weak:
you don't want DNSSEC deployment to change a working configuration
into a broken one.


Section 5.1: What if the SRV records specify non-standard port numbers?
Or does "not been delegated" mean the same thing as "missing SRV records"?


Section 5.2: What port number should the client use in the TLSA query?
Should the setup be like this? (using a non-standard port for clarity)

_xmpp-client._tcp.im.example.com SRV 1 1 5555 im.example.com
_5555._tcp.im.example.com TLSA ...

Note that it is very unlikely for the SRV to be insecure but the TLSA to
be secure and therefore usable. Perhaps it would be simpler to specify
that DANE can't be used if the SRV record is not secure.


Section 5.3:

In this case the TLSA records should definitely be looked
up using the port numbers specified in the SRV records.
(That's what draft-ietf-dane-protocol section 3 says.)

The requirement to check the source domain if the TLSA records are
missing conflicts with section 4.

I wonder if there are situations where checking the source (as in 5.1)
can conflict with checking the target (as in 5.3). We need to be sure
that a service can easily change from one good configuration to
another good configuration without accidentally passing through a bad
configuration.


Section 5.4:

What is the point of omitting the name check in this case?
Alternatively, what is the point of including the name check in the
other DANE cases? My drafts say that name checks should still be
performed in the usual way, the idea being that DANE leads to
additional verification code paths rather than completely distinct
code paths.


Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Shannon, Rockall: North 6 to gale 8, backing northwest 5 to 7 later. Rough,
occasionally very rough in Shannon. Rain or showers. Moderate or good.

v2.23.0 | Report a Bug | By Email