IETF Logo Mail Archive

Re: [dane] Behavior in the face of no answer?

Martin Rex <mrex@sap.com> Thu, 03 May 2012 23:03 UTC

Return-Path: <mrex@sap.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0ABA11E8080 for <dane@ietfa.amsl.com>; Thu, 3 May 2012 16:03:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.123
X-Spam-Level:
X-Spam-Status: No, score=-10.123 tagged_above=-999 required=5 tests=[AWL=0.126, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q2i8yKDNEToY for <dane@ietfa.amsl.com>; Thu, 3 May 2012 16:03:43 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 0AFEB11E8079 for <dane@ietf.org>; Thu, 3 May 2012 16:03:42 -0700 (PDT)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id q43N3aVH025855 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 4 May 2012 01:03:41 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201205032303.q43N3ZB7009975@fs4113.wdf.sap.corp>
To: ekr@rtfm.com (Eric Rescorla)
Date: Fri, 4 May 2012 01:03:35 +0200 (MEST)
In-Reply-To: <CABcZeBPiYtDQF-BxAGRMOinHhZL6ABJPvTyCF2USzpzL__jhrg@mail.gmail.com> from "Eric Rescorla" at May 3, 12 03:49:19 pm
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: paul@nohats.ca, paul.hoffman@vpnc.org, dane@ietf.org
Subject: Re: [dane] Behavior in the face of no answer?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 May 2012 23:03:43 -0000

Eric Rescorla wrote:
> 
> On Thu, May 3, 2012 at 3:45 PM, Paul Wouters <paul@nohats.ca> wrote:
> > On Thu, 3 May 2012, Paul Hoffman wrote:
> > A response with no data, where there is a DNSSEC chain of trust, is
> > per definition bogus, as your response, even for 'no data' has to come
> > with the signed proof (NSEC/NSEC3)
> >
> > I would just leave out "or the response has no data"
> 
> I should probably mention that the analysis I am offering applies to any
> other non-cryptographically verifiable error case, such as ICMP
> errors, unverifiable SERVFAILs, etc. It's not clear to me if these
> are all treated as Bogus but in this context I claim they must
> be.


While I do agree with your analysis, I'm inclined to believe that
an unconditional hard-fail is as realistic for DANE as a hard-fail
is for OCSP response failures.  A non-marginal number of
TLS clients (WinXP using MSIE) is IMHO not even attempting OCSP
lookups at all.  And while I personally use FF 3.6, I have
OCSP purposely disabled and Certificate Patrol installed.

The difficulty with DNSSEC is that there are many firewalled networks
with either private DNS universes as well as NATed networks with DHCP and
local, DNSSEC-unaware recurive DNS resolvers, where a DANE hard-fail
approach might result in severe usability issues.

Is there any reliable data on the availability of 100% correctness
of DNSSEC records from places with full&transparent internet
connectivity to DNSSEC-capable recursive DNS resolvers?

-Martin

v2.8.7 | Report a Bug | By Email