Re: [dane] [Technical Errata Reported] RFC7672 (5395)

Paul Wouters <paul@nohats.ca> Mon, 18 June 2018 03:14 UTC

Date: Sun, 17 Jun 2018 23:14:47 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: RFC Errata System <rfc-editor@rfc-editor.org>
cc: ietf-dane@dukhovni.org, ietf@hardakers.net, kaduk@mit.edu, ekr@rtfm.com, ogud@ogud.com, warren@kumari.net, matt@mattmccutchen.net, dane@ietf.org
In-Reply-To: <20180616142946.51588B810A8@rfc-editor.org>
Message-ID: <alpine.LRH.2.21.1806172308260.24664@bofh.nohats.ca>
References: <20180616142946.51588B810A8@rfc-editor.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/pwafgWnWSw-515p_9squkM6phxE>

On Sat, 16 Jun 2018, RFC Errata System wrote:

> Original Text
> -------------
>   DNS records that would be
>   classified "indeterminate" in the sense of [RFC4035] are simply
>   classified as "insecure".
>
> Corrected Text
> --------------
>   DNS records that would be
>   classified "indeterminate" in the sense of [RFC4033] are simply
>   classified as "insecure".

Whether original or corrected text, what it does here worried me more.

The RFC opens with:

 	Abstract

 	This memo describes a downgrade-resistant protocol [...]

Not really downgrade-resistant if I can just strip some RRSIGs from
the packets to make it fail open. So this text is confusing.

But it does make that clear in 2.1.2:

 	If any DNS queries used to locate
 	TLSA records fail (due to "bogus" or "indeterminate" records,
 	timeouts, malformed replies, SERVFAIL responses, etc.), then the SMTP
 	client MUST treat that server as unreachable and MUST NOT deliver the
 	message via that server.

I'm not sure if that's worth bringing into the errata. If we have the
errata as is, it might actually mislead developers into thinking they
must treat an indeterminate response as insecure and use it for TLSA.

Paul