Re: [dane] I-D Action: draft-ietf-dane-smime-03.txt

"Wiley, Glen" <> Fri, 07 February 2014 02:12 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 034E61A059A for <>; Thu, 6 Feb 2014 18:12:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id HMSYPnr_kAbj for <>; Thu, 6 Feb 2014 18:12:30 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id AD0281A0598 for <>; Thu, 6 Feb 2014 18:12:28 -0800 (PST)
Received: from ([]) (using TLSv1) by ([]) with SMTP ID DSNKUvRBCzdz1d/; Thu, 06 Feb 2014 18:12:28 PST
Received: from ( []) by (8.13.6/8.13.4) with ESMTP id s172CQnq008226 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 6 Feb 2014 21:12:26 -0500
Received: from ([::1]) by ([::1]) with mapi id 14.02.0342.003; Thu, 6 Feb 2014 21:12:26 -0500
From: "Wiley, Glen" <>
To: Andrew Sullivan <>, "" <>
Thread-Topic: [dane] I-D Action: draft-ietf-dane-smime-03.txt
Thread-Index: AQHPCyZpntlQewVS0Euo6EoCwtd7epp7QbWAgAAPnwCALFghgIAAcv8AgAAHWoCAAAJdAIAAA6QAgAET/IA=
Date: Fri, 7 Feb 2014 02:12:26 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-ID: <>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [dane] I-D Action: draft-ietf-dane-smime-03.txt
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 07 Feb 2014 02:12:32 -0000

On 2/5/14 11:44 PM, "Andrew Sullivan" <> wrote:

>On Thu, Feb 06, 2014 at 04:31:38AM +0000, Viktor Dukhovni wrote:
>> I must plead ignorance of the obstacle, what do you have in mind?
>I am repeatedly informed by my man pages, RFC 3493, and every web
>browser implementer I've ever spoken to that getting the TTL on an RR
>coming to you from the system resolver is hard.  I'd be more delighted
>than I can express to be misinformed, so if you know otherwise please
>say so.
>There is a new API (more a meta-api) that Paul Hoffman worked on
>( that I think we should all embrace
>partly for the above reason, but we're not even at 0-day with that yet

We are very close to "0-day" for getdns :)

A few of us (NLNetLabs and Verisign) have been working on an open source
Implementation of the specification that we are planning to release prior
to IETF89.

The API provides pretty complete access to the RR data and includes
DNSSEC validation.  Per the spec the API can be used as a stub
Resolver (as with extant libc entry points) or as a recursive
Resolver (the default behavior per the spec).

>> If learning DNS TTLs along with the RRset data is problematic,
>> application caches should have reasonably short maximum lifetimes.
>I recognise the basic impulse in what you're saying, but it gives me
>pause.  Timing attacks involving DNS and the browser "pinning" policy
>have always struck me as plausible (and ISTR a demonstration, but I'm
>darned if I can come up with it now).  But using this sort of trick
>for actual certificate stuff appears to make the target of any
>pinning-timing attack more valuable.  Is that a problem?  (That's not
>a rhetorical question.  I'm an idiot.)
>[I get your other argument about lifetimes.  Not trying to ignore,
>just accepting.]
>Andrew Sullivan

Glen Wiley

Sr. Engineer
The Hive, Verisign, Inc.