Re: [dane] srv-09 comments
Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 16 February 2015 18:08 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3FEF1A6FF9 for <dane@ietfa.amsl.com>; Mon, 16 Feb 2015 10:08:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.493
X-Spam-Level:
X-Spam-Status: No, score=0.493 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, TVD_PH_BODY_ACCOUNTS_PRE=2.393] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9ML9QcpeyzP0 for <dane@ietfa.amsl.com>; Mon, 16 Feb 2015 10:08:21 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7D441A7008 for <dane@ietf.org>; Mon, 16 Feb 2015 10:08:19 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 4EA6C282D5F; Mon, 16 Feb 2015 18:08:13 +0000 (UTC)
Date: Mon, 16 Feb 2015 18:08:13 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20150216180813.GT1260@mournblade.imrryr.org>
References: <20150216170123.GR1260@mournblade.imrryr.org> <54E22A70.8050705@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <54E22A70.8050705@cisco.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/zAfo1ze-jLMerMV6-vS-e3YFXSE>
Subject: Re: [dane] srv-09 comments
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Feb 2015 18:08:23 -0000
On Mon, Feb 16, 2015 at 10:35:44AM -0700, ? Matt Miller wrote:
> Thanks for the feedback! More inline ...
>
> > Section 3.4 (Impact on TLA Usage) second bullet:
> >
> > Revert change from -08 to -09. The -08 language:
> > [...]
>
> The original language did not account for the lack of records, but I
> can see how this is too permissive. Perhaps the following is more
> acceptable (replacing the last two bullets in dane-srv-09)?
>
> o If the TLSA response is "bogus" or "indeterminate" (or the lookup
> fails for reasons other than no records), then the client MUST
> NOT connect to the target server (the client can still use other
> SRV targets).
>
> o If the TLSA response is "insecure" (or no TLSA records exist),
> then the client SHALL proceed as if the target server had no TLSA
> records. It MAY connect to the target server with or without
> TLS, subject to the policies of the application protocol or
> client implementation.
Much better and basically correct, provided that it is clear that
"indeterminate" is the 4035 (not 4033) definition, and the phrase
"fails for reasons other than no records" is sufficiently clear to
the document's audience. It is a somewhat informal phrase...
In the SMTP draft ([1] below my signature) "no records" (be it
NOERROR with ancount==0 or NXDOMAIN) is defined as a non-error (a
successful empty result). Your taxonomy is different, but my guess
is that the text is good enough.
[ Is denial of existence of a success or a failure? How many
angels can dance on the head of a pin? ... ]
----
Question to the WG at large:
Anyone see any room for confusion about the meaning of the
proposed text?
----
> The parenthetical is meant to account for the lack of SRV records, but
> I can see how that might be too permissive. Is the following more
> acceptable?
>
> If the SRV lookup fails because the RRset is "bogus" (or the lookup
> fails for reasons other than no records), the client MUST abort its
> attempt to connect to the desired service. If the lookup result is
> "insecure" (or no SRV records exist), this protocol does not apply
> and the client SHOULD fall back to its non-DNSSEC, non-DANE (and
> possibly non-SRV) behavior.
Thanks. Looks fine, provided the "fails for reasons other than no
records" bit is clear enough to the world at large.
--
Viktor.
[1] SMTP draft section 2.1.1 (middle of page 10):
There is an important non-failure condition we need to highlight in
addition to the obvious case of the DNS client obtaining a non-empty
"secure" or "insecure" RRset of the requested type. Namely, it is
not an error when either "secure" or "insecure" non-existence is
determined for the requested data. When a DNSSEC response with a
validation status that is either "secure" or "insecure" reports
either no records of the requested type or non-existence of the query
domain, the response is not a DNS error condition. The DNS client
has not been left without an answer; it has learned that records of
the requested type do not exist.
- Re: [dane] srv-09 comments Viktor Dukhovni
- [dane] srv-09 comments Viktor Dukhovni
- Re: [dane] srv-09 comments ⌘ Matt Miller
- Re: [dane] srv-09 comments ⌘ Matt Miller
- Re: [dane] srv-09 comments Olafur Gudmundsson
- Re: [dane] srv-09 comments ⌘ Matt Miller
- Re: [dane] srv-09 comments Viktor Dukhovni
- Re: [dane] srv-09 comments Paul Wouters
- Re: [dane] srv-09 comments Mark Andrews
- Re: [dane] srv-09 comments Viktor Dukhovni
- Re: [dane] srv-09 comments Mark Andrews