Re: [dnsext] Draft: RRTYPE B - Web Resource Integrity
James Addison <james@reciperadar.com> Mon, 20 November 2023 22:23 UTC
Return-Path: <james@reciperadar.com>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B40DC1524B3 for <dnsext@ietfa.amsl.com>; Mon, 20 Nov 2023 14:23:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=reciperadar.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f5BYtj_YKhFA for <dnsext@ietfa.amsl.com>; Mon, 20 Nov 2023 14:23:41 -0800 (PST)
Received: from mail-yw1-x112d.google.com (mail-yw1-x112d.google.com [IPv6:2607:f8b0:4864:20::112d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F6F8C15154D for <dnsext@ietf.org>; Mon, 20 Nov 2023 14:23:41 -0800 (PST)
Received: by mail-yw1-x112d.google.com with SMTP id 00721157ae682-5cb68b8fa27so2967287b3.0 for <dnsext@ietf.org>; Mon, 20 Nov 2023 14:23:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=reciperadar.com; s=google; t=1700519020; x=1701123820; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=pXqpAlrQbIorJG7tfblySdIOHQqMkjOSkX+CcVCc+WU=; b=gt9dfX6ezwhwvkLOrJNjof/vZLt3y6BfhXZsrnw+xDHGftIKMqa0sXD9i6OWWnte2J x9U8PsTUYcxuRlaRrLNwYilkh+nx38HcojEcZzIqumYsLluhgD4L3OznSR3ZDW4agleC zQIoQ4uVkhJJyfZeId5MGFBiZndAPMOEWKnoP4iKhEKZxk6EyjXdjH4K4XGsrr6Tplgn LUjVJlJvBKXWtfA1l+XNrdpRnbqnqU25wi3iLeN/iCNtVrJQWMiTgUKXGxI6C+ZfuJdL dEEiOvQP2zg7ZOsxZ6gwzHZ76e/PEOfsKow540RhkQ2SXHprkYf7DuBheOXkvz0fpNAS sH1Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1700519020; x=1701123820; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=pXqpAlrQbIorJG7tfblySdIOHQqMkjOSkX+CcVCc+WU=; b=ixIqrnd2oOMifzCHnTSr6AAfSj9NYIBygZR3hQhovljfR6G0VvF3d+3hFxtFFzQZj4 ssrBD0OaKTnkC1hOX5tOcpR2RwVQ9Ic2ABeC5xtrm3dg3kzcy1msi3LKWyoylBBS8cpg pxoSOv5XMl+KEy5/LWcgvIcrkLL4x1p0XkPJLJsk3AnHdFQxH8ahQygcNhFa97+r5cTI S8Gm5WvovfzUXslbyq9ip+ieoY67AfgfgQWOpnWPyaLn2x1+YDnxZlkgfeS+TqF3fRwt sJHTOT1RaffIVfWV2ul8jFzwQAY7p5Nn1cRu0eqNJi/ewVnBVe290pgub4faj+73v2uz ldng==
X-Gm-Message-State: AOJu0Yy5DCNNWqWLGU+F6fWBD7YBBUiUPaFXCKznTSIevBXO5IiKpQp5 oGCODKk1UWNoexaIjkUO7eWs1dm/2XBC/fwhwEMQD+t4iqXtap7fbvA=
X-Google-Smtp-Source: AGHT+IHE6vLpAoevAURTaQ2av77XTWIHPz5NdFvZpadUo39RfjpCOhPZ/eTpxToF8alXPTHTpjVZq1YKRYzJq5jjP+s=
X-Received: by 2002:a81:b1ca:0:b0:59c:aea:d877 with SMTP id p193-20020a81b1ca000000b0059c0aead877mr9462506ywh.40.1700519020218; Mon, 20 Nov 2023 14:23:40 -0800 (PST)
MIME-Version: 1.0
References: <CAF3AkiPt98c5By3M1qY=31qW4ESV9_TF7bzH+wdqz2iqzBB+6w@mail.gmail.com>
In-Reply-To: <CAF3AkiPt98c5By3M1qY=31qW4ESV9_TF7bzH+wdqz2iqzBB+6w@mail.gmail.com>
From: James Addison <james@reciperadar.com>
Date: Mon, 20 Nov 2023 22:23:31 +0000
Message-ID: <CAF3AkiP3A+Sbh8vt8Q4W8eOorS7tzQMcx7P0JXiXiwqyyLspPg@mail.gmail.com>
To: kre@munnari.oz.au
Cc: dnsext@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/-GNuTs9-giY0aNOj5kTY1asVogo>
Subject: Re: [dnsext] Draft: RRTYPE B - Web Resource Integrity
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsext/>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Nov 2023 22:23:45 -0000
Thanks for the response, kre - I'll mention that I didn't receive your message by email, but noticed it on the web-based dnsext[.ietf.org] mailing list archive. Please find my comments inline: On Fri, 17 Nov 2023 02:15:36 -0000, kre wrote: > > The proposal seems to assume that two different objects (this proposed > new DNS resource, and the web page to which it refers) can be updated > synchronously somehow - the DNS doesn't do that, it takes a definitely > measurable period of time for any data in the DNS to be altered, old > copies are still present at secondary servers for some period after > the primary is updated, and caches all over the planet don't even look > for updates until the TTL on the last answer they had received expires. > > As described (and other than in local, single server, testing) this > scheme simply cannot work reliably. This timing problem is genuine, yes. > I'd expect that you'd want to allow at least 2 (perhaps more) of these > records to exist, and consider a page valid if any of them provides the > correct hash - that way the hash for an updated page can be installed, > then wait for that to have propogated (sum of secondary reload time, > plus TTL expiry) then update the page, then it should be safe to delete > the old entry. Allowing for more than 2 to co-exist might be needed > if two quick changes were needed to the web page, that is, a new version > while still waiting for the previous one to be ready to be installed, > but after its resource record is already in the DNS (haven't really > thought through all the possible scenarios, but someone needs to). This multi-record suggestion has a parallel in the HTML SubResource Integrity spec: it is valid to list multiple[1] hash values in an integrity attribute; the client is instructed to consider the fetched payload as valid if it matches _any_ of those hashes. So given a TTL of 3600 seconds, we could temporarily deploy a two-hash DNS B record containing both the current and updated hashes for a static site, subsequently deploy the updated site to the webserver(s), and eventually simplify to a new baseline state with a single-hash DNS B record again after 3600 seconds have expired. > I don't understand the purpose (that's just me, I don't follow much > security or web related stuff at all, and so anything which is those > two combined is guaranteed outside my area) - but why the insistence > on only covering the root page at a domain name? As I understand the > way many web servers overate, there is often no such page, and any > valid URL at the server must have some kind of path appended to the > domain name in the URL to receive a meaningful answer (that is, a > non-error reply of one form or other). I admit it is somewhat arbitrary to associate the record strictly with the root web path, and acknowledge that websites aren't required to serve meaningful content from that path. The goal of this record type is to provide an opt-in increase in trustworthiness for static HTML-based content served from domains, while maintaining the desirable ability to deploy that content in cost-effective and widely-available ways. The particular risk area that this record type attempts to mitigate is that of untrustworthy or compromised webservers for a given domain name. In the case of a TLS-secured session, negotiation and communication with an individual such host and the client may succeed; the DNS B integrity record provides an additional method to detect tampered content, and one that is outside of the immediate security boundary of the compromised host. In simplified terms, the record is an expect/checksum value that the client can use to confirm that the _initial_ access into a website (bearing in mind the fixed path) maintains integrity. From there, the website may or may offer navigation through a fully-connected graph of webpages, may or may not provide subresource integrity guarantees on content within the page and beyond, and may or may not link to content on other domains. An additional note / addendum: About the reasoning for a single, fixed root path: I don't see DNS as being a place to store large amounts of potentially-dynamic data, and would prefer to ignore all kinds of problems that I'd anticipate related to attempting to map a set of multiple URI paths to either one-or-more DNS record(s). Those in combination with the fact that a single-page HTML application _can_ be served from a single URL drew me towards idea of a single fixed path, for simplicity. [1] - https://www.w3.org/TR/2016/REC-SRI-20160623/#does-response-match-metadatalist
- [dnsext] Draft: RRTYPE B - Web Resource Integrity James Addison
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… Mark Andrews
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… Niall O'Reilly
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… James Addison
- Re: [dnsext] [Ext] Re: Draft: RRTYPE B - Web Reso… Edward Lewis
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… Robert Edmonds
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… Klaus Malorny
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… James Addison
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… Robert Elz
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… James Addison