Re: [dnsext] Draft: RRTYPE B - Web Resource Integrity
Robert Elz <kre@munnari.OZ.AU> Fri, 17 November 2023 02:15 UTC
Return-Path: <kre@munnari.OZ.AU>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD85CC14CE53 for <dnsext@ietfa.amsl.com>; Thu, 16 Nov 2023 18:15:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Level:
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SOcvXV4jEJgK for <dnsext@ietfa.amsl.com>; Thu, 16 Nov 2023 18:15:35 -0800 (PST)
Received: from munnari.OZ.AU (munnari.coe.psu.ac.th [IPv6:2001:3c8:9009:181::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4A37C14CE2B for <dnsext@ietf.org>; Thu, 16 Nov 2023 18:15:31 -0800 (PST)
Received: from jacaranda.noi.kre.to (localhost [IPv6:::1]) by munnari.OZ.AU with ESMTP id 3AG8fhgJ026833; Thu, 16 Nov 2023 15:41:43 +0700 (ICT)
Received: from jacaranda.noi.kre.to (localhost [127.0.0.1]) by jacaranda.noi.kre.to (8.16.1/8.14.2) with ESMTP id 3AG8fTuR006784; Thu, 16 Nov 2023 15:41:29 +0700 (+07)
From: Robert Elz <kre@munnari.OZ.AU>
To: Mark Andrews <marka@isc.org>
cc: James Addison <james@reciperadar.com>, dnsext@ietf.org
In-Reply-To: <5F134EB1-7D9A-429D-B17E-06A43272BCDC@isc.org>
References: <5F134EB1-7D9A-429D-B17E-06A43272BCDC@isc.org> <CAF3AkiPt98c5By3M1qY=31qW4ESV9_TF7bzH+wdqz2iqzBB+6w@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <25780.1700124089.1@jacaranda.noi.kre.to>
Date: Thu, 16 Nov 2023 15:41:29 +0700
Message-ID: <1180.1700124089@jacaranda.noi.kre.to>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/QSNSUy7I0mzA9rpTg7_pJfOTpmI>
Subject: Re: [dnsext] Draft: RRTYPE B - Web Resource Integrity
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsext/>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Nov 2023 02:15:36 -0000
Beyond what Mark said, which I was going to include here, with less detail, but now don't have to - Thanks Mark... The proposal seems to assume that two different objects (this proposed new DNS resource, and the web page to which it refers) can be updated synchronously somehow - the DNS doesn't do that, it takes a definitely measurable period of time for any data in the DNS to be altered, old copies are still present at secondary servers for some period after the primary is updated, and caches all over the planet don't even look for updates until the TTL on the last answer they had received expires. As described (and other than in local, single server, testing) this scheme simply cannot work reliably. I'd expect that you'd want to allow at least 2 (perhaps more) of these records to exist, and consider a page valid if any of them provides the correct hash - that way the hash for an updated page can be installed, then wait for that to have propogated (sum of secondary reload time, plus TTL expiry) then update the page, then it should be safe to delete the old entry. Allowing for more than 2 to co-exist might be needed if two quick changes were needed to the web page, that is, a new version while still waiting for the previous one to be ready to be installed, but after its resource record is already in the DNS (haven't really thought through all the possible scenarios, but someone needs to). I don't understand the purpose (that's just me, I don't follow much security or web related stuff at all, and so anything which is those two combined is guaranteed outside my area) - but why the insistence on only covering the root page at a domain name? As I understand the way many web servers overate, there is often no such page, and any valid URL at the server must have some kind of path appended to the domain name in the URL to receive a meaningful answer (that is, a non-error reply of one form or other). kre
- [dnsext] Draft: RRTYPE B - Web Resource Integrity James Addison
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… Mark Andrews
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… Niall O'Reilly
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… James Addison
- Re: [dnsext] [Ext] Re: Draft: RRTYPE B - Web Reso… Edward Lewis
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… Robert Edmonds
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… Klaus Malorny
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… James Addison
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… Robert Elz
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… James Addison