Re: [dnsext] Draft: RRTYPE B - Web Resource Integrity
Mark Andrews <marka@isc.org> Thu, 16 November 2023 05:15 UTC
Return-Path: <marka@isc.org>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A31B7C15108A for <dnsext@ietfa.amsl.com>; Wed, 15 Nov 2023 21:15:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="Z9l7TWPv"; dkim=pass (1024-bit key) header.d=isc.org header.b="dbZnVZ+c"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4OUa7q0RR22E for <dnsext@ietfa.amsl.com>; Wed, 15 Nov 2023 21:15:41 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.2.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74D31C14F738 for <dnsext@ietf.org>; Wed, 15 Nov 2023 21:15:40 -0800 (PST)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.2.31]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 2651B3AB006; Thu, 16 Nov 2023 05:15:40 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org 2651B3AB006
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.2.31
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1700111740; cv=none; b=UJHzhvyGPaSfVYpmg1YXLZv58UzW+ymu2ZS8eDGl+3ptAFurcof1ObZQrnR13YXM8q9t0vKIlGoD0nXihxDiHy+FTZTLnhZ+GVnwwW2KsU5dSTh+0Y7ZxU4uHrs3UlrqKc0dHXF3RhlN8YPHs1bDMbhCZfAOYQd+JJtc4bY6j+w=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1700111740; c=relaxed/relaxed; bh=SGWOzpTi+3wF4ChnOpSf/KxCmrgYCtLtrxbc3GhgiS0=; h=DKIM-Signature:DKIM-Signature:Mime-Version:Subject:From:Date: Message-Id:To; b=Lz6oQoBgtmdAGB4tiKEiQ1Nn/1+yb30XqfMRHwJ4spIEzb+KmfCihyURtAt6SzO8tc8qjyuoG2p0wQ5oIIoWBzbjwlYtTj3wyPbgpuuk0RleeG4RMpIVt0NfcqKf1nnTUIkLX6TU8IQ9Eg/5z/vAX6XOXll3LwyXPER8iMhbucg=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org 2651B3AB006
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1700111740; bh=8JLzPPnojnFtee4DPq5tiBY4eXeiYQTd2t0zYWR85vo=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=Z9l7TWPv2YZSfR2R50A4siIKhZ8Rjw9dFsOp53JX4JM+6xVI1Hnm8jjlJsX7Oz6tM /M+D2QDaQXhnXfUg6rTCoMji3ZxQg6R8YpWi3GVuDEBUAhSrxGBTsK4mRynuI9sqF/ TELguTtmHNRNzLQfaMqx0rwY4oj4+Fz+OqpDD3RI=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id 236ACAC01A3; Thu, 16 Nov 2023 05:15:40 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 01BA9AC05CD; Thu, 16 Nov 2023 05:15:40 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 01BA9AC05CD
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1700111740; bh=SGWOzpTi+3wF4ChnOpSf/KxCmrgYCtLtrxbc3GhgiS0=; h=Mime-Version:From:Date:Message-Id:To; b=dbZnVZ+chkmz1laFacWctGVIO3uwndGslDuj3WJr9sG4B+CIb35KL6yUSeQq7Nvo9 AZCEuLGowXM9fLpflinZHPBxGt3u+pyuIZnKbnRWJVyKnkW1CNSYNtR5UUeaSjNAD0 GUtF+s87kd4Qm+mzJcH9YGEFUHhzDTKiTMav3FHU=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavis, port 10026) with ESMTP id bU34c4u6Qka8; Thu, 16 Nov 2023 05:15:39 +0000 (UTC)
Received: from smtpclient.apple (n49-187-27-239.bla1.nsw.optusnet.com.au [49.187.27.239]) by zimbrang.isc.org (Postfix) with ESMTPSA id 3ACB1AC01A3; Thu, 16 Nov 2023 05:15:39 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <CAF3AkiPt98c5By3M1qY=31qW4ESV9_TF7bzH+wdqz2iqzBB+6w@mail.gmail.com>
Date: Thu, 16 Nov 2023 16:15:26 +1100
Cc: dnsext@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <5F134EB1-7D9A-429D-B17E-06A43272BCDC@isc.org>
References: <CAF3AkiPt98c5By3M1qY=31qW4ESV9_TF7bzH+wdqz2iqzBB+6w@mail.gmail.com>
To: James Addison <james@reciperadar.com>
X-Mailer: Apple Mail (2.3731.700.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/TwHePBKB7LJ4r8l9TyT6tKiKQSc>
Subject: Re: [dnsext] Draft: RRTYPE B - Web Resource Integrity
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsext/>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Nov 2023 05:15:45 -0000
This is insufficient to implement. Only the presentation format has been described. The wire format has not been described. Normally hashes and binary data are converted between base64 (presentation) and raw data for the wire format in DNS. See DNSKEY, RRSIG, TSIG, CERT, DOA, HIP, SINK as this reduces the record size. Additionally hash identifiers are normally just an octet preceding the hash with a registry for mappings to well known values as well as a few user defined values for testing. Alternatively a string followed by the raw data. Below are different potential wire formats of sha512-5sY7BUrKX/1p6j6PJECwN+7rX2ORqP/StA2iR7bI9C30aGT6wF4PAEum4mnyrsQNjl/whRZ9luAVANNz9Uqkqg= Octet 0000000 01 b1 8e c1 52 b2 97 ff 5a 7a 8f a3 c9 10 2c 0d 0000020 fb ba d7 d8 e4 6a 3f f4 ad 03 68 91 ed b2 3d 0b 0000040 7d 1a 19 3e b0 17 83 c0 12 e9 b8 9a 7c ab b1 03 0000060 63 String 0000000 06 73 68 61 32 35 36 b1 8e c1 52 b2 97 ff 5a 7a 0000020 8f a3 c9 10 2c 0d fb ba d7 d8 e4 6a 3f f4 ad 03 0000040 68 91 ed b2 3d 0b 7d 1a 19 3e b0 17 83 c0 12 e9 0000060 b8 9a 7c ab b1 03 63 ASCII/UTF8 0000000 73 68 61 32 35 36 2d 73 59 37 42 55 72 4b 58 2f 0000020 31 70 36 6a 36 50 4a 45 43 77 4e 2b 37 72 58 32 0000040 4f 52 71 50 2f 53 74 41 32 69 52 37 62 49 39 43 0000060 33 30 61 47 54 36 77 46 34 50 41 45 75 6d 34 6d 0000100 6e 79 72 73 51 4e 6a 6c 2f 77 68 52 5a 39 6c 75 0000120 41 56 41 4e 4e 7a 39 55 71 6b 71 67 3d Mark > On 15 Nov 2023, at 04:36, James Addison <james@reciperadar.com> wrote: > > A. Submission Date: N/A (draft / RFC) > > B.1 Submission Type: [x] New RRTYPE [ ] Modification to RRTYPE > B.2 Kind of RR: [x] Data RR [ ] Meta-RR > > C. Contact Information for submitter (will be publicly posted): > Name: James Addison Email Address: james@reciperadar.com > International telephone number: N/A > Other contact handles: N/A > > D. Motivation for the new RRTYPE application. > > W3C HTML allows website authors to optionally include Subresource > Integrity[1][2] (SRI) metadata within their markup. This enables > user-agents such as web browsers to check that the corresponding > content that they fetch matches the content intended by the website > author. > > A missing link in the integrity supply chain is the initial page-load: > the user-agent is provided with no integrity expectation about the > HTML page that itself contains the subresource integrity markup > attributes. > > The proposal here is to add a DNS B record type, to be used to publish > integrity metadata for the root index URI of a website on a given > domain record. > > Because in most cases a web user-agent already performs DNS A and/or > AAAA lookups to retrieve IP address(es) to request a web URI from, > adding a neighbouring RR type to provide integrity metadata may allow > for both human mental models and software code to adapt incrementally, > without significant changes to existing assumptions. > > E. Description of the proposed RR type. > > The proposed DNS RR type is a DNS 'B' record, intended to contain a > single metadata record in the format described by the W3C Content > Security Policy Level 2's definition of a hash-source[3] . In brief: > this is an ASCII format that is composed of a prefix that indicates a > known cryptographic hash method, followed by a single hyphen ('-') > character, followed by the base64-encoded hash of the content using > the specified algorithm. > > For example, the response to a 'dig' DNS lookup for the domain name > reciperadar.com might include the following: > > ;; ANSWER SECTION: > reciperadar.com. 3600 IN A 192.0.2.18 > reciperadar.com. 3600 IN B > sha512-5sY7BUrKX/1p6j6PJECwN+7rX2ORqP/StA2iR7bI9C30aGT6wF4PAEum4mnyrsQNjl/whRZ9luAVANNz9Uqkqg= > > The proposed record type does not allow integrity hashes to be > specified for multiple URIs on the domain where it is configured. > Only a single 'B' record may be configured for the domain, and the > integrity hash contained within it is published solely for use > validating content fetched from the root URI path ('/') of that > domain. > > A motivating use case is to provide integrity guarantees to > user-agents that fetch and load single-page web applications that are > deployed and distributed using webservers. Updates to such an > application should be preceded by an update to the DNS B record on > each domain they are distributed from. > > F. What existing RRTYPE or RRTYPEs come closest to filling that need > and why are they unsatisfactory? > > The existing A and AAAA record types provide a way for world-wide-web > user-agents to discover the IP address of server(s) to request webpage > content from. However, these record types do not provide integrity > expectations about the content that may subsequently be communicated > to the client. > > G. What mnemonic is requested for the new RRTYPE (optional)? > > N/A (guidance requested) > > H. Does the requested RRTYPE make use of any existing IANA registry > or require the creation of a new IANA subregistry in DNS > Parameters? If so, please indicate which registry is to be used > or created. If a new subregistry is needed, specify the > allocation policy for it and its initial contents. Also include > what the modification procedures will be. > > No. > > I. Does the proposal require/expect any changes in DNS > servers/resolvers that prevent the new type from being processed > as an unknown RRTYPE (see [RFC3597])? > > No; existing servers and resolvers should be able to replicate zone > data containing 'B' records without requiring any knowledge of the > semantics of the RRtype; the type describes a textual record providing > a communication channel to carry an integrity guarantee about web > content from the author to clients of that content, using DNS as the > distribution method. > > J. Comments: > > Although an anticipated use case is delivery of web applications from > a fixed root URI on a domain, websites composed of static content > could also use the ability to communicate integrity expectations to > clients out-of-band from HTTP/HTTPS protocols. > > Related specifications: > > 1. Transport layer security, which provides for in-band content > integrity guarantees within the context of a negotiated communication > session. > > 2. DNSSEC, which provides security assurances on the content of data > within a DNS zone. > > 3. The draft specification of HTTP message signatures > (draft-ietf-httpbis-message-signatures), which could provide for > integrity guarantees on portions of content communicated within HTTP > requests and responses. > > Each of these are orthogonal to the proposed DNS B RRType -- and to > each other -- and could be used in combination. > > [1] - https://www.w3.org/TR/2016/REC-SRI-20160623/ > > [2] - https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity > > [3] - https://www.w3.org/TR/CSP2/#hash_source > > _______________________________________________ > dnsext mailing list > dnsext@ietf.org > https://www.ietf.org/mailman/listinfo/dnsext -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- [dnsext] Draft: RRTYPE B - Web Resource Integrity James Addison
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… Mark Andrews
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… Niall O'Reilly
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… James Addison
- Re: [dnsext] [Ext] Re: Draft: RRTYPE B - Web Reso… Edward Lewis
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… Robert Edmonds
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… Klaus Malorny
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… James Addison
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… Robert Elz
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… James Addison