[dnsext] Draft: RRTYPE B - Web Resource Integrity
James Addison <james@reciperadar.com> Tue, 14 November 2023 17:37 UTC
Return-Path: <james@reciperadar.com>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1276DC15108F for <dnsext@ietfa.amsl.com>; Tue, 14 Nov 2023 09:37:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=reciperadar.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I9nXGeeV_2Vx for <dnsext@ietfa.amsl.com>; Tue, 14 Nov 2023 09:36:58 -0800 (PST)
Received: from mail-yw1-x1131.google.com (mail-yw1-x1131.google.com [IPv6:2607:f8b0:4864:20::1131]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0983C14F747 for <dnsext@ietf.org>; Tue, 14 Nov 2023 09:36:58 -0800 (PST)
Received: by mail-yw1-x1131.google.com with SMTP id 00721157ae682-5a82c2eb50cso61101867b3.2 for <dnsext@ietf.org>; Tue, 14 Nov 2023 09:36:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=reciperadar.com; s=google; t=1699983417; x=1700588217; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=i1K0bPVU80F+hBu6SWPUxcK0YL9SqSFl/Nvk0CuPQQs=; b=j3Q1M0rmpYZkALQN9rRDPvYmStxdEuiD3ZnYIiPy7UZgvdg/MB0t6xoEvwWNwWOJhz oOsLtzU2kidTF7PEK6XbwYvkMLScenLY7wD4E9OKcEUgbs1F1ptuijIIYvgQmPtN9pQO zb9P7AaLW183BwqdR55hbshW9NvNrvSjBiXQVpnTinwosvBuriyC9OpnqV4IqGAH2QEO uztakOw991meRiYZwg5pHjCdWd4DCQ3YjYlI7ID35bA3H4V/eze8l8R6QSLm01bSzA4t 9J59l15mEsFu3iHo60kDu8bAibV91os3ZHOhmC777TtaZX8A8fDVwanxkCIvJmsyAkZC UItQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699983417; x=1700588217; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=i1K0bPVU80F+hBu6SWPUxcK0YL9SqSFl/Nvk0CuPQQs=; b=Ka6MusvTsWT+BBNopFIbDJ/1H80KiaE95FkkM3vNUTsBhaRpxOo18vUL7N3K74vbkI AXFSUG/YCQxvXIbeHvjGHIld7IUdxeWCtZ8pcbtput3HctlaIMBLMyx8sbHkVQ8+nJRI a5vBSKk8kMbklQx3+67fXStgXA5lLVk6/4o+GoTfXRQpCmFuGSOE6HAO1OOLb41jhl79 N6PnW08M0iSUmvgUwJon0yePHHC95+hnTwlyMLiLwZMAPF7Pj+y6uFz4mX0zYmE9zmPK UmKYcTmk/EXqrE84xTtPW2wp1mjCapFaeQ/amyPQNlDoPqibgRqc/CGZjAlS+Rxfz44S P1BQ==
X-Gm-Message-State: AOJu0YwejhohxOBYrCo90wcF9SCD1ROgXUoj1ROjsyO88wfOlxDH3KMW JK/snLVXA1+M2dsFtB5DcSX3lAQy95Ky/76x/e7WlUk3weOHMI0vAMc=
X-Google-Smtp-Source: AGHT+IGp/S7nS5UNeT4ga4Gh/nXiWi9CFvqUrzO0zuBUI6RU2L+UiG3Lvze17It2H9e6L/m8re6YMWOmyWO2UTah688=
X-Received: by 2002:a81:92c5:0:b0:5af:5c55:8298 with SMTP id j188-20020a8192c5000000b005af5c558298mr8461308ywg.36.1699983417436; Tue, 14 Nov 2023 09:36:57 -0800 (PST)
MIME-Version: 1.0
From: James Addison <james@reciperadar.com>
Date: Tue, 14 Nov 2023 17:36:49 +0000
Message-ID: <CAF3AkiPt98c5By3M1qY=31qW4ESV9_TF7bzH+wdqz2iqzBB+6w@mail.gmail.com>
To: dnsext@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/vtbGXqBKSKzBqYAAE1VMhATiuw4>
Subject: [dnsext] Draft: RRTYPE B - Web Resource Integrity
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsext/>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Nov 2023 17:38:13 -0000
A. Submission Date: N/A (draft / RFC) B.1 Submission Type: [x] New RRTYPE [ ] Modification to RRTYPE B.2 Kind of RR: [x] Data RR [ ] Meta-RR C. Contact Information for submitter (will be publicly posted): Name: James Addison Email Address: james@reciperadar.com International telephone number: N/A Other contact handles: N/A D. Motivation for the new RRTYPE application. W3C HTML allows website authors to optionally include Subresource Integrity[1][2] (SRI) metadata within their markup. This enables user-agents such as web browsers to check that the corresponding content that they fetch matches the content intended by the website author. A missing link in the integrity supply chain is the initial page-load: the user-agent is provided with no integrity expectation about the HTML page that itself contains the subresource integrity markup attributes. The proposal here is to add a DNS B record type, to be used to publish integrity metadata for the root index URI of a website on a given domain record. Because in most cases a web user-agent already performs DNS A and/or AAAA lookups to retrieve IP address(es) to request a web URI from, adding a neighbouring RR type to provide integrity metadata may allow for both human mental models and software code to adapt incrementally, without significant changes to existing assumptions. E. Description of the proposed RR type. The proposed DNS RR type is a DNS 'B' record, intended to contain a single metadata record in the format described by the W3C Content Security Policy Level 2's definition of a hash-source[3] . In brief: this is an ASCII format that is composed of a prefix that indicates a known cryptographic hash method, followed by a single hyphen ('-') character, followed by the base64-encoded hash of the content using the specified algorithm. For example, the response to a 'dig' DNS lookup for the domain name reciperadar.com might include the following: ;; ANSWER SECTION: reciperadar.com. 3600 IN A 192.0.2.18 reciperadar.com. 3600 IN B sha512-5sY7BUrKX/1p6j6PJECwN+7rX2ORqP/StA2iR7bI9C30aGT6wF4PAEum4mnyrsQNjl/whRZ9luAVANNz9Uqkqg= The proposed record type does not allow integrity hashes to be specified for multiple URIs on the domain where it is configured. Only a single 'B' record may be configured for the domain, and the integrity hash contained within it is published solely for use validating content fetched from the root URI path ('/') of that domain. A motivating use case is to provide integrity guarantees to user-agents that fetch and load single-page web applications that are deployed and distributed using webservers. Updates to such an application should be preceded by an update to the DNS B record on each domain they are distributed from. F. What existing RRTYPE or RRTYPEs come closest to filling that need and why are they unsatisfactory? The existing A and AAAA record types provide a way for world-wide-web user-agents to discover the IP address of server(s) to request webpage content from. However, these record types do not provide integrity expectations about the content that may subsequently be communicated to the client. G. What mnemonic is requested for the new RRTYPE (optional)? N/A (guidance requested) H. Does the requested RRTYPE make use of any existing IANA registry or require the creation of a new IANA subregistry in DNS Parameters? If so, please indicate which registry is to be used or created. If a new subregistry is needed, specify the allocation policy for it and its initial contents. Also include what the modification procedures will be. No. I. Does the proposal require/expect any changes in DNS servers/resolvers that prevent the new type from being processed as an unknown RRTYPE (see [RFC3597])? No; existing servers and resolvers should be able to replicate zone data containing 'B' records without requiring any knowledge of the semantics of the RRtype; the type describes a textual record providing a communication channel to carry an integrity guarantee about web content from the author to clients of that content, using DNS as the distribution method. J. Comments: Although an anticipated use case is delivery of web applications from a fixed root URI on a domain, websites composed of static content could also use the ability to communicate integrity expectations to clients out-of-band from HTTP/HTTPS protocols. Related specifications: 1. Transport layer security, which provides for in-band content integrity guarantees within the context of a negotiated communication session. 2. DNSSEC, which provides security assurances on the content of data within a DNS zone. 3. The draft specification of HTTP message signatures (draft-ietf-httpbis-message-signatures), which could provide for integrity guarantees on portions of content communicated within HTTP requests and responses. Each of these are orthogonal to the proposed DNS B RRType -- and to each other -- and could be used in combination. [1] - https://www.w3.org/TR/2016/REC-SRI-20160623/ [2] - https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity [3] - https://www.w3.org/TR/CSP2/#hash_source
- [dnsext] Draft: RRTYPE B - Web Resource Integrity James Addison
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… Mark Andrews
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… Niall O'Reilly
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… James Addison
- Re: [dnsext] [Ext] Re: Draft: RRTYPE B - Web Reso… Edward Lewis
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… Robert Edmonds
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… Klaus Malorny
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… James Addison
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… Robert Elz
- Re: [dnsext] Draft: RRTYPE B - Web Resource Integ… James Addison