IETF Logo Mail Archive

[dnsext] Draft: RRTYPE B - Web Resource Integrity

James Addison <james@reciperadar.com> Tue, 14 November 2023 17:37 UTC

Return-Path: <james@reciperadar.com>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1276DC15108F for <dnsext@ietfa.amsl.com>; Tue, 14 Nov 2023 09:37:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=reciperadar.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I9nXGeeV_2Vx for <dnsext@ietfa.amsl.com>; Tue, 14 Nov 2023 09:36:58 -0800 (PST)
Received: from mail-yw1-x1131.google.com (mail-yw1-x1131.google.com [IPv6:2607:f8b0:4864:20::1131]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0983C14F747 for <dnsext@ietf.org>; Tue, 14 Nov 2023 09:36:58 -0800 (PST)
Received: by mail-yw1-x1131.google.com with SMTP id 00721157ae682-5a82c2eb50cso61101867b3.2 for <dnsext@ietf.org>; Tue, 14 Nov 2023 09:36:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=reciperadar.com; s=google; t=1699983417; x=1700588217; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=i1K0bPVU80F+hBu6SWPUxcK0YL9SqSFl/Nvk0CuPQQs=; b=j3Q1M0rmpYZkALQN9rRDPvYmStxdEuiD3ZnYIiPy7UZgvdg/MB0t6xoEvwWNwWOJhz oOsLtzU2kidTF7PEK6XbwYvkMLScenLY7wD4E9OKcEUgbs1F1ptuijIIYvgQmPtN9pQO zb9P7AaLW183BwqdR55hbshW9NvNrvSjBiXQVpnTinwosvBuriyC9OpnqV4IqGAH2QEO uztakOw991meRiYZwg5pHjCdWd4DCQ3YjYlI7ID35bA3H4V/eze8l8R6QSLm01bSzA4t 9J59l15mEsFu3iHo60kDu8bAibV91os3ZHOhmC777TtaZX8A8fDVwanxkCIvJmsyAkZC UItQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699983417; x=1700588217; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=i1K0bPVU80F+hBu6SWPUxcK0YL9SqSFl/Nvk0CuPQQs=; b=Ka6MusvTsWT+BBNopFIbDJ/1H80KiaE95FkkM3vNUTsBhaRpxOo18vUL7N3K74vbkI AXFSUG/YCQxvXIbeHvjGHIld7IUdxeWCtZ8pcbtput3HctlaIMBLMyx8sbHkVQ8+nJRI a5vBSKk8kMbklQx3+67fXStgXA5lLVk6/4o+GoTfXRQpCmFuGSOE6HAO1OOLb41jhl79 N6PnW08M0iSUmvgUwJon0yePHHC95+hnTwlyMLiLwZMAPF7Pj+y6uFz4mX0zYmE9zmPK UmKYcTmk/EXqrE84xTtPW2wp1mjCapFaeQ/amyPQNlDoPqibgRqc/CGZjAlS+Rxfz44S P1BQ==
X-Gm-Message-State: AOJu0YwejhohxOBYrCo90wcF9SCD1ROgXUoj1ROjsyO88wfOlxDH3KMW JK/snLVXA1+M2dsFtB5DcSX3lAQy95Ky/76x/e7WlUk3weOHMI0vAMc=
X-Google-Smtp-Source: AGHT+IGp/S7nS5UNeT4ga4Gh/nXiWi9CFvqUrzO0zuBUI6RU2L+UiG3Lvze17It2H9e6L/m8re6YMWOmyWO2UTah688=
X-Received: by 2002:a81:92c5:0:b0:5af:5c55:8298 with SMTP id j188-20020a8192c5000000b005af5c558298mr8461308ywg.36.1699983417436; Tue, 14 Nov 2023 09:36:57 -0800 (PST)
MIME-Version: 1.0
From: James Addison <james@reciperadar.com>
Date: Tue, 14 Nov 2023 17:36:49 +0000
Message-ID: <CAF3AkiPt98c5By3M1qY=31qW4ESV9_TF7bzH+wdqz2iqzBB+6w@mail.gmail.com>
To: dnsext@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/vtbGXqBKSKzBqYAAE1VMhATiuw4>
Subject: [dnsext] Draft: RRTYPE B - Web Resource Integrity
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsext/>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Nov 2023 17:38:13 -0000

A. Submission Date: N/A (draft / RFC)

B.1 Submission Type:  [x] New RRTYPE  [ ] Modification to RRTYPE
B.2 Kind of RR:  [x] Data RR  [ ] Meta-RR

C. Contact Information for submitter (will be publicly posted):
   Name: James Addison              Email Address: james@reciperadar.com
   International telephone number: N/A
   Other contact handles: N/A

D. Motivation for the new RRTYPE application.

W3C HTML allows website authors to optionally include Subresource
Integrity[1][2] (SRI) metadata within their markup.  This enables
user-agents such as web browsers to check that the corresponding
content that they fetch matches the content intended by the website
author.

A missing link in the integrity supply chain is the initial page-load:
the user-agent is provided with no integrity expectation about the
HTML page that itself contains the subresource integrity markup
attributes.

The proposal here is to add a DNS B record type, to be used to publish
integrity metadata for the root index URI of a website on a given
domain record.

Because in most cases a web user-agent already performs DNS A and/or
AAAA lookups to retrieve IP address(es) to request a web URI from,
adding a neighbouring RR type to provide integrity metadata may allow
for both human mental models and software code to adapt incrementally,
without significant changes to existing assumptions.

E. Description of the proposed RR type.

The proposed DNS RR type is a DNS 'B' record, intended to contain a
single metadata record in the format described by the W3C Content
Security Policy Level 2's definition of a hash-source[3] .  In brief:
this is an ASCII format that is composed of a prefix that indicates a
known cryptographic hash method, followed by a single hyphen ('-')
character, followed by the base64-encoded hash of the content using
the specified algorithm.

For example, the response to a 'dig' DNS lookup for the domain name
reciperadar.com might include the following:

;; ANSWER SECTION:
reciperadar.com.    3600    IN    A    192.0.2.18
reciperadar.com.    3600    IN    B
sha512-5sY7BUrKX/1p6j6PJECwN+7rX2ORqP/StA2iR7bI9C30aGT6wF4PAEum4mnyrsQNjl/whRZ9luAVANNz9Uqkqg=

The proposed record type does not allow integrity hashes to be
specified for multiple URIs on the domain where it is configured.
Only a single 'B' record may be configured for the domain, and the
integrity hash contained within it is published solely for use
validating content fetched from the root URI path ('/') of that
domain.

A motivating use case is to provide integrity guarantees to
user-agents that fetch and load single-page web applications that are
deployed and distributed using webservers.  Updates to such an
application should be preceded by an update to the DNS B record on
each domain they are distributed from.

F. What existing RRTYPE or RRTYPEs come closest to filling that need
   and why are they unsatisfactory?

The existing A and AAAA record types provide a way for world-wide-web
user-agents to discover the IP address of server(s) to request webpage
content from.  However, these record types do not provide integrity
expectations about the content that may subsequently be communicated
to the client.

G. What mnemonic is requested for the new RRTYPE (optional)?

N/A (guidance requested)

H. Does the requested RRTYPE make use of any existing IANA registry
   or require the creation of a new IANA subregistry in DNS
   Parameters?  If so, please indicate which registry is to be used
   or created.  If a new subregistry is needed, specify the
   allocation policy for it and its initial contents.  Also include
   what the modification procedures will be.

No.

I. Does the proposal require/expect any changes in DNS
   servers/resolvers that prevent the new type from being processed
   as an unknown RRTYPE (see [RFC3597])?

No; existing servers and resolvers should be able to replicate zone
data containing 'B' records without requiring any knowledge of the
semantics of the RRtype; the type describes a textual record providing
a communication channel to carry an integrity guarantee about web
content from the author to clients of that content, using DNS as the
distribution method.

J. Comments:

Although an anticipated use case is delivery of web applications from
a fixed root URI on a domain, websites composed of static content
could also use the ability to communicate integrity expectations to
clients out-of-band from HTTP/HTTPS protocols.

Related specifications:

1. Transport layer security, which provides for in-band content
integrity guarantees within the context of a negotiated communication
session.

2. DNSSEC, which provides security assurances on the content of data
within a DNS zone.

3. The draft specification of HTTP message signatures
(draft-ietf-httpbis-message-signatures), which could provide for
integrity guarantees on portions of content communicated within HTTP
requests and responses.

Each of these are orthogonal to the proposed DNS B RRType -- and to
each other -- and could be used in combination.

[1] - https://www.w3.org/TR/2016/REC-SRI-20160623/

[2] - https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity

[3] - https://www.w3.org/TR/CSP2/#hash_source

v2.23.0 | Report a Bug | By Email