IETF Logo Mail Archive

Re: [DNSOP] New Version Notification for draft-rebs-dnsop-svcb-dane-00.txt

Ben Schwartz <bemasc@google.com> Mon, 13 December 2021 15:05 UTC

Return-Path: <bemasc@google.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6AC963A03C9 for <dnsop@ietfa.amsl.com>; Mon, 13 Dec 2021 07:05:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id euyh4OZPf3W9 for <dnsop@ietfa.amsl.com>; Mon, 13 Dec 2021 07:05:09 -0800 (PST)
Received: from mail-ua1-x930.google.com (mail-ua1-x930.google.com [IPv6:2607:f8b0:4864:20::930]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E9663A040B for <dnsop@ietf.org>; Mon, 13 Dec 2021 07:05:09 -0800 (PST)
Received: by mail-ua1-x930.google.com with SMTP id o1so29690179uap.4 for <dnsop@ietf.org>; Mon, 13 Dec 2021 07:05:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=epTNI1C/oW713O9seUshTj2q5cGMrlGM9mOt4X6UTfs=; b=hJK0XC45jYLjH4gdYImDdBnuCUvsH1ukzjKAhimt+zAMEUm7E6SS+UAhNnGff2w9tU uPVBNe/Ppp+Qgn9dyeabb6HlZlqxly+W29uEGKWRDlfoM6pdUnymPhMkVdyjwJqmv+6H SfqlC2W/GjChWOY9YO2cx+bqQCfAAzU6TXeBxg3xGdxKPAlOJdCZopAozTbjQKYZl0fk 0HYeu/U8r+GemKczVXBxkMJPYlC86M/tgHnpfFpx695LstFpIM6+ZdWXSk+OS0sx4tUu Wea7j+qfDJdXP4a3TWzcY+Ua48gxV4+SvHcX6Y1rXVJpO2UdO5FIkUGVf0/lHlcQy6fJ 8BxQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=epTNI1C/oW713O9seUshTj2q5cGMrlGM9mOt4X6UTfs=; b=6wVtahV6aRAXevc+B4+ytUY8wa4XFLKmpeJYw55xWs4pNxrEBDbjr4Y3Q76pp64NUP OfBrqlZ0eKG9t8gSqeYwrIro4EpJt/GzZwFggR2DuREQt+6JukWXynrkudABnjkNZK1D uBzvWBE17yiemP8rxR4SxCrPm0HDtI/f3qDwWjo05lKhfFJOAQn4UWnQrvaqrlZI1mhw bilR2eOmiCFa7a+PJM/A0OrVFRVlkwK5Giy+G9ROC51LcIYIZgug3VLc8E4LOt3WFiXa a17LEx5LeCk1+kI87t0RStqOpiWcGsTXIsd93Ll35WG/N3IVVH0ageZ07wlnV4Kvmfr3 oFpQ==
X-Gm-Message-State: AOAM531u6JwTIm8m7NryPRcbBx8jSRGuS4NiZGQJO8JCHEb31EaLKquo Szy+T0t6cCzijOmzHm8DLl4ppY+7JxjigP511QOrlqMcZG8pTw==
X-Google-Smtp-Source: ABdhPJy9Hx9MMB8BD0nYQYzgnY8IUEPiJvF0pnd5++pAjPr8M0YNaIQAnB9JV9QHKBcpJaHzOGSHLCfTi/Kch1A5f7s=
X-Received: by 2002:ab0:36fa:: with SMTP id x26mr41718067uau.15.1639407906569; Mon, 13 Dec 2021 07:05:06 -0800 (PST)
MIME-Version: 1.0
References: <163908832760.8339.4135304026578566025@ietfa.amsl.com> <CAHbrMsCbN8+2UCQLCYKvp5RZ_v+srMha5xU25A9Q9F=ASna9xA@mail.gmail.com> <F9919030-4B37-42DE-BE7B-73BAAFDC5433@dukhovni.org>
In-Reply-To: <F9919030-4B37-42DE-BE7B-73BAAFDC5433@dukhovni.org>
From: Ben Schwartz <bemasc@google.com>
Date: Mon, 13 Dec 2021 10:04:55 -0500
Message-ID: <CAHbrMsDT5-u6n1tJnSjd9X1vMyyp5HcNrvL4NB3Quzi_p5nWfQ@mail.gmail.com>
To: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ea3ba205d308656b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/1GG_DINcaOEXoF8P6trEvQvPnbs>
Subject: Re: [DNSOP] New Version Notification for draft-rebs-dnsop-svcb-dane-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Dec 2021 15:05:15 -0000

On Fri, Dec 10, 2021 at 12:58 PM Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

> > On 9 Dec 2021, at 5:32 pm, Ben Schwartz <bemasc@google.com> wrote:
> >
> > This is a very small draft explaining how to do DANE with SVCB, mostly
> following the pattern of DANE-SRV.  It also updates DANE for use with QUIC.
> >
> > Please review.
>
> Initial observations:
>
> 1.  While DANE certificate validation as described in RFCs 7671,7672 and
> 7673
>     is fine in SMTP, IMAP, XMPP, ... for HTTP (and perhaps some other
> applications)
>     skipping validation of the target name with DANE-EE(3) records
> introduces a "UKS"
>     (i.e. "Unknown Key Share") issue, that would definitely be a concern
> for "h3".
>
>     https://datatracker.ietf.org/doc/html/draft-barnes-dane-uks-00
>
>     Thus, unless "UKS" is known to not be a concern, applications should
> also
>     validate the target name against the server certificate even with
> DANE-EE(3).
>

This is interesting, but I think it's orthogonal.  That vulnerability
analysis applies equally before and after this draft.

I'd be happy to add a reference to draft-barnes-dane-uks to the text, but
since that draft expired several years ago, I think we would need a new or
updated draft first.

2.  In 7671 CNAME chasing for the target zone is more detailed than in this
> draft.
>
>         * Either every record in a chain of CNAMEs leading to an unaliased
> target
>           is "secure" (DNSSEC-signed and validated), and there's an
> associated
>           TLSA record for the end of the chain.  In which case that's used.
>
>         * Or else, the TLSA record lookup is performed at the initial
> unaliased
>           target.
>
>     There are no "middle of chain" TLSA lookups, or TLSA lookups at the
> end of a
>     chain that is not end-to-end secure.
>

Yes, the intent is to incorporate that behavior by reference without
restating it.  I've proposed an adjustment to this text for improved
clarity: https://github.com/bemasc/svcb-dane/pull/3/files.

More generally, the goal is to be able to treat each connection attempt
with exactly the same logic, whether or not SVCB is used.  SVCB produces a
TargetName, which (if securely resolved) can then be passed into the RFC
7671 machine exactly as if it were the original name.

3.  Are the targets of SVCB/HTTPS records allowed to be CNAME aliases?


Yes: Section 3 of draft-ietf-dnsop-svcb-https-08 says "the TargetName MAY
be the owner of a CNAME record".


>   Experience
>     since 7672 was written shows that TLSA records at CNAME-expanded
> targets are
>     rare, and supporting these correctly is complex.  Also the original
> target
>     owners can, if they wish explicitly redirect their TLSA records to
> point at
>     the TLSA records expected at the expanded name.


>     So perhaps adding CNAME-expansion into 7672/7671 was a mistake.
> There's
>     an opportunity here to not repeat it if that's the case.


I can see the appeal of the CNAME-expansion behavior, but it also strikes
me as an awkward compromise.

Diverging from RFC 7671 here seems a bit unfortunate.  I would prefer to
Update RFC 7671 to deprecate the complex CNAME behavior, but I'm not sure
whether that's really possible now.

There are also some nontrivial privacy implications due to the effect on
SNI.


>   Mind you aliased
>     MX exchange names are a violation of RFC5321 (one that's tolerated by
> many
>     MTAs, some obliviously, because they just look up IP addresses without
> taking
>     steps to exclude possible CNAME expansion along the way).
>
> 4.  If there are opportunistic applications in scope for this draft, they
> may
>     want to follow the advice of 7672 to only check for TLSA records if the
>     target zone is determined to be signed after first performing the IP
> (v4/v6)
>     address lookup.


This doesn't seem like a very good optimization.  For optimal latency, the
client would issue any queries as soon as it can.

  Here a related CNAME detail comes into scope, the target
>     zone may be signed, but the CNAME expanded zone with the IPs might not.
>
>     Therefore, if HTTPS/SVCB targets are allowed to be aliased, the client
>     would have to issue an explicit "CNAME query" in the address lookup
>     comes back as an "insecure" answer via CNAME/DNAME expansion.  This
>     assumes that the client is delegating DNSSEC-validation to a local
> recursive
>     resolver and trusting its "AD" bit.


Let me try to understand.  RFC 4035 says:

> a recursive name server MAY set the AD bit when a response includes
unsigned CNAME RRs if those CNAME RRs demonstrably could have been
synthesized from an authentic DNAME RR that is also included in the response

Are you referring to the case where the recursive resolver does _not_ do
this?  In that case, the client cannot simply fail when AD=0, because it
would break compatibility with DNAME.

This is interesting, but it seems like a generic problem with DNAME and the
AD bit, not a problem specific to DANE or to this draft.

  If the client is doing its own DNSSEC
>     validation, its DNS library will know whether the origin of the CNAME
> chain
>     is secure or not, and this information may be available to the client
> without
>     a follow-up explicit type "CNAME" lookup (to suppress CNAME expansion).
>
> --
>         Viktor.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

v2.23.0 | Report a Bug | By Email