Re: [DNSOP] HSTS on receiving a signed HTTPS record (was: Questions / concerns with draft-ietf-dnsop-svcb-https ...)
Ben Schwartz <bemasc@google.com> Wed, 07 September 2022 20:58 UTC
Return-Path: <bemasc@google.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15C7AC1526E2 for <dnsop@ietfa.amsl.com>; Wed, 7 Sep 2022 13:58:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.606
X-Spam-Level:
X-Spam-Status: No, score=-17.606 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4gs5fhgOvGw0 for <dnsop@ietfa.amsl.com>; Wed, 7 Sep 2022 13:58:20 -0700 (PDT)
Received: from mail-wr1-x42e.google.com (mail-wr1-x42e.google.com [IPv6:2a00:1450:4864:20::42e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B741AC1526E0 for <dnsop@ietf.org>; Wed, 7 Sep 2022 13:58:20 -0700 (PDT)
Received: by mail-wr1-x42e.google.com with SMTP id bj14so9198722wrb.12 for <dnsop@ietf.org>; Wed, 07 Sep 2022 13:58:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=CHbGe5StdpLryxuGLBvOo+t+oQ/8zA4tlQkYM+MBLNs=; b=MJV5Pz0EEqWaXWjQe/wDeVu/nFkytb+y71amA1yr7XVEWpJmeJlAz2Sc9BHl7ZNcdA 0zX3/Ksf3eaJok7T85iEfDUqVEZMu074eBFqFrPmI7xD9nBqS5PKuUQ6Uu5w5n+DstFL th5Maloto0AiQ6bigcxNIR4u8/1HItIJK1TPS2sbMmcquVgrxo8HkUYOHO7oTcRUy4ho s8ua3hhII6u9vdxqbdk9DxRaip54ngNK48zRPMt+u17KxWRTDxJj9OUTSlYH0Rwsx1HX +mCyqLvi36e8ZYPBDV5bzKBeiJn+JT5Hjts9tMmPsV7jeeID3Z42JU5QQT1HA5HzXp2N +CXA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=CHbGe5StdpLryxuGLBvOo+t+oQ/8zA4tlQkYM+MBLNs=; b=0ufFl49J0ANhm8TyDiqjqAvpzFJ4dfK65e6nbaeeLfhXtpaAsaGF5yPMOxSu2X8+65 uDUnxrvX1ZKjFsPHMYTT2kuxjupfAoA+JkzYatnXGlgbekrD7y35tQqotHugYPo+ZPU9 2i5x57IuE2lrF/CExIGkK8L5oU0Zq2uzlrxMMETZNG/NVRN9vgnQgdO8v/beH89dfO60 b5uRDP5H4Z41TIrOFrBs49XgCnOT/VMGquxp/9SamJGvrvC6vVfkBLKSG8Ef7EKhWjKm h/FDgpX1WjJ2hgq2qoSn9i7VKYVGaC5cFpDIVWpQm1leolP8KiAdPV3DM8pU6IuKlhqy I0QA==
X-Gm-Message-State: ACgBeo3GC6qiN/d74/W2QseM85HaLUG/VMLSPNKOEa9pU+03zNazUKVg tTm8lMAUg1gz6CzW2YXKraWcXF45hsovRMHPKFGdmsJDojw=
X-Google-Smtp-Source: AA6agR7NNeUi9i6o93xFluxn+pgR/WGy1PxPhpudQsGlDuIsEZ2Lu5zdYQZHqvbtHy/uk2CKQLxSmAOZPUzAPqDKnZA=
X-Received: by 2002:adf:f4cf:0:b0:228:63bd:da33 with SMTP id h15-20020adff4cf000000b0022863bdda33mr3177060wrp.181.1662584299063; Wed, 07 Sep 2022 13:58:19 -0700 (PDT)
MIME-Version: 1.0
References: <CAHw9_iKZJndu1100LBU3TiuhF9ACb0As2deA1oZWD2eA46tBbA@mail.gmail.com> <CAH1iCiqryY=u6MN2mkf7krHLmc7TQkoDaXe0k=ZZ+0e9uiMb-Q@mail.gmail.com> <YwaQrnoA3hifxCQW@straasha.imrryr.org> <CAMOjQcEcKQSWvb_LqmfkGwZ2dt_561jLZxHTMuMO0pMy2s9mbw@mail.gmail.com> <CAH1iCirnWdDY0p2-grQKN3PQWOM=JLevxbNskFFEzGwHvisGZA@mail.gmail.com> <B024358C-77FD-4E63-8E18-1CBCEA6C6B14@icann.org> <CAH1iCiry3VDS+dM+wEkPH5a_TSt5pEddxPjKOhL9_M20e_dR0A@mail.gmail.com> <8B970775-22CF-403B-9B8A-84DCC0932D76@icann.org> <CAHbrMsC_RO1J6qp_yOWOc3P4zpZ-cOCB6adXRwjoSQP7_yrWug@mail.gmail.com> <CAH1iCiqzeZORDmbE+XMs1wt6YZKYFZWnsnrvN8fbLHpFXEfDfw@mail.gmail.com> <CAHbrMsDSbDapPFFfhU1iyi5BpEjb8NA7WXz+1pu78dGnuVkNzg@mail.gmail.com> <CAH1iCiojyT47nvNqeCkz8X4ueY0y_fp11BNEoV6WMuWx639_Dg@mail.gmail.com> <CAH1iCipRjnvs71iiK1aaMKj98P65-NqKSL4+XfmMA_MsU9_JNg@mail.gmail.com> <fb2efcf3-649d-400a-bcb1-cdb0c8e70d09@betaapp.fastmail.com> <CAMOjQcGPNJ5ez-ZE9TVD=_7skbRsA9nKrVtCUq1E3yT_dUd5Pg@mail.gmail.com> <CAH1iCioh8OyZ1LDmtZaves_AsE7xnayiAJS_1rxNT0pgf2nBNg@mail.gmail.com> <CAMOjQcGKV+GRt24KFWFk=h591koQWnRFK7CPCAKCQF65SP1_=Q@mail.gmail.com>
In-Reply-To: <CAMOjQcGKV+GRt24KFWFk=h591koQWnRFK7CPCAKCQF65SP1_=Q@mail.gmail.com>
From: Ben Schwartz <bemasc@google.com>
Date: Wed, 07 Sep 2022 16:57:51 -0400
Message-ID: <CAHbrMsDCnKbdTiLZow_irk2VCNvc8J3NJOOdaPbo3W-JRqMxXg@mail.gmail.com>
To: Eric Orth <ericorth=40google.com@dmarc.ietf.org>
Cc: Brian Dickson <brian.peter.dickson@gmail.com>, Martin Thomson <mt@lowentropy.net>, "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000941bee05e81c921e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/8ipZmIn8PwhT9G7vGlYM4TtP8Vw>
Subject: Re: [DNSOP] HSTS on receiving a signed HTTPS record (was: Questions / concerns with draft-ietf-dnsop-svcb-https ...)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Sep 2022 20:58:23 -0000
I believe the proposed change here is moot. The point of the current "MUST NOT" is just a reminder that this logic does not require doing anything unsafe. A DNSSEC signature on the HTTPS record would not enable any substantial improvements to the pseudo-HSTS upgrade. Also, HTTP specifications generally do not rely on DNSSEC. If there is appetite for exploring possible enhancements to HTTP that rely on DNSSEC, I think this would be better addressed in a general "DNSSEC-Enhanced HTTP" document. (However, I think it would not be wise to publish such a document until such time as end-to-end DNSSEC is reasonably prevalent in the HTTP ecosystem.) On Wed, Aug 31, 2022 at 6:40 PM Eric Orth <ericorth= 40google.com@dmarc.ietf.org> wrote: > Does any HTTP client not follow 307 redirects if received over cleartext? > This feels to me like a purely theoretical situation. I'm not opposed to a > bis making the trust in the HSTS feature be treated more similarly to > receiving the 307 over HTTPS when DNS is protected, but I also wouldn't > consider this important enough on its own to adopt a bis. > > On Wed, Aug 31, 2022 at 6:22 PM Brian Dickson < > brian.peter.dickson@gmail.com> wrote: > >> >> >> On Wed, Aug 31, 2022 at 10:43 AM Eric Orth <ericorth= >> 40google.com@dmarc.ietf.org> wrote: >> >>> I'm not sure what exactly is being changed or clarified with this >>> suggestion. Section 9.5 already applies at SHOULD-level, whether >>> cryptographically protected or not and whether the received records were >>> AliasMode or ServiceMode. >>> >> >> The text in 9.5 has some language that is actually NOT at the SHOULD >> level: >> >> Because HTTPS RRs are received over an often- >> insecure channel (DNS), clients MUST NOT place any more trust in this >> signal than if they had received a 307 (Temporary Redirect) response >> over cleartext HTTP. >> >> >> That's what the suggestion is making an effort to strengthen, under >> specific conditions (e.g. cryptographically protected HTTPS records >> received). >> >> The current 9.5 text quoted above, is placing MUST NOT guidance, >> independent of whether the records were cryptographically protected. >> >> I'm thinking it would be better to fix the quoted language above, in a >> -bis document, if the suggested text isn't acceptable as an update to the >> about-to-be-published draft. >> >> The logic used to reach that MUST NOT is suspect, IMHO. >> The main non-requirements on DNSSEC (i.e. that HTTPS does not require it) >> are then turned into an "assume all DNS responses are not cryptographically >> protected" inferentially. >> >> It would be better guidance to instruct clients to use appropriate levels >> of trust, on signed vs unsigned DNS, and/or DNS received over encrypted >> transports. >> >> I also think the guidance would be more precise if the encrypted >> transport were not lumped together with the signed content. >> Also something for a potential -bis or best practice document. >> >> Brian >> >> >>> On Wed, Aug 31, 2022 at 5:43 AM Martin Thomson <mt@lowentropy.net> >>> wrote: >>> >>>> On Wed, Aug 31, 2022, at 18:39, Brian Dickson wrote: >>>> > One additional suggested addition to the end of section 3.1 is: >>>> >> If DNS responses are cryptographically protected, and at least >>>> >> one HTTPS AliasMode record has been received successfully, >>>> >> clients MAY apply Section 9.5 (HSTS equivalent) restrictions >>>> >> even when reverting to non-SVCB connection modes. Clients >>>> >> also MAY treat resolution or connection failures subsequent >>>> >> to the initial cryptographically protected AliasMode record >>>> >> as fatal. >>>> > [Brian's note: this last would provide some guidance to implementers >>>> of >>>> > clients: a signed HTTPS AliasMode record is a strong signal that the >>>> > DNS operator is discouraging fallback, albeit at a "MAY" level.] >>>> > >>>> > NB: The 2.4.3 change could be removed as it is mostly independent, as >>>> > could the last addition to 3.1. >>>> > The 1.2 change is very minor, is not too important but presents a >>>> > succinct clarification on the hostname vs domain name thing. >>>> > The 2.4.2 change and section 3 changes together are fixes for the >>>> > prefix/no-prefix issue (which was basically a scrivener's error, and >>>> > does not change the semantics at all.) They should stay or go as one >>>> > unit. >>>> >>>> I somewhat like this change, but I would generalize to receiving any >>>> signed HTTPS record during resolution, rather than limiting it to AliasMode. >>>> >>>> That said, it is somewhat gratuitous. I'd want it standardized if that >>>> was what was expected, but I'd prefer to defer that to an >>>> extension/follow-up. >>>> >>>> (In case you hadn't guessed, I tend to agree with those arguing for no >>>> change to the spec.) >>>> >>>> _______________________________________________ >>>> DNSOP mailing list >>>> DNSOP@ietf.org >>>> https://www.ietf.org/mailman/listinfo/dnsop >>>> >>> _______________________________________________ >>> DNSOP mailing list >>> DNSOP@ietf.org >>> https://www.ietf.org/mailman/listinfo/dnsop >>> >> _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
- [DNSOP] Questions / concerns with draft-ietf-dnso… Warren Kumari
- Re: [DNSOP] [Ext] Questions / concerns with draft… Paul Hoffman
- Re: [DNSOP] [Ext] Questions / concerns with draft… Warren Kumari
- Re: [DNSOP] Questions / concerns with draft-ietf-… Brian Dickson
- Re: [DNSOP] Questions / concerns with draft-ietf-… Stephen Farrell
- Re: [DNSOP] Questions / concerns with draft-ietf-… Martin Thomson
- Re: [DNSOP] Questions / concerns with draft-ietf-… Stephen Farrell
- Re: [DNSOP] Questions / concerns with draft-ietf-… Viktor Dukhovni
- Re: [DNSOP] Questions / concerns with draft-ietf-… Eric Orth
- Re: [DNSOP] Questions / concerns with draft-ietf-… Viktor Dukhovni
- Re: [DNSOP] Questions / concerns with draft-ietf-… Brian Dickson
- Re: [DNSOP] [Ext] Questions / concerns with draft… Paul Hoffman
- Re: [DNSOP] [Ext] Questions / concerns with draft… Brian Dickson
- Re: [DNSOP] [Ext] Questions / concerns with draft… Eric Orth
- Re: [DNSOP] [Ext] Questions / concerns with draft… Paul Hoffman
- Re: [DNSOP] [Ext] Questions / concerns with draft… Brian Dickson
- Re: [DNSOP] [Ext] Questions / concerns with draft… Ben Schwartz
- Re: [DNSOP] [Ext] Questions / concerns with draft… Viktor Dukhovni
- Re: [DNSOP] [Ext] Questions / concerns with draft… Ben Schwartz
- Re: [DNSOP] [Ext] Questions / concerns with draft… Viktor Dukhovni
- Re: [DNSOP] [Ext] Questions / concerns with draft… Tommy Pauly
- Re: [DNSOP] [Ext] Questions / concerns with draft… Brian Dickson
- Re: [DNSOP] [Ext] Questions / concerns with draft… Brian Dickson
- Re: [DNSOP] [Ext] Questions / concerns with draft… Brian Dickson
- Re: [DNSOP] [Ext] Questions / concerns with draft… Brian Dickson
- Re: [DNSOP] [Ext] Questions / concerns with draft… Brian Dickson
- Re: [DNSOP] [Ext] Questions / concerns with draft… Brian Dickson
- Re: [DNSOP] [Ext] Questions / concerns with draft… Ben Schwartz
- Re: [DNSOP] [Ext] Questions / concerns with draft… Erik Nygren
- Re: [DNSOP] [Ext] Questions / concerns with draft… Viktor Dukhovni
- Re: [DNSOP] [Ext] Questions / concerns with draft… Warren Kumari
- Re: [DNSOP] [Ext] Questions / concerns with draft… Viktor Dukhovni
- Re: [DNSOP] [Ext] Questions / concerns with draft… Brian Dickson
- Re: [DNSOP] [Ext] Questions / concerns with draft… Brian Dickson
- [DNSOP] HSTS on receiving a signed HTTPS record (… Martin Thomson
- Re: [DNSOP] [Ext] Questions / concerns with draft… Warren Kumari
- Re: [DNSOP] Questions / concerns with draft-ietf-… Viktor Dukhovni
- Re: [DNSOP] [Ext] Questions / concerns with draft… Paul Hoffman
- Re: [DNSOP] HSTS on receiving a signed HTTPS reco… Eric Orth
- Re: [DNSOP] HSTS on receiving a signed HTTPS reco… Brian Dickson
- Re: [DNSOP] HSTS on receiving a signed HTTPS reco… Eric Orth
- Re: [DNSOP] [Ext] Questions / concerns with draft… Tommy Pauly
- Re: [DNSOP] HSTS on receiving a signed HTTPS reco… Ben Schwartz
- Re: [DNSOP] [Ext] Questions / concerns with draft… Ben Schwartz
- Re: [DNSOP] [Ext] Questions / concerns with draft… Warren Kumari
- Re: [DNSOP] [Ext] Questions / concerns with draft… Viktor Dukhovni
- Re: [DNSOP] [Ext] Questions / concerns with draft… Viktor Dukhovni
- Re: [DNSOP] [Ext] Questions / concerns with draft… Paul Hoffman
- Re: [DNSOP] [Ext] Questions / concerns with draft… Brian Dickson
- Re: [DNSOP] [Ext] Questions / concerns with draft… Martin Thomson
- Re: [DNSOP] [Ext] Questions / concerns with draft… Brian Dickson
- Re: [DNSOP] [Ext] Questions / concerns with draft… Viktor Dukhovni
- Re: [DNSOP] [Ext] Questions / concerns with draft… Paul Hoffman
- Re: [DNSOP] [Ext] Questions / concerns with draft… Viktor Dukhovni
- Re: [DNSOP] [Ext] Questions / concerns with draft… Paul Hoffman
- Re: [DNSOP] [Ext] Questions / concerns with draft… Erik Nygren
- Re: [DNSOP] [Ext] Questions / concerns with draft… Warren Kumari
- Re: [DNSOP] [Ext] Questions / concerns with draft… Erik Nygren
- Re: [DNSOP] [Ext] Questions / concerns with draft… Erik Nygren