IETF Logo Mail Archive

Re: [DNSOP] HSTS on receiving a signed HTTPS record (was: Questions / concerns with draft-ietf-dnsop-svcb-https ...)

Ben Schwartz <bemasc@google.com> Wed, 07 September 2022 20:58 UTC

Return-Path: <bemasc@google.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15C7AC1526E2 for <dnsop@ietfa.amsl.com>; Wed, 7 Sep 2022 13:58:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.606
X-Spam-Level:
X-Spam-Status: No, score=-17.606 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4gs5fhgOvGw0 for <dnsop@ietfa.amsl.com>; Wed, 7 Sep 2022 13:58:20 -0700 (PDT)
Received: from mail-wr1-x42e.google.com (mail-wr1-x42e.google.com [IPv6:2a00:1450:4864:20::42e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B741AC1526E0 for <dnsop@ietf.org>; Wed, 7 Sep 2022 13:58:20 -0700 (PDT)
Received: by mail-wr1-x42e.google.com with SMTP id bj14so9198722wrb.12 for <dnsop@ietf.org>; Wed, 07 Sep 2022 13:58:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=CHbGe5StdpLryxuGLBvOo+t+oQ/8zA4tlQkYM+MBLNs=; b=MJV5Pz0EEqWaXWjQe/wDeVu/nFkytb+y71amA1yr7XVEWpJmeJlAz2Sc9BHl7ZNcdA 0zX3/Ksf3eaJok7T85iEfDUqVEZMu074eBFqFrPmI7xD9nBqS5PKuUQ6Uu5w5n+DstFL th5Maloto0AiQ6bigcxNIR4u8/1HItIJK1TPS2sbMmcquVgrxo8HkUYOHO7oTcRUy4ho s8ua3hhII6u9vdxqbdk9DxRaip54ngNK48zRPMt+u17KxWRTDxJj9OUTSlYH0Rwsx1HX +mCyqLvi36e8ZYPBDV5bzKBeiJn+JT5Hjts9tMmPsV7jeeID3Z42JU5QQT1HA5HzXp2N +CXA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=CHbGe5StdpLryxuGLBvOo+t+oQ/8zA4tlQkYM+MBLNs=; b=0ufFl49J0ANhm8TyDiqjqAvpzFJ4dfK65e6nbaeeLfhXtpaAsaGF5yPMOxSu2X8+65 uDUnxrvX1ZKjFsPHMYTT2kuxjupfAoA+JkzYatnXGlgbekrD7y35tQqotHugYPo+ZPU9 2i5x57IuE2lrF/CExIGkK8L5oU0Zq2uzlrxMMETZNG/NVRN9vgnQgdO8v/beH89dfO60 b5uRDP5H4Z41TIrOFrBs49XgCnOT/VMGquxp/9SamJGvrvC6vVfkBLKSG8Ef7EKhWjKm h/FDgpX1WjJ2hgq2qoSn9i7VKYVGaC5cFpDIVWpQm1leolP8KiAdPV3DM8pU6IuKlhqy I0QA==
X-Gm-Message-State: ACgBeo3GC6qiN/d74/W2QseM85HaLUG/VMLSPNKOEa9pU+03zNazUKVg tTm8lMAUg1gz6CzW2YXKraWcXF45hsovRMHPKFGdmsJDojw=
X-Google-Smtp-Source: AA6agR7NNeUi9i6o93xFluxn+pgR/WGy1PxPhpudQsGlDuIsEZ2Lu5zdYQZHqvbtHy/uk2CKQLxSmAOZPUzAPqDKnZA=
X-Received: by 2002:adf:f4cf:0:b0:228:63bd:da33 with SMTP id h15-20020adff4cf000000b0022863bdda33mr3177060wrp.181.1662584299063; Wed, 07 Sep 2022 13:58:19 -0700 (PDT)
MIME-Version: 1.0
References: <CAHw9_iKZJndu1100LBU3TiuhF9ACb0As2deA1oZWD2eA46tBbA@mail.gmail.com> <CAH1iCiqryY=u6MN2mkf7krHLmc7TQkoDaXe0k=ZZ+0e9uiMb-Q@mail.gmail.com> <YwaQrnoA3hifxCQW@straasha.imrryr.org> <CAMOjQcEcKQSWvb_LqmfkGwZ2dt_561jLZxHTMuMO0pMy2s9mbw@mail.gmail.com> <CAH1iCirnWdDY0p2-grQKN3PQWOM=JLevxbNskFFEzGwHvisGZA@mail.gmail.com> <B024358C-77FD-4E63-8E18-1CBCEA6C6B14@icann.org> <CAH1iCiry3VDS+dM+wEkPH5a_TSt5pEddxPjKOhL9_M20e_dR0A@mail.gmail.com> <8B970775-22CF-403B-9B8A-84DCC0932D76@icann.org> <CAHbrMsC_RO1J6qp_yOWOc3P4zpZ-cOCB6adXRwjoSQP7_yrWug@mail.gmail.com> <CAH1iCiqzeZORDmbE+XMs1wt6YZKYFZWnsnrvN8fbLHpFXEfDfw@mail.gmail.com> <CAHbrMsDSbDapPFFfhU1iyi5BpEjb8NA7WXz+1pu78dGnuVkNzg@mail.gmail.com> <CAH1iCiojyT47nvNqeCkz8X4ueY0y_fp11BNEoV6WMuWx639_Dg@mail.gmail.com> <CAH1iCipRjnvs71iiK1aaMKj98P65-NqKSL4+XfmMA_MsU9_JNg@mail.gmail.com> <fb2efcf3-649d-400a-bcb1-cdb0c8e70d09@betaapp.fastmail.com> <CAMOjQcGPNJ5ez-ZE9TVD=_7skbRsA9nKrVtCUq1E3yT_dUd5Pg@mail.gmail.com> <CAH1iCioh8OyZ1LDmtZaves_AsE7xnayiAJS_1rxNT0pgf2nBNg@mail.gmail.com> <CAMOjQcGKV+GRt24KFWFk=h591koQWnRFK7CPCAKCQF65SP1_=Q@mail.gmail.com>
In-Reply-To: <CAMOjQcGKV+GRt24KFWFk=h591koQWnRFK7CPCAKCQF65SP1_=Q@mail.gmail.com>
From: Ben Schwartz <bemasc@google.com>
Date: Wed, 07 Sep 2022 16:57:51 -0400
Message-ID: <CAHbrMsDCnKbdTiLZow_irk2VCNvc8J3NJOOdaPbo3W-JRqMxXg@mail.gmail.com>
To: Eric Orth <ericorth=40google.com@dmarc.ietf.org>
Cc: Brian Dickson <brian.peter.dickson@gmail.com>, Martin Thomson <mt@lowentropy.net>, "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000941bee05e81c921e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/8ipZmIn8PwhT9G7vGlYM4TtP8Vw>
Subject: Re: [DNSOP] HSTS on receiving a signed HTTPS record (was: Questions / concerns with draft-ietf-dnsop-svcb-https ...)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Sep 2022 20:58:23 -0000

I believe the proposed change here is moot.  The point of the current "MUST
NOT" is just a reminder that this logic does not require doing anything
unsafe.  A DNSSEC signature on the HTTPS record would not enable any
substantial improvements to the pseudo-HSTS upgrade.

Also, HTTP specifications generally do not rely on DNSSEC.  If there is
appetite for exploring possible enhancements to HTTP that rely on DNSSEC, I
think this would be better addressed in a general "DNSSEC-Enhanced HTTP"
document.  (However, I think it would not be wise to publish such a
document until such time as end-to-end DNSSEC is reasonably prevalent in
the HTTP ecosystem.)

On Wed, Aug 31, 2022 at 6:40 PM Eric Orth <ericorth=
40google.com@dmarc.ietf.org> wrote:

> Does any HTTP client not follow 307 redirects if received over cleartext?
> This feels to me like a purely theoretical situation.  I'm not opposed to a
> bis making the trust in the HSTS feature be treated more similarly to
> receiving the 307 over HTTPS when DNS is protected, but I also wouldn't
> consider this important enough on its own to adopt a bis.
>
> On Wed, Aug 31, 2022 at 6:22 PM Brian Dickson <
> brian.peter.dickson@gmail.com> wrote:
>
>>
>>
>> On Wed, Aug 31, 2022 at 10:43 AM Eric Orth <ericorth=
>> 40google.com@dmarc.ietf.org> wrote:
>>
>>> I'm not sure what exactly is being changed or clarified with this
>>> suggestion.  Section 9.5 already applies at SHOULD-level, whether
>>> cryptographically protected or not and whether the received records were
>>> AliasMode or ServiceMode.
>>>
>>
>> The text in 9.5 has some language that is actually NOT at the SHOULD
>> level:
>>
>>    Because HTTPS RRs are received over an often-
>>    insecure channel (DNS), clients MUST NOT place any more trust in this
>>    signal than if they had received a 307 (Temporary Redirect) response
>>    over cleartext HTTP.
>>
>>
>> That's what the suggestion is making an effort to strengthen, under
>> specific conditions (e.g. cryptographically protected HTTPS records
>> received).
>>
>> The current 9.5 text quoted above, is placing MUST NOT guidance,
>> independent of whether the records were cryptographically protected.
>>
>> I'm thinking it would be better to fix the quoted language above, in a
>> -bis document, if the suggested text isn't acceptable as an update to the
>> about-to-be-published draft.
>>
>> The logic used to reach that MUST NOT is suspect, IMHO.
>> The main non-requirements on DNSSEC (i.e. that HTTPS does not require it)
>> are then turned into an "assume all DNS responses are not cryptographically
>> protected" inferentially.
>>
>> It would be better guidance to instruct clients to use appropriate levels
>> of trust, on signed vs unsigned DNS, and/or DNS received over encrypted
>> transports.
>>
>> I also think the guidance would be more precise if the encrypted
>> transport were not lumped together with the signed content.
>> Also something for a potential -bis or best practice document.
>>
>> Brian
>>
>>
>>> On Wed, Aug 31, 2022 at 5:43 AM Martin Thomson <mt@lowentropy.net>
>>> wrote:
>>>
>>>> On Wed, Aug 31, 2022, at 18:39, Brian Dickson wrote:
>>>> > One additional suggested addition to the end of section 3.1 is:
>>>> >>    If DNS responses are cryptographically protected, and at least
>>>> >>    one HTTPS AliasMode record has been received successfully,
>>>> >>    clients MAY apply Section 9.5 (HSTS equivalent) restrictions
>>>> >>    even when reverting to non-SVCB connection modes. Clients
>>>> >>    also MAY treat resolution or connection failures subsequent
>>>> >>    to the initial cryptographically protected AliasMode record
>>>> >>    as fatal.
>>>> > [Brian's note: this last would provide some guidance to implementers
>>>> of
>>>> > clients: a signed HTTPS AliasMode record is a strong signal that the
>>>> > DNS operator is discouraging fallback, albeit at a "MAY" level.]
>>>> >
>>>> > NB: The 2.4.3 change could be removed as it is mostly independent, as
>>>> > could the last addition to 3.1.
>>>> > The 1.2 change is very minor, is not too important but presents a
>>>> > succinct clarification on the hostname vs domain name thing.
>>>> > The 2.4.2 change and section 3 changes together are fixes for the
>>>> > prefix/no-prefix issue (which was basically a scrivener's error, and
>>>> > does not change the semantics at all.) They should stay or go as one
>>>> > unit.
>>>>
>>>> I somewhat like this change, but I would generalize to receiving any
>>>> signed HTTPS record during resolution, rather than limiting it to AliasMode.
>>>>
>>>> That said, it is somewhat gratuitous.  I'd want it standardized if that
>>>> was what was expected, but I'd prefer to defer that to an
>>>> extension/follow-up.
>>>>
>>>> (In case you hadn't guessed, I tend to agree with those arguing for no
>>>> change to the spec.)
>>>>
>>>> _______________________________________________
>>>> DNSOP mailing list
>>>> DNSOP@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/dnsop
>>>>
>>> _______________________________________________
>>> DNSOP mailing list
>>> DNSOP@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dnsop
>>>
>> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

v2.23.0 | Report a Bug | By Email