[DNSOP] Re: New I-D: draft-callec-dive-00 (Domain-based Integrity Verification Enforcement)
Ben Schwartz <bemasc@meta.com> Thu, 09 April 2026 19:53 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/EUpxbLgilznpyJgaaR7GZwleqOw>
This is an interesting idea, and noticeably related to https://mailarchive.ietf.org/arch/msg/dnsop/q6TZjY--IskxbUKfqqhUKpJIJkw/.

I would encourage you to make the draft less verbose.

I recommend making more use of existing, relevant components such as HTTP Message Signatures (RFC 9421).

I recommend drawing a clear separation between the "object security for HTTP" aspect, depending on a trusted public key distributed out of band, and the DNS distribution of that key.

I recommend starting in HTTPBIS, not DNSOP, as most of the utility and complexity of this proposal is on the HTTP side.

--Ben

On Fri, Apr 3, 2026 at 6:59 AM Matéo Callec <mateo=40callec.net@dmarc.ietf.org> wrote:

> Hi everyone,
>
> I have submitted a new individual Internet-Draft: "Domain-based Integrity
> Verification Enforcement (DIVE)" (draft-callec-dive-00).
>
> - Draft link: https://datatracker.ietf.org/doc/draft-callec-dive/
> - Reference Implementation: https://github.com/diveprotocol/opendive-client
>
> ---
>
> 1. Abstract & Problem Statement
>
> DIVE is a protocol designed to ensure resource integrity by using the DNS
> as a secondary out-of-band source of trust.
>
> While existing solutions (like PGP-signed repositories or specific package
> manager keys) work, they often face challenges regarding key revocation,
> rotation, and distribution. If an attacker gains full access to a web
> server’s infrastructure, they can often serve malicious files along with
> updated (but compromised) checksums.
>
> ---
>
> 2. How DIVE Works
>
> DIVE decouples the file storage from the integrity verification key:
>
> - Transport: The server delivers the resource and a signature (via a
>   dedicated HTTP header).
> - Verification: The client fetches the public key from a DNS resource
>   record, secured by DNSSEC.
> - Validation: The client verifies the resource's integrity using the
>   out-of-band key.
>
> This mechanism ensures that even if the HTTP server is fully compromised,
> an attacker cannot bypass integrity checks without also gaining control
> over the DNSSEC-protected zone.
>
> ---
>
> 3. Key Benefits
>
> - Rapid Revocation: Key revocation is as fast as DNS TTL propagation.
> - Multi-Key Support: The protocol allows for multiple active public keys,
>   enabling key rotation without downtime and supporting diverse signing
>   authorities for the same domain.
> - Granular Control: Keys can be restricted to specific subdomains.
> - Deployment Ease: Supports a report-only mode for progressive rollout
>   without breaking existing workflows.
> - Resilience: An attacker must compromise both the web infrastructure AND
>   the DNS/DNSSEC signing infrastructure (or the private keys associated with
>   the DNS records) to successfully serve a signed malicious file.
>
> ---
>
> 4. Proof of Concept
>
> A reference client is available via "pip install opendive-client". You can
> test the verification logic with the sandbox:
>
> - Valid file: opendive download https://sandbox.diveprotocol.org/downloads/valid.txt
> - Invalid file: opendive download https://sandbox.diveprotocol.org/downloads/invalid.txt
>
> I would greatly appreciate your feedback. Is this something the WG would
> find interest in pursuing?
>
> Best regards,
> Matéo Callec
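
The separation recommended in the reply, together with the multi-key, revocation and report-only behaviour listed in the announcement, sketched in Go as an added example (not code from the draft or from opendive-client). Ed25519, the `KeySource` type, the `Verify` and `Scenarios` names and the report-only policy are assumptions made here; the page does not give the draft's algorithm, header or record format, and the closure stands in for a DNSSEC-validated lookup.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// KeySource is the out-of-band trust anchor (hypothetical type). A real client
// would back it with a DNSSEC-validated lookup; Verify never sees DNS itself.
type KeySource func(domain string) ([]ed25519.PublicKey, error)

var ErrUntrusted = errors.New("signature matches no published key")

// Verify is the object-security half. Assumed policy: enforce mode fails
// closed; report-only accepts the resource but still returns the error.
func Verify(src KeySource, domain string, body, sig []byte, reportOnly bool) (bool, error) {
	keys, err := src(domain)
	if err != nil {
		return reportOnly, err
	}
	for _, k := range keys { // any currently published key may have signed
		if len(k) == ed25519.PublicKeySize && ed25519.Verify(k, body, sig) {
			return true, nil
		}
	}
	return reportOnly, ErrUntrusted
}

// Scenarios runs the cases from the announcement on constructed keys and data.
func Scenarios() map[string]bool {
	pubA, privA, _ := ed25519.GenerateKey(nil)
	pubB, privB, _ := ed25519.GenerateKey(nil)
	_, evil, _ := ed25519.GenerateKey(nil) // held by whoever controls the web server
	published := []ed25519.PublicKey{pubA, pubB}
	zone := func(string) ([]ed25519.PublicKey, error) { return published, nil }
	good, bad := []byte("release-1.0"), []byte("release-1.0 modified")
	r := map[string]bool{}
	r["keyA"], _ = Verify(zone, "example.org", good, ed25519.Sign(privA, good), false)
	r["keyB"], _ = Verify(zone, "example.org", good, ed25519.Sign(privB, good), false)
	r["resigned"], _ = Verify(zone, "example.org", bad, ed25519.Sign(evil, bad), false)
	r["reportOnly"], _ = Verify(zone, "example.org", bad, ed25519.Sign(evil, bad), true)
	published = published[1:] // key A withdrawn from the zone
	r["revokedA"], _ = Verify(zone, "example.org", good, ed25519.Sign(privA, good), false)
	return r
}

func main() { fmt.Println(Scenarios()) }
```

Because `Verify` only depends on `KeySource`, the same check works with a key pinned in configuration or delivered some other way, which is the split between the HTTP-side signature and the DNS-side key distribution that the reply asks for.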