Re: [DNSOP] Secdir early review of draft-ietf-dnsop-domain-verification-techniques-01
Shivan Kaul Sahib <shivankaulsahib@gmail.com> Mon, 10 July 2023 16:06 UTC
Return-Path: <shivankaul.1993@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4065C13AE52; Mon, 10 Jul 2023 09:06:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.847
X-Spam-Level:
X-Spam-Status: No, score=-6.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id incGn5UCtzs7; Mon, 10 Jul 2023 09:06:06 -0700 (PDT)
Received: from mail-wm1-x32d.google.com (mail-wm1-x32d.google.com [IPv6:2a00:1450:4864:20::32d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2476EC13AE55; Mon, 10 Jul 2023 09:05:58 -0700 (PDT)
Received: by mail-wm1-x32d.google.com with SMTP id 5b1f17b1804b1-3fbc59de0e2so48791425e9.3; Mon, 10 Jul 2023 09:05:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1689005156; x=1691597156; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=dPDuq217CwCNmaD5fLN5JWfemyKo36DUu0aNr99J4d8=; b=h29foMm/yFeYJM/LMKhArOYXI09y1FdGqncXPA5kD2JGJkokJfcN2CJBNXuLSXh8Hl xq0TSjfkS0X+e1HvmltJ85DKrM2oaskjeFVpPP44KEvnPZB+r21LlTWLZW0hcQDj8/Xb JNbIfUfcqO7hgAqsClUl/LXZfGow9CXYnC3wi21gISdDmDviw4GYhoG2BZvEvca5izcQ ds1zcqqyWwUfrZ4aDfh5Rw3vxEVsG3zR8stMGVVftGQVO428zNnxxWXVCyOGAkV6aPVw CF98ceLK2IIRomFAgSSelick8F1Sk8FKFiqcaYFrlmhJTLmvqa7SYDMTyfdqcXnmCC83 qTBA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689005156; x=1691597156; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=dPDuq217CwCNmaD5fLN5JWfemyKo36DUu0aNr99J4d8=; b=DPKm7rxI2zLKiNsdbL0sKjmKxBxxnuhT3ZkE7eAMM/mOaWXbRaSkLPMnnsXxqUidn1 pFRgdOJ14BCIOo5dVRq79F4jCELSxT9UMpt+RuMjqcO02S8DC81TtzpY3PqNpTw3Y7yt 5Z3boHTtadiSK06lsB8Mq+KqvLd5EIkdQ2oUD9Nqn3WixI16qEePd6BGHTePpTNDcO/3 S5IWt5swy/bt/NMUTUA+GgPoXGV/xuQWrILVbRmyS3f65mwEWfzbnSkmLQ/q1VDUnZO4 pGHkWP8Yk0u9iqIHFiIcxSgpq3dmzRZKhWQL3T9wKUfTaiwU44tqGvj5ro43eAZGPd91 PWgQ==
X-Gm-Message-State: ABy/qLYSrBahCa313Qw1C2h/cchN3vZKwo21WYZIGG9qQY9g6ePN2u0a PDBEVIM00/wnaEpyoN9s2kzToWe9FKbxUTrfFqKlvYE8MKUXng==
X-Google-Smtp-Source: APBJJlHdXyUuPOPyt+oVS6L7ETA78AkR+agy+YatUq1FVjCBzB/AkeC8WXWPvDQnD4Rq7+aMueF3gld/JLS0PWHsyyg=
X-Received: by 2002:a05:600c:220a:b0:3fa:7bf9:706c with SMTP id z10-20020a05600c220a00b003fa7bf9706cmr10306335wml.36.1689005156158; Mon, 10 Jul 2023 09:05:56 -0700 (PDT)
MIME-Version: 1.0
References: <168195124881.58577.7223695021506805865@ietfa.amsl.com>
In-Reply-To: <168195124881.58577.7223695021506805865@ietfa.amsl.com>
From: Shivan Kaul Sahib <shivankaulsahib@gmail.com>
Date: Mon, 10 Jul 2023 09:05:20 -0700
Message-ID: <CAG3f7MgqAgCZUsR7FC9FQNCu-ER2grDBxtCU-CCQ=3q1kq72xA@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: secdir@ietf.org, dnsop@ietf.org, draft-ietf-dnsop-domain-verification-techniques.all@ietf.org
Content-Type: multipart/alternative; boundary="0000000000005b5109060024285c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/GeKRtghFjs8sVfURgV2Rqa8eZ_4>
Subject: Re: [DNSOP] Secdir early review of draft-ietf-dnsop-domain-verification-techniques-01
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Jul 2023 16:06:09 -0000
Hi Ben, thanks again for your comments! We've uploaded a new version that takes them into account. On Wed, 19 Apr 2023 at 17:40, Benjamin Kaduk via Datatracker < noreply@ietf.org> wrote: > Reviewer: Benjamin Kaduk > Review result: Has Issues > > # SecDir review of draft-ietf-dnsop-domain-verification-techniques-01 > CC @kaduk > > ## Discuss > > ## Comments > > I'm a little nervous about allocating a new BCP number for a topic of > fairly > narrow scope such as this, but the guidance is good and worth publishing, > and > I have not better alternative to offer, so I will stifle any objection I > might > have raised. > > On the whole the content is reasonable, but read on for some suggestions on > how to tighten things up and some questions about why all the pieces are > needed. > > I also made a PR with some editorial suggestions, > > https://github.com/ietf-wg-dnsop/draft-ietf-dnsop-domain-verification-techniques/pull/51 > > ### Continuing Ownership > > While I see the example in Appendix A.1.4.1 about Atlassian, when we say in > the introduction that sometimes the DNS record must be kept in the zone to > prove continued ownership of the domain, that doesn't exactly seem to hold > true, or at least only provides a weak indication of continued ownership. > I > think that to really prove continued ownership the challenge would need to > be > rotated periodically; just putting one record in once and leaving it there > mostly only shows that you had control of the domain at the one point in > time > it was added and that there isn't anything cleaning up old records. A > wholesale migration of the domain to a different DNS server would clean up > old > records, but staffing changes within a large organization would not. > > ### Underscore for attrleaf > > In §3.1 we say "The provider constructs the validation domain name by > prepending a provider-relevant prefix followed by "-challenge" to the > domain > name being validated (e.g. "_foo-challenge.example.com")." which > implicitly > uses an underscore-prefixed atterleaf name component. Is the underscore > part > of the required or recommended behavior? > > ### Hashing the random token > > The recommendations in §3.1 requires computing the SHA-256 digest of the > Random Token before base64url encoding and use as RDATA, but provides no > justification for the SHA-256 step that I can see. If the intent is for > the > Random Token to be a non-public identifier for the challeng with only the > digest value being public, we should say that. Otherwise it's not clear > what > we gain over just using base64url(random-data) as the RDATA. > > ### TXT RDATA contents > > We say that the RDATA of the recommended TXT resource record construction > must > "contain" a certain token construction (rather than "consist of"). Does > the > format/structure of the RDATA also need to be one that unambiguously > identifies where the token is (or is a raw substring match sufficient)? > > I think we might provide clearer guidance if we laid out the recommended > comma-separated key-value format first and talked about the token= > contents, > and then only afterward mention that even if other formats are used, the > RDATA > MUST contain the token value (and whether it must be identifiable as such > via > some metadata). Or we could state up front what properties we want from > the > RDATA before going on to describe how we achieve those properties. But the > current formulation starts out with a MUST-level requirement without much > context and then tries to build the context around it, which tends to cause > confusion in the reader. > > Reading again, I think that the core of what is confusing me here is that > the > SHOULD-level guidance for using the comma-separated key-value pair format > is > buried as an aside in the mechanism for conveying the instructions for > removing a resource record. It seems like it's a more generic > recommendation > and should be framed as such. > > ### Instructions for TXT record removal > > We say > > > Providers MUST provide clear instructions on when a verifying record > > can be removed. The user SHOULD de-provision the resource record > > provisioned for a DNS-based domain verification challenge once the > > one-time challenge is complete. These instructions SHOULD be encoded > > in the RDATA via comma-separated ASCII key-value pairs [RFC1464] > > using the key expiry. If this is done, the token should have a key > > token. For example: > > I think that the "these instructions" refers to the "clear instructions" > provided by the provider. But the TXT record is something provisioned by > the > user, not the provider. If the instructions are to be encoded in the > RDATA, > does that require that the RDATA contents themselves are provided by the > provider to the user? I'd strongly recommend including some more > description > of the workflow that's envisioned if it includes the provider giving the > user > the entire RDATA contents to copy/paste in place (and also using those > RDATA > contents as a separate information channel to the user). > > Additionally, do we make any requirement/recommendation of the format used > for > the value corresponding to the "expiry" key? > > ### CNAME chaining > > In §3.2 we see the text "Another issue with CNAME records is that they must > not point to another CNAME" provided, with no reference. But CNAME chains > are > in heavy use on the internet in practice with no ill effect (case in > point: my > employer's CDN business), so I'd recommend removing the discussion of CNAME > chaining, or supplying a reference and discussion around them that is > closer > to the deployment reality. > > > ### Relationship to other work > > While I don't mind a focus on DNS-based domain-verification techniques in > this > document, it does seem like we might want to spend a little more time > placing > this work in the context of other schemes. For example, ACME has a number > of > challenge types, and one of them is essentially the DNS-based stuff > covered by > this document. Is what RFC 8555 specifies compliant with this document's > requirements and recommendations? Do we expect ACME to use our guidance > for > DNS-based verification and keep doing what they do for HTTP, TLS-SNI, etc. > verification? Or should they use a wholistic body of work for all > verification such that this document is out of scope for ACME? > > ### AVOID-FRAGMENTATION reference classification > > The actual text in Appendix A.1.1 that references [AVOID-FRAGMENTATION] > does > not contain any usage that would obviously promote it to a normative > reference. If there is intent to require implementors of this document to > read that one, some additional discussion of which parts are normative > requirements and why seems in order. > > ### Motivation for application-specific name prefix > > In Appendix A.1.1 we have some good text about an attack where a malicious > service can provide to the user the challenge from a different provider, > when > the TXT verification is on the actual domain name being verified (no > prefix/suffix). I would say this fits better in the main document > (security > considerations, probably) rather than the appendix with survey of current > usage. We currently say that the provider and service "should be obvious > from > the TXT content" in the security considerations but not much about how > things > go wrong if the provider and service are not obvious. (The existing prose > in > the appendix is perhaps a little unclear about how the attack actually > would > get pulled off in practice; it was clear to me based on my prior experience > but could be improved by, e.g., naming the parties involved (victim > service, > malicious service, user, DNS administrator).) > > ## Nits > > ### APEX Capitalization > > I don't remember seeing APEX used as a defined term in all-caps elsewhere. > What value do we think we're adding by writing it this way? > > ### Verifying Record > > We seem to implicitly introduce the term "verifying record" in §3.1; it > might > benefit from having an explicit definition. > > ### Self-referential Appendix > > Appendix A.1.1 contains the text "See Appendix A for a survey of different > implementations.", which is perhaps not a very useful reference. > > ### DNS name component ordering > > In Appendix A.1.1 we write "Some providers use a suffix of > _PROVIDER_NAME-challenge in the Name field of the TXT record challenge", > when > that value is a suffix in the wire format of the name but a prefix in the > presentation form of the name. This is especially confusing when the next > sentence goes on to include an example in presentation form, > _acme-challenge.<YOUR_DOMAIN>, where the _PROVIDER_NAME-challenge is a > prefix. > Maybe talking about "leaf" rather than prefix or suffix would be most > clear. > > > >
- [DNSOP] Secdir early review of draft-ietf-dnsop-d… Benjamin Kaduk via Datatracker
- Re: [DNSOP] Secdir early review of draft-ietf-dns… Paul Wouters
- Re: [DNSOP] Secdir early review of draft-ietf-dns… Benjamin Kaduk
- Re: [DNSOP] Secdir early review of draft-ietf-dns… Shumon Huque
- Re: [DNSOP] Secdir early review of draft-ietf-dns… Shivan Kaul Sahib