IETF Logo Mail Archive

Re: [DNSOP] New Version Notification for draft-rebs-dnsop-svcb-dane-00.txt

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 10 December 2021 17:57 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45E863A0A39 for <dnsop@ietfa.amsl.com>; Fri, 10 Dec 2021 09:57:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b7hh_N7rzXTc for <dnsop@ietfa.amsl.com>; Fri, 10 Dec 2021 09:57:48 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87DA03A0A31 for <dnsop@ietf.org>; Fri, 10 Dec 2021 09:57:48 -0800 (PST)
Received: from smtpclient.apple (unknown [192.168.1.149]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by straasha.imrryr.org (Postfix) with ESMTPSA id DC33DF370C for <dnsop@ietf.org>; Fri, 10 Dec 2021 12:57:46 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <CAHbrMsCbN8+2UCQLCYKvp5RZ_v+srMha5xU25A9Q9F=ASna9xA@mail.gmail.com>
Date: Fri, 10 Dec 2021 12:57:46 -0500
Content-Transfer-Encoding: quoted-printable
Reply-To: dnsop <dnsop@ietf.org>
Message-Id: <F9919030-4B37-42DE-BE7B-73BAAFDC5433@dukhovni.org>
References: <163908832760.8339.4135304026578566025@ietfa.amsl.com> <CAHbrMsCbN8+2UCQLCYKvp5RZ_v+srMha5xU25A9Q9F=ASna9xA@mail.gmail.com>
To: dnsop <dnsop@ietf.org>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/iQa3zgduUdNiI90Ffm6EnMndr3g>
Subject: Re: [DNSOP] New Version Notification for draft-rebs-dnsop-svcb-dane-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Dec 2021 17:57:53 -0000

> On 9 Dec 2021, at 5:32 pm, Ben Schwartz <bemasc@google.com> wrote:
> 
> This is a very small draft explaining how to do DANE with SVCB, mostly following the pattern of DANE-SRV.  It also updates DANE for use with QUIC.
> 
> Please review.

Initial observations:

1.  While DANE certificate validation as described in RFCs 7671,7672 and 7673
    is fine in SMTP, IMAP, XMPP, ... for HTTP (and perhaps some other applications)
    skipping validation of the target name with DANE-EE(3) records introduces a "UKS"
    (i.e. "Unknown Key Share") issue, that would definitely be a concern for "h3".

    https://datatracker.ietf.org/doc/html/draft-barnes-dane-uks-00

    Thus, unless "UKS" is known to not be a concern, applications should also
    validate the target name against the server certificate even with DANE-EE(3).

2.  In 7671 CNAME chasing for the target zone is more detailed than in this draft.

	* Either every record in a chain of CNAMEs leading to an unaliased target
          is "secure" (DNSSEC-signed and validated), and there's an associated
          TLSA record for the end of the chain.  In which case that's used.

        * Or else, the TLSA record lookup is performed at the initial unaliased
          target.

    There are no "middle of chain" TLSA lookups, or TLSA lookups at the end of a
    chain that is not end-to-end secure.

3.  Are the targets of SVCB/HTTPS records allowed to be CNAME aliases?  Experience
    since 7672 was written shows that TLSA records at CNAME-expanded targets are
    rare, and supporting these correctly is complex.  Also the original target
    owners can, if they wish explicitly redirect their TLSA records to point at
    the TLSA records expected at the expanded name.

    So perhaps adding CNAME-expansion into 7672/7671 was a mistake.  There's
    an opportunity here to not repeat it if that's the case.  Mind you aliased
    MX exchange names are a violation of RFC5321 (one that's tolerated by many
    MTAs, some obliviously, because they just look up IP addresses without taking
    steps to exclude possible CNAME expansion along the way).

4.  If there are opportunistic applications in scope for this draft, they may
    want to follow the advice of 7672 to only check for TLSA records if the
    target zone is determined to be signed after first performing the IP (v4/v6)
    address lookup.  Here a related CNAME detail comes into scope, the target
    zone may be signed, but the CNAME expanded zone with the IPs might not.

    Therefore, if HTTPS/SVCB targets are allowed to be aliased, the client
    would have to issue an explicit "CNAME query" in the address lookup
    comes back as an "insecure" answer via CNAME/DNAME expansion.  This
    assumes that the client is delegating DNSSEC-validation to a local recursive
    resolver and trusting its "AD" bit.  If the client is doing its own DNSSEC
    validation, its DNS library will know whether the origin of the CNAME chain
    is secure or not, and this information may be available to the client without
    a follow-up explicit type "CNAME" lookup (to suppress CNAME expansion).

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email