Re: [DNSOP] New Version Notification for draft-rebs-dnsop-svcb-dane-00.txt
Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 07 January 2022 07:00 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C45523A15BD for <dnsop@ietfa.amsl.com>; Thu, 6 Jan 2022 23:00:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wc7FnnXDsyCr for <dnsop@ietfa.amsl.com>; Thu, 6 Jan 2022 23:00:25 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A67683A15B9 for <dnsop@ietf.org>; Thu, 6 Jan 2022 23:00:25 -0800 (PST)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id C4874E2B2A; Fri, 7 Jan 2022 02:00:23 -0500 (EST)
Date: Fri, 07 Jan 2022 02:00:23 -0500
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dnsop <dnsop@ietf.org>
Message-ID: <YdflB6Bw36k6ZHE9@straasha.imrryr.org>
Reply-To: dnsop@ietf.org
References: <163908832760.8339.4135304026578566025@ietfa.amsl.com> <CAHbrMsCbN8+2UCQLCYKvp5RZ_v+srMha5xU25A9Q9F=ASna9xA@mail.gmail.com> <F9919030-4B37-42DE-BE7B-73BAAFDC5433@dukhovni.org> <CAHbrMsDT5-u6n1tJnSjd9X1vMyyp5HcNrvL4NB3Quzi_p5nWfQ@mail.gmail.com> <YbeZyhZXAuLT250e@straasha.imrryr.org> <CAHbrMsATmtSapSWL4Ocr3F50x2xaLSmsi_XyAHHPRTUzrtnrVg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAHbrMsATmtSapSWL4Ocr3F50x2xaLSmsi_XyAHHPRTUzrtnrVg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/lZeSLRXIFJlVzbZzj4Uh96XpFKE>
Subject: Re: [DNSOP] New Version Notification for draft-rebs-dnsop-svcb-dane-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jan 2022 07:00:31 -0000
On Wed, Dec 22, 2021 at 03:52:22PM -0500, Ben Schwartz wrote: [ Sorry about the delayed response, on the road since Dec 24th... ] > I don't want this draft to become an omnibus update to RFC 7671. My goal > is to produce a short draft that is basically parallel to RFC 7673. > > If you want to pursue a broader revamp of DANE, I think that could be > valuable, but I don't think it needs to be connected to this. Understood, but at least now you're aware of the outstanding "loose ends". To the extent that they're relevant to your draft, it may be appropriate to make any necessary adjustments. > > So this is different from the situation with MX (and IIRC SRV) records, > > so perhaps CNAMEs will be much more common in this context? > > I think it's too early to predict the popular deployment strategies here. > Also, SVCB + TLSA is "green field" territory, so it's up to us what we want > to allow. OK, so do you think that following CNAMEs to find TLSA RRs at the expanded target name is a good idea in this context? If not, I think it would be reasonable to diverge from 7671 on this detail. > > It is very much *NOT* an optimisation. Rather it is an essential > > element of robustness of the protocol in the face of the reality > > of the DNS ecosystem: > > > > - For DANE to be useful it must not be trivially subject to > > downgrade by not responding to TLSA records, returning REFUSED, > > NOTIMP, SERFVAIL or bogus replies. > > > > - However, many unsigned zones are served by functionally limited > > to mostly-broken load-balancers that just know how to return > > A/AAAA records and not much else. > > > > - When you send a TLSA query to such a nameserver, you often end > > up with a lookup failure, rather than a valid "insecure" denial > > of existence (proof of an insecure delegation at some parent > > node + insecure NODATA or NXDOMAIN). > > > > - For DANE to avoid downgrades, TLSA query SERVFAIL needs to lead > > to connection failure. > > > > This is why the "optimisation" in question is in fact an essential > > element of 7671. > > > > If it's an essential element of 7671, maybe it should be mentioned in 7671! If this is only discussed in 7672, mea culpa... > I think this is an interesting workaround, but I'm not sure it will be > necessary here. SVCB is to a large extent a "green field" territory, which > may exclude a lot of buggy legacy systems. Also, SVCB specifically renders > this kind of misbehavior into a hard-fail condition already [1], and > large-scale experiments have confirmed that this does not result in a > significant error rate. > > [1] > https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-08#section-3.1 The largest known (to me) cluster of poor beviour with TLSA lookups is *.mail.protection.outlook.com, where TLSA queries return NOTIMP. Perhaps no similar issue is present in the targets of interest here. Things are indeed simpler if the workaround is not needed. > > No, I am talking about a situation where AD=0 despite the fact that the > > original name is in a signed zone, because the target of the CNAME > > lookup is not in a signed zone: > > > > ; signed zone > > www.secure.example. IN CNAME www.insecure.example. > > www.secure.example. IN RRSIG CNAME 13 3 ... > > _443._tcp.www.secure.example. IN TLSA 2 1 1 ... > > _443._tcp.www.secure.example. IN RRSIG TLSA 13 5 ... > > > > ; unsigned zone > > www.insecure.example. IN A 192.0.2.1 > > > > An "A" record query for "www.secure.example" via recursive resolver will > > return an insecure answer" with AD=0: > > > > www.secure.example. IN CNAME www.insecure.example. > > www.insecure.example. IN A 192.0.2.1 > > > > but there are in fact signed TLSA records for the qname. > > Yes, so the client issues a query for TLSA at > _443._tcp.www.secure.example. This seems like the standard RFC 7671 CNAME > handling. There is no need for the client to issue a query with > QTYPE="CNAME". Once the work-around is not needed, then indeed the "QTYPE=CNAME" query is also not needed to determine whether the unexpanded zone is signed. If the workaround is needed, then the CNAME query comes into play. -- Viktor.
- [DNSOP] Fwd: New Version Notification for draft-r… Ben Schwartz
- Re: [DNSOP] New Version Notification for draft-re… Viktor Dukhovni
- Re: [DNSOP] New Version Notification for draft-re… Philip Homburg
- Re: [DNSOP] New Version Notification for draft-re… Viktor Dukhovni
- Re: [DNSOP] New Version Notification for draft-re… Philip Homburg
- Re: [DNSOP] New Version Notification for draft-re… Viktor Dukhovni
- Re: [DNSOP] New Version Notification for draft-re… Ben Schwartz
- Re: [DNSOP] New Version Notification for draft-re… Viktor Dukhovni
- Re: [DNSOP] [Ext] New Version Notification for dr… Paul Hoffman
- Re: [DNSOP] [Ext] New Version Notification for dr… Paul Wouters
- Re: [DNSOP] New Version Notification for draft-re… Ben Schwartz
- Re: [DNSOP] New Version Notification for draft-re… Viktor Dukhovni