Re: [Driu] [DNSOP] [Doh] Resolverless DNS Side Meeting in Montreal
Ryan Sleevi <ryan-ietf@sleevi.com> Tue, 10 July 2018 17:51 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/driu/rpx-qB82uu6idHI2rrV5jPtgcZ8>
On Tue, Jul 10, 2018 at 1:05 PM, Adam Roach <adam@nostrum.com> wrote:

> On 7/10/18 11:41 AM, Ted Lemon wrote:
>
>> On Tue, Jul 10, 2018 at 12:34 PM, Joe Abley <jabley@hopcount.ca> wrote:
>>
>>>> But this is really equivalent in just about every important way to
>>>> sending the normal <img src="https://example.com/img/f.jpg"> along with
>>>> a pushed DNS record that indicates that "example.com" resolves to
>>>> "192.0.2.1" -- and this latter thing is (to my understanding, at least) in
>>>> scope of the conversation that Patrick is proposing to have.
>>>
>>> My question is why you would involve the DNS at all if all the
>>> performance-based resolution decisions can be made without it. You're
>>> just adding cost and complexity without benefit
>>
>> The ip= modifier would be a great way to arrange for something to look
>> like it came from a different source than its actual source. I'm sure
>> there's an attack surface in there somewhere.
>
> Keeping in mind that the certificate provided by whatever machine you
> reached would necessarily have to match the URL's origin, this is very much
> one of the questions that is being asked: is there?
>
> /a

Yes.

Consider Site A (foo.example) and Site B (bar.example). Both point themselves to CDN 1, which then obtains a certificate for both their names in subjectAltNames. Site B then decides that CDN 1 is an unreliable partner, and goes to CDN 2, updating DNS appropriately.

This is the same problem in considering the HTTP/2 coalescing without doing DNS resolution (either because of poor security posture or by combining ORIGIN + Secondary Certificates). RFC 8336 briefly touches on this (https://tools.ietf.org/html/rfc8336#section-4) but doesn't really explore the policy implications of the proposed or recommended mitigations.

If you start with no mitigations, the net effect of both an ip= or a DNS-ignoring ORIGIN frame is to effectively treat the certificate as an 825-day DNS TTL.
By framing the problem as "What's the worst that could happen if DNS entries had their TTLs ignored and were cached for 825 days", that might help explore things further. The suggestion of OCSP reduces that TTL to 7 days (effectively; due to Microsoft's contractual requirements on publicly trusted CAs), but that's still substantially longer. That's why involving DNS is at least relevant to that discussion, especially given that publicly trusted certificates are themselves predicated on DNS. Further, considering that the CA only has to validate a DNS once per 825-day period, and can issue unlimited 825-day certificates during that period, then the effective extension of relying solely on certificates is 1650 days minus a second.
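The CDN-move scenario and the "certificate as DNS TTL" arithmetic above, as an added worked model that is not part of the mail or of any IETF project. The 825-day and 7-day figures are the ones the mail gives; the site names, CDN addresses, dates and the two client policies (a certificate-only coalescing check and a variant that also consults DNS, in the spirit of the mitigations the mail says RFC 8336 mentions) are constructed for illustration.

```python
"""Toy model of 'treat the certificate as an 825-day DNS TTL'.

Constructed example; the 825-day and 7-day values are quoted from the mail,
everything else (names, addresses, dates, policies) is made up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DAY = timedelta(days=1)
MAX_CERT_LIFETIME = 825 * DAY      # certificate lifetime quoted in the mail
MAX_VALIDATION_REUSE = 825 * DAY   # how long one DNS validation may be reused (per the mail)
OCSP_FRESHNESS = 7 * DAY           # the mail's figure for an OCSP-bounded "TTL"

T0 = datetime(2018, 7, 10, tzinfo=timezone.utc)   # constructed timeline origin
CDN1, CDN2 = "192.0.2.1", "198.51.100.1"          # constructed documentation addresses


@dataclass(frozen=True)
class Certificate:
    sans: frozenset          # subjectAltName dNSNames
    not_before: datetime
    not_after: datetime

    def valid_at(self, now):
        return self.not_before <= now < self.not_after


class Resolver:
    """Tiny time-aware DNS stand-in: host -> [(effective_from, ip), ...]."""

    def __init__(self, history):
        self.history = {host: sorted(changes) for host, changes in history.items()}

    def resolve(self, host, now):
        ip = None
        for effective_from, addr in self.history.get(host, []):
            if effective_from <= now:
                ip = addr      # latest change that is already in effect wins
        return ip


def cert_only_accepts(cert, host, now):
    """Policy A: reuse an existing connection for `host` whenever the peer's
    certificate covers the name (an ip= hint or a DNS-ignoring ORIGIN frame)."""
    return host in cert.sans and cert.valid_at(now)


def dns_aware_accepts(cert, host, conn_ip, now, resolver):
    """Policy B: additionally require that DNS still points `host` at the peer
    we are actually connected to."""
    return cert_only_accepts(cert, host, now) and resolver.resolve(host, now) == conn_ip


def effective_ttl(cert, with_ocsp=False):
    """How long a cert-only client keeps 'resolving' a SAN to the same peer."""
    lifetime = cert.not_after - cert.not_before
    return min(lifetime, OCSP_FRESHNESS) if with_ocsp else lifetime


def worst_case_reliance(validation_time=T0):
    """Validate DNS at t, then issue a max-lifetime certificate one second before
    that validation may no longer be reused: reliance on the original DNS
    lookup ends 1650 days minus one second after t."""
    last_issue = validation_time + MAX_VALIDATION_REUSE - timedelta(seconds=1)
    return (last_issue + MAX_CERT_LIFETIME) - validation_time


def simulate_cdn_move():
    """foo.example and bar.example both start on CDN1, which holds one
    certificate for both names; bar.example moves to CDN2 on day 100.
    Returns what each policy decides for bar.example on day 101 while the
    client still holds an open connection to CDN1."""
    cert = Certificate(frozenset({"foo.example", "bar.example"}), T0, T0 + MAX_CERT_LIFETIME)
    resolver = Resolver({
        "foo.example": [(T0, CDN1)],
        "bar.example": [(T0, CDN1), (T0 + 100 * DAY, CDN2)],
    })
    now = T0 + 101 * DAY
    return {
        "cert_only": cert_only_accepts(cert, "bar.example", now),          # still sent to CDN1
        "dns_aware": dns_aware_accepts(cert, "bar.example", CDN1, now, resolver),
        "ttl_days": effective_ttl(cert).days,
        "ttl_days_ocsp": effective_ttl(cert, with_ocsp=True).days,
    }


if __name__ == "__main__":
    print(simulate_cdn_move())
    print(worst_case_reliance())
```

The certificate-only policy keeps routing bar.example to CDN1 for the rest of the certificate's life even though bar.example's operator changed DNS on day 100; the DNS-aware policy notices the mismatch on the next check. Swapping `MAX_CERT_LIFETIME` or `OCSP_FRESHNESS` shows how the effective "TTL" and the worst-case reliance window move with the CA policy parameters.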