Re: (short version) Re: Last Call: <draft-faltstrom-uri-10.txt> (The Uniform Resource Identifier (URI) DNS Resource Record) to Proposed Standard

Phillip Hallam-Baker <> Sun, 01 March 2015 15:21 UTC

From: Phillip Hallam-Baker <>
To: Mark Andrews <>

On Sat, Feb 28, 2015 at 5:27 PM, Mark Andrews <> wrote:

> And that is coming "_25._tlsa" and it uses DNSSEC to prevent the
> downgrade.  Whether your MTA uses STARTTLS or not is another matter
> but we can prevent downgrade attacks from succeeding.

No, it is not coming. The only way that can happen and be considered a
secure proposal is to charter a new working group in the security area to
work on a new security policy record to address the problem.

This is an important and difficult problem and one that the DANE working
group declared to be OUT OF SCOPE.

Every time I tried to raise the issues I was told they were OUT OF SCOPE.

As a result, TLSA is a dog's breakfast. It is a combination of the key
publication mechanism the WG was chartered for and a security policy
mechanism that wasn't really chartered but was done anyway, but only in a
half-baked fashion.

This was my main concern with the DANE approach from the start. They would
refuse to consider the general problem. Deliver a product that creates more
problems than it solves when trying to solve the larger one and then insist
that we use it because it is 'a standard'.

Well, DANE has practically no deployment or traction so I don't see it as a
fact on the ground that has to be worked on. This is a hard problem and it
is a problem that is easier to address from a clean sheet of paper than one
with a legacy support issue.

The way to address security policy for SRV type records is as follows:

1) Free the client end from the performance and data size issues imposed by
the legacy DNS client-resolver protocol.

DPRIV is a really good opportunity to tweak the protocol so we don't have
to worry about the client having to ask for multiple DNS RRs or that the
results might not fit into 500 bytes or an Ethernet MTU.

2) Define a new security policy record that is designed to work with SRV
from the start and covers all the security policy concerns.

In particular make it possible to explicitly specify criteria such as 'use
TLS transport' or 'XYZ authentication is required'.

The first change is the more important one and the fix is quite easy.
Traditionally UDP DNS queries are one request packet and one response
packet. This ensures that the services are idempotent and the resolver does
not need to maintain TCP/IP connection state.

If we change the protocol so that a DNS request must still be a single
packet but a response can have multiple response packets we preserve the
connectionless, idempotent property while freeing ourselves from much of
the impact of the MTU size constraint.
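An added example, not part of this email or the thread, that makes the "500 bytes or an Ethernet MTU" constraint concrete: it assembles a DNSSEC-signed TLSA answer in DNS wire format for an assumed DANE-for-SMTP owner name `_25._tcp.mail.example.com` (RFC 6698 naming, with constructed placeholder digests and zero-filled signatures since only sizes matter) and reports whether the response fits the classic 512-byte UDP limit or a single Ethernet frame.

```python
import struct

# Size ceilings the email argues against (added example; constants are RFC-derived).
CLASSIC_UDP_MAX = 512        # RFC 1035 UDP payload limit without EDNS0
ETHERNET_UDP_PAYLOAD = 1472  # 1500-byte MTU minus 20-byte IPv4 and 8-byte UDP headers
TYPE_RRSIG, TYPE_TLSA, TYPE_OPT, CLASS_IN = 46, 52, 41, 1

def encode_name(name):
    """Wire-format domain name: length-prefixed labels ending in the root byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def tlsa_rdata(usage, selector, mtype, cert_assoc_data):
    """TLSA RDATA per RFC 6698: usage, selector, matching type, then the digest/cert."""
    return struct.pack("!BBB", usage, selector, mtype) + cert_assoc_data

def rrsig_rdata(type_covered, algorithm, labels, orig_ttl, signer, signature):
    """RRSIG RDATA per RFC 4034; timestamps and key tag zeroed, only the size matters."""
    fixed = struct.pack("!HBBIIIH", type_covered, algorithm, labels, orig_ttl, 0, 0, 0)
    return fixed + encode_name(signer) + signature  # signer name is never compressed

def build_signed_response(owner, n_tlsa, sig_len, signer, algorithm=8, hash_len=32, edns=True):
    """Assemble a DNS answer: one question, n TLSA RRs, one RRSIG, optional OPT RR."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, n_tlsa + 1, 0, 1 if edns else 0)
    msg += encode_name(owner) + struct.pack("!HH", TYPE_TLSA, CLASS_IN)
    owner_ptr = struct.pack("!H", 0xC000 | 12)  # compression pointer to the question name
    # Constructed placeholder RDATA: DANE-EE(3) / SPKI(1) / SHA-256(1) with a dummy digest.
    tlsa = tlsa_rdata(3, 1, 1, b"\x11" * hash_len)
    for _ in range(n_tlsa):
        msg += owner_ptr + struct.pack("!HHIH", TYPE_TLSA, CLASS_IN, 3600, len(tlsa)) + tlsa
    n_labels = len(owner.rstrip(".").split("."))
    sig = rrsig_rdata(TYPE_TLSA, algorithm, n_labels, 3600, signer, b"\x00" * sig_len)
    msg += owner_ptr + struct.pack("!HHIH", TYPE_RRSIG, CLASS_IN, 3600, len(sig)) + sig
    if edns:  # OPT RR: root owner name, the class field carries the advertised UDP size
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return msg

def fits(owner, n_tlsa, sig_len, signer="example.com", **kw):
    """Return (wire size, fits classic 512-byte UDP, fits one Ethernet frame)."""
    size = len(build_signed_response(owner, n_tlsa, sig_len, signer, **kw))
    return size, size <= CLASSIC_UDP_MAX, size <= ETHERNET_UDP_PAYLOAD

if __name__ == "__main__":
    name = "_25._tcp.mail.example.com"  # assumed owner name, RFC 6698 form for SMTP
    for n, siglen, alg in [(2, 256, 8), (4, 256, 8), (4, 64, 13)]:  # RSA-2048 vs ECDSA P-256
        print(n, "TLSA, sig", siglen, "bytes ->", fits(name, n, siglen, algorithm=alg))
```

Four SHA-256 TLSA records under one RSA-2048 RRSIG already exceed 512 bytes, so a resolver without EDNS0 sees a truncated reply and must retry over TCP; the same set with an ECDSA P-256 signature fits comfortably.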