Re: [keyassure] Objective: Restrictive versus Supplementary Models

Martin Rex <> Thu, 31 March 2011 00:24 UTC

From: Martin Rex <>
To: (Eric Rescorla)
Date: Thu, 31 Mar 2011 02:26:21 +0200 (MEST)
In-Reply-To: <> from "Eric Rescorla" at Mar 30, 11 10:17:47 pm
List-Id: Key Assurance With DNSSEC <>

Eric Rescorla wrote:
> Jay Daley <> wrote:
> >
> > Richard L. Barnes wrote:
> > >
> > > Yes, but as ekr pointed out, injecting fake DANE RRs can only
> > > cause the connection to fail, it won't result in the client
> > > connecting to a bogus server.   That's why it's RECOMMENDED
> > > instead of REQUIRED.
> >
> > That's still potentially a devastating DOS attack if done well and
> > against an important target.  Worthy of a REQUIRED for that alone.
> >
> > There is also the layer 9 interpretation issue here - if we say that
> > DANE in its entirety requires DNSSEC then that message can be shouted
> > loud and clear, reinforced and hopefully entrenched.  If we say that
> > only some parts need it then people, for entirely fallible reasons,
> > get confused, doubt DANE, can use this to attack DANE and so on.
> I think this is an important consideration. However a relevant
> question for a 2119-level MUST seems to be whether we wish to have
> this data rejected if not DNSSEC signed.
> What's your view on that?

I'm much less worried about false positives resulting in DoS, which
can be more easily achieved by attacking at the network layer (IP, TCP).

What worries me is the false negatives resulting from a
"successful verification" of an unsigned DANE RR.

The prerequisite for a "successful DANE validation" is that the
DANE TLSA record has been DNSSEC validated.  And my concern is that
some GUIs might get that wrong unless the spec is crystal clear
what constitutes a successful DANE validation (DNSSEC required)
and what not.

I'm OK with interpreting even an unsigned TLSA validation failure
as "something is goofy here, abort the connection", but that causes
the DANE validation result to have three states "good/not-obviously-bad/bad"
rather than a boolean "good/bad", and a three-state result may get mapped
incorrectly to binary UI indicators (icon present/absent).
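As an added illustration of the three-state outcome discussed above (example code, not from this message or from any DANE implementation): the `TlsaLookup` fields, the `DaneResult` names and the sample cases are assumptions, and the two icon-mapping functions contrast the binary collapse that lights the indicator for unsigned data with the mapping that requires a DNSSEC-validated match.

```python
from dataclasses import dataclass
from enum import Enum


class DaneResult(Enum):
    GOOD = "good"                            # DNSSEC-validated TLSA matches the cert
    NOT_OBVIOUSLY_BAD = "not-obviously-bad"  # no validated TLSA to rely on; PKIX alone decides
    BAD = "bad"                              # TLSA data is present but contradicts the cert


@dataclass
class TlsaLookup:
    """Constructed summary of a TLSA lookup plus cert comparison (hypothetical type)."""
    records_present: bool    # resolver returned TLSA RRs for the name/port
    dnssec_validated: bool   # RRset was DNSSEC-validated by a trusted validator
    cert_matches_tlsa: bool  # some TLSA association matches the presented cert


def dane_result(lookup: TlsaLookup) -> DaneResult:
    """Three-state outcome; DNSSEC validation is the prerequisite for GOOD."""
    if not lookup.records_present:
        return DaneResult.NOT_OBVIOUSLY_BAD
    if not lookup.cert_matches_tlsa:
        # Mismatch, signed or not: "something is goofy here, abort the connection".
        return DaneResult.BAD
    if lookup.dnssec_validated:
        return DaneResult.GOOD
    # An unsigned TLSA that happens to match could have been injected: not a DANE success.
    return DaneResult.NOT_OBVIOUSLY_BAD


def naive_secure_icon(result: DaneResult) -> bool:
    """Pitfall: mapping 'not bad' to the secure icon lights it up for unsigned data."""
    return result is not DaneResult.BAD


def correct_secure_icon(result: DaneResult) -> bool:
    """Only a DNSSEC-validated match earns the DANE-secured indicator."""
    return result is DaneResult.GOOD


# Constructed cases: signed match, unsigned-but-matching TLSA, signed mismatch.
CASES = {"signed match": TlsaLookup(True, True, True),
         "unsigned match": TlsaLookup(True, False, True),
         "signed mismatch": TlsaLookup(True, True, False)}

if __name__ == "__main__":
    for name, case in CASES.items():
        r = dane_result(case)
        print(f"{name:16} {r.value:18} naive={naive_secure_icon(r)} correct={correct_secure_icon(r)}")
```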