Re: [dnsext] resolving IESG comments on draft-ietf-dnsext-dnssec-bis-updates

Paul Hoffman <paul.hoffman@vpnc.org> Wed, 11 July 2012 14:41 UTC

In-Reply-To: <A74BA8CA-B833-4A43-ACBC-771EBE5D6DFF@frobbit.se>
Message-Id: <5B8B6E62-3903-4B26-821C-DFA55FA6D4F3@vpnc.org>
References: <alpine.BSF.2.00.1207100827380.30040@fledge.watson.org> <D3D58A5F-D4DF-4ECA-AE2E-09008E7FAD52@vpnc.org> <A74BA8CA-B833-4A43-ACBC-771EBE5D6DFF@frobbit.se>
To: Patrik Fältström <patrik@frobbit.se>
Cc: Samuel Weiler <weiler@watson.org>, dnsext@ietf.org

On Jul 11, 2012, at 12:06 AM, Patrik Fältström wrote:

> 
> On 10 jul 2012, at 16:50, Paul Hoffman wrote:
> 
>> The amount of differing opinions about the four states *even among DNSSEC-knowledgeable people* in that thread and others was significant.
> 
> The big difference is between people who do think it is a good thing that people in the X.509 world can themselves "click" on "continue anyways" on a validation failure.

That is *not* where the differences of opinion about DNSSEC were. The differences were about what specific events constitute bogus versus indeterminate or insecure. There were good reasons for the WG to differentiate between bogus and indeterminate/insecure, but the DNSSEC documents had places of unclarity, including two different definitions of "bogus".

> I personally think it is a *feature* that with DNSSEC a validator by default does not return anything if validation fails for some reason, and the end user cannot do anything at all about it (apart from running their own resolver, etc.).
> 
> But I do understand other people do have other views.

Exactly. The "other views" from different people whom the community thinks understand DNSSEC made it hard for us to know what to put in our document. Thus, the request for clarity in *this* document.

> Because of this, for me, a no-response in DANE is the same as failed validation, and such a failure that the end user/application should not continue. At all. No "continue anyway" etc.

This view ignores the fact that PKIX has its own protections to which DANE is adding value. It is fine if this WG wants to say in dnssec-bis-updates that other protocols that want to add value with DNSSEC should fail to less than the protocol if DNSSEC does not return "secure", and it is fine if this WG wants to say that "we aren't going to specify what other protocols will do", but the current DNSSEC documents do neither.

> Giving the ability "to continue" opens the door for denial of service attacks as a way to circumvent DANE security.
> 
> So to me there are three states only.
> 
> - No DANE in use
> - DANE in use, validation succeeds
> - All other cases

If you want to change DANE, please do so in the DANE WG. The thread here is about making the DNSSEC document clearer for other WGs who will want to use DNSSEC. If the DNSSEC spec had been clearer on what bogus means and what the expectation of the IETF is for why there is a difference between insecure and indeterminate, the DANE WG discussion would have gone *much* better.

--Paul Hoffman

_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext