IETF Logo Mail Archive

Re: [TLS] WGLC: draft-ietf-tls-dnssec-chain-extension-04

Shumon Huque <shuque@gmail.com> Fri, 07 July 2017 15:50 UTC

Return-Path: <shuque@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFB1813154C for <tls@ietfa.amsl.com>; Fri, 7 Jul 2017 08:50:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KN7xlTmzcKa5 for <tls@ietfa.amsl.com>; Fri, 7 Jul 2017 08:50:05 -0700 (PDT)
Received: from mail-ua0-x236.google.com (mail-ua0-x236.google.com [IPv6:2607:f8b0:400c:c08::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82A61127599 for <tls@ietf.org>; Fri, 7 Jul 2017 08:50:05 -0700 (PDT)
Received: by mail-ua0-x236.google.com with SMTP id z22so22571957uah.1 for <tls@ietf.org>; Fri, 07 Jul 2017 08:50:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=nNhK5c7Eum9oV6bTcls7F3/v11uKLDlc6+d9+zUOFW0=; b=LMZ1QSMbODUhQjMQCF/r6zVJ8Pwmy9WUFw7ZHh0nfn3whmPE77+EzlY05Cz4MleL7K /PUQjrUhVUg0cp6VfNyGCTDSNQN+32M1fP5PH1oW70vG5rqKeLZBwNeDuPeBjldjxZDo axAqz/mSQ3yesJLQWpIwTLiV5PO0Zu4iM75nHhzN0jsdzx3g3RhDmwyUly/wljeq80rN 15kdHEKIosRuvD7S//cUoGJe/CspVJyh4BvyWl9THXFxjDBZsIubXenXQqm0XTbbhyw1 P0Ax5Uuk09ynjThkyGYjULZ6FfAXVuChY72V/izw5M9lwfwzBlwpsOWvCMR7RVhx6vaA kCNA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=nNhK5c7Eum9oV6bTcls7F3/v11uKLDlc6+d9+zUOFW0=; b=J0ZSkpIz/oUVhgtDeWTJu+cJXE8/vgwMUxTfl2iLQx4Za6eiixmcwS5uQ+2BfQoVr0 Kc+M/g9cf3d9Fb9IogQ1CTo8vHw8W5ecNyMxrXFrjzYWKq75deEllZxT9uPgSkzKVwKM Vu8gTs7I/99pW2YGBXEh0mXkoWguI3xGps/CdLtA9zgSfkugOXumFZxnTTZ0IcpUrDwL Flh+eewE3ObxoBnbBBuAFg2jMFa6f/qfDUH9iIW6DKlWTP519bEFj7YXGvpS3msXdHSn 2oWmF+T31AI0OkgxQULP4HozUhWabvIUrvVNKd4bQZdd4Xu+G82MpBpokbj/xa03MzoD kQgA==
X-Gm-Message-State: AIVw111+vxxb1G8AyNVKeT9rrxMlE75UF/rGuXORVI/vWdVtcT01fiAc VSKo/pER1/DDT+FaKqlfczGWGdFmoQ==
X-Received: by 10.176.93.2 with SMTP id u2mr1095944uaf.109.1499442604686; Fri, 07 Jul 2017 08:50:04 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.176.79.231 with HTTP; Fri, 7 Jul 2017 08:50:03 -0700 (PDT)
In-Reply-To: <A17C4AB2-FCBB-443D-AD66-BCA228C0D546@rfc1035.com>
References: <765945B5-B686-45EB-84AE-38731C3006D6@rfc1035.com> <20170705171211.GM5673@mournblade.imrryr.org> <1F943876-91FC-4529-9B44-9F187EDA48B5@rfc1035.com> <CAHPuVdVbLw+vw4pzHNeBJK_gnqWntEfCgqo-DPQcdcmwXRV00A@mail.gmail.com> <A17C4AB2-FCBB-443D-AD66-BCA228C0D546@rfc1035.com>
From: Shumon Huque <shuque@gmail.com>
Date: Fri, 07 Jul 2017 11:50:03 -0400
Message-ID: <CAHPuVdV1HSQu5CVYbBXXv+MgfM8inunH3KPN9ep=qv+c1hDzAw@mail.gmail.com>
To: Jim Reid <jim@rfc1035.com>
Cc: TLS WG <tls@ietf.org>
Content-Type: multipart/alternative; boundary="f40304362188d042530553bc2f11"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/60vX1arN3aLXwjaPePgYbnOEaKo>
Subject: Re: [TLS] WGLC: draft-ietf-tls-dnssec-chain-extension-04
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jul 2017 15:50:08 -0000

On Fri, Jul 7, 2017 at 11:34 AM, Jim Reid <jim@rfc1035.com> wrote:

>
> > On 7 Jul 2017, at 16:06, Shumon Huque <shuque@gmail.com> wrote:
> >
> > IMO, the real gain from having the client cache data, is that the server
> could then potentially send a much smaller DNSSEC chain. But this requires
> the client to signal what they've cached, and makes the protocol more
> complex. I would prefer to leave that to a future revision of the spec,
> after we've gained some operational experience with the current one.
>
> Shumon, I think the biggest gain would be fewer RRSIGs for the client to
> validate. Having the server send a smaller DNSSEC chain (and perhaps add
> something to the protocol for a client to signal that) probably won’t have
> the right cost/benefit optics. YMMV. It would be a Good Thing if a TLS
> client didn’t need to revalidate everything in the chain for tlsa.foo.com
> after closing and reopening a TLS session to that end-point or it could
> start at the previously validated delegation for .com when the TLS server
> returned the full chain for tlsa.bar.com.
>
> As you hint at, it would be good to get more data and operational
> expertise.
>

Okay, absent any strenuous objections, I propose that we mention that the
client may cache data from the chain. For the case of a TLS client
re-connecting to the same end point, most likely TLS session resumption
would be used (thus dnssec_chain re-validation wouldn't be needed) so this
optimization doesn't gain anything. But yes, it would help save the client
some signature validation work in the case of tlsa.foo.com to tlsa.bar.com.

-- 
Shumon Huque

v2.23.0 | Report a Bug | By Email