Re: [TLS] draft-shore-tks-dnssec-chains-extension

Viktor Dukhovni <> Wed, 22 July 2015 22:18 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 2F2E11B2F3F for <>; Wed, 22 Jul 2015 15:18:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id e_RD5MsIR7Kq for <>; Wed, 22 Jul 2015 15:18:19 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 138831B2F3D for <>; Wed, 22 Jul 2015 15:18:19 -0700 (PDT)
Received: by (Postfix, from userid 1034) id 38A40284B55; Wed, 22 Jul 2015 22:18:17 +0000 (UTC)
Date: Wed, 22 Jul 2015 22:18:17 +0000
From: Viktor Dukhovni <>
Message-ID: <>
References: <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <>
Subject: Re: [TLS] draft-shore-tks-dnssec-chains-extension
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 22 Jul 2015 22:18:21 -0000

On Wed, Jul 22, 2015 at 05:23:39PM -0400, Paul Wouters wrote:

> >Should everything other than the first CNAME be in additional
> >records?
> I think so.
> > Should all the above (with their RRSIGs) be in the answer
> >section, with the union of the supporting DNSKEY/RRSIG/DS records
> >as additional?
> No, only the TLSA record and its RRSIG should be in there, so it is
> identical to a real DNS response packet.

But, the presence of a CNAME chain (either from host to TLSA base
domain, or from TLSA base domain to ultimate TLSA RRset) the start
of the chain is in the answer per your first comment?

> >I tried to ask a related question during the meeting, but bandwidth
> >to explain the context was limited:  Should proofs of non-delegation
> >be included, to keep gTLDs and ccTLDs honest for some future CT for
> >DNS?  Specifically, suppose you see:
> >
> > IN TLSA <rrdata>
> >
> >with an RRSIG from the ".com" zone, should there also be NSEC/NSEC3
> >records that demonstrate that "" (and
> >are not delegated?  (Such records might then be subject to "gossip"
> >or related "transparency" counter-measures).
> That's an interesting question. I'd be tempted not to do this work in
> the TLS extension but keep that to a ct-dnssec document.

But it would affect which RRsets servers should put in the extension.

I guess the extension structure remains the same, so no need to
pin this down yet?

> >>I do strongly prefer the binary blob to be in raw dns format. That
> >>will make parsing easier with existing code, and over time we will
> >>not run into issues where dns libraries support newer algorithms
> >>but this specific dnssec parsing code isn't updated.
> >
> >I'm not sure what "algorithms" you have in mind?
> The successor to ECDSA or something like Curve*. I meant new DNSKEY
> algorithms used to generate RRSIG records. I would like to see DNS
> code maintained by DNS people used by browser people but I am young and
> naive.

Oh, I see, indeed I DO NOT want to see applications shipping with
their own rarely updated DNSSEC libraries.  They should at least
use an actively maintained library that is sepeparate from the
application, and provides a "standard" API for doing the validation.

Even better would be a new type of query to the local resolver that
includes all the records as part of the query, and the local resolver
validates the results (for clients that can reach a resolver on, but which in turn can't get DNSSEC data).

(That is a protocol is even better than an API).

> > We should perhaps
> >allow (even encourage) "compression" to reduce the payload size,
> Is that a problem in TLS? I thought the CA chains were already massively
> bigger? Or is this something specific to the client/server hello
> message?

Sure, CA chains are largish, but no reason to make DNS chains
needlessly large, or for servers to perform uncompression just to
forward DNS packets to clients.

> >This really can't go in the certificate, because then certificates
> >would have to be updated as often as RRSIGS are regenerated.  That
> >seems exceedingly unlikely to be deployable.
> I agree, but Adam Langley did make that work so perhaps we are wrong?

Google might be more at liberty to mint certificates as they please
and to coordinate this with any DNS RRSIG refreshes, I don't see
the world at large being at liberty to do this.