IETF Logo Mail Archive

Re: [TLS] Mirja Kühlewind's No Objection on draft-ietf-tls-dnssec-chain-extension-06: (with COMMENT)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Tue, 13 February 2018 17:08 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A14B5126CE8; Tue, 13 Feb 2018 09:08:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pj1893aFGr0T; Tue, 13 Feb 2018 09:08:20 -0800 (PST)
Received: from mail-pl0-x234.google.com (mail-pl0-x234.google.com [IPv6:2607:f8b0:400e:c01::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5187512D853; Tue, 13 Feb 2018 09:07:55 -0800 (PST)
Received: by mail-pl0-x234.google.com with SMTP id f4so6919560plr.10; Tue, 13 Feb 2018 09:07:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=7RVnq8g2/ZkMAhsOGv1x98TUiaIXL4+6eRampIvQWHs=; b=njJ3Kh+oJs/pP05r2hvF36gi29C8M3VauOEC8vihHnb2LoaaMoDCavCEAfLabgJHry x0O1P4pdSM+Ty0H+RWpV1RI9gM9iwlrGRf4eoRZXn++756oe6WR5WqxLyChbAFVpVPUv LM4QOzeZRjYn00WzoTLnpzrZcx4fNSwQRf0QtE+eTEiDqVOhP+PbORrCy0vTpJHNeEHs B2f8pHBYZ1hwEVDqII23Z5rHS03lD/C8ENB9l8MTEP3qdCRSPx19dy6Uhll/ypR5E/lv Iqk799O4rnuK8JbRc9vedc2tOLHHCrRVUggGo2FDZMHYD9vj5GPmaSn8GFgWnCwazYLw G0kg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=7RVnq8g2/ZkMAhsOGv1x98TUiaIXL4+6eRampIvQWHs=; b=dcVV533vbUOPyqMdt0clw81igG3FcSN6tcV6CAV7rQ/IRxGX+/0jrSQno8yz1WjKiX NaAxZ0pTbfjmpTU3AjlU6oDUQBbK51/Zu4ovqP+Iyb1oOzECW1Z7YvFxNwh0q38kdyhF NQrwgLpvPFoPM/4vgbJ/nKyIDNGn/V4e2AxijvXhYyVFylOrz3WzF9N0tMPZyNcdxytj 79O/CIFxIhM2cw7pKbDB6kn5Zfhrv+VJPdAv9nqJe27HAQUWlM7YuO+9+aDSPXWPqf+T DyHCd4uazlZGuQ9bDqGuMUtbadBOqNTFGCAwa7ikaYlsgJHBEcKR/Viiz2ENfr/LvTSb y8+Q==
X-Gm-Message-State: APf1xPCHCIcFg2/8qIBXOOYLL2p1zdkPeiQvtZEtZlf7nxlrFGCSLODS v0z5IFDTm3PmjUU8hn1FLfkRG0+1YQSU7biLjxI=
X-Google-Smtp-Source: AH8x224hIR7G7Cj8BykQ5DD8zH9VbG9/HfoQqE7BTwwehFdTqPzRqilzyLhX6JQ+i3OYwN0ROvgXi3IX+tUWQDG5Ugo=
X-Received: by 2002:a17:902:6041:: with SMTP id a1-v6mr1687087plt.225.1518541674614; Tue, 13 Feb 2018 09:07:54 -0800 (PST)
MIME-Version: 1.0
Received: by 10.100.186.143 with HTTP; Tue, 13 Feb 2018 09:07:14 -0800 (PST)
In-Reply-To: <CAHPuVdUVrzwNZDYktnztxuWQ-6yt+vT1aU76D1mL9rm3N3PJFw@mail.gmail.com>
References: <151800968634.4877.12510609339415982154.idtracker@ietfa.amsl.com> <CAHPuVdWO1LqNBK_f4xxcgP5PLQGDw1OMJiymf3jWXSDftP07+A@mail.gmail.com> <4c90bb83-5ba1-8193-df67-38e25f76caf8@nlnetlabs.nl> <CAHPuVdUVrzwNZDYktnztxuWQ-6yt+vT1aU76D1mL9rm3N3PJFw@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Tue, 13 Feb 2018 12:07:14 -0500
Message-ID: <CAHbuEH7aoiBK3vbH77Qdmiu6+ULS5VyefNydpkwM6MV=SmHdEA@mail.gmail.com>
To: Shumon Huque <shuque@gmail.com>
Cc: Willem Toorop <willem@nlnetlabs.nl>, tls-chairs <tls-chairs@ietf.org>, draft-ietf-tls-dnssec-chain-extension@ietf.org, Mirja Kühlewind <ietf@kuehlewind.net>, TLS WG <tls@ietf.org>, Joseph Salowey <joe@salowey.net>, The IESG <iesg@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/B06gg7iepYJuLHChWEoIbh5YDLY>
Subject: Re: [TLS] Mirja Kühlewind's No Objection on draft-ietf-tls-dnssec-chain-extension-06: (with COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Feb 2018 17:08:24 -0000

On Thu, Feb 8, 2018 at 9:32 AM, Shumon Huque <shuque@gmail.com> wrote:
> On Thu, Feb 8, 2018 at 4:51 AM, Willem Toorop <willem@nlnetlabs.nl> wrote:
>>
>> Op 08-02-18 om 03:27 schreef Shumon Huque:
>> > On Wed, Feb 7, 2018 at 8:21 AM, Mirja Kühlewind <ietf@kuehlewind.net
>> > <mailto:ietf@kuehlewind.net>> wrote:
>> >
>> >     Mirja Kühlewind has entered the following ballot position for
>> >     draft-ietf-tls-dnssec-chain-extension-06: No Objection
>> >
>> >
>> > ----------------------------------------------------------------------
>> >     COMMENT:
>> >
>> > ----------------------------------------------------------------------
>> >
>> >     Two minor, mostly editorial comments:
>> >
>> >     1) Intro (sec 2): " It also provides the
>> >        ability to avoid potential problems with TLS clients being unable
>> > to
>> >        look up DANE records because of an interfering or broken
>> > middlebox on
>> >        the path between the client and a DNS server."
>> >     Is that actually a well-known problem (can you provide a reference?)
>> >
>> >
>> > Some folks (at Google and NLnet Labs if I recall; maybe others) have
>> > done
>> > measurements to show this is an actual problem -- for a relatively small
>> > but
>> > still non-trivial fraction of clients. We'll try to see if we can dig up
>> > specific
>> > references to documents that could be cited.
>>
>> I wouldn't call it a relatively small fraction :)  DNSSEC is severely
>> hampered for end-entities by broken infrastructure in many different
>> ways.  Sometimes an upstream resolver can be used for positive DNSSEC
>> answers (i.e. existing records), but not for non-existent or wildcard
>> answers, because it simply doesn't forward the NSEC(3) proof for it.
>>
>>
>>
>> The last measurements we at NLnet Labs did was in July 2015:
>>
>>         Gorjón, Xavier Torrent, and Willem Toorop.
>>         "Discovery method for a DNSSEC validating stub resolver."
>>         (2015)
>>
>>         https://nlnetlabs.nl/pub/os3-2015-rp2-xavier-torrent-gorjon.pdf
>>
>> Measurements were done with RIPE Atlas, with at the time +-8200 probes.
>> At the time only 56% of probes received enough DNSSEC data from their
>> upstreams to be able to perform DNSSEC validation for both positive and
>> non-existent answers (required for DANE).
>
>
> Ah, thanks. I'd forgotten that it was so high!
>
> I think my "relatively small" comment was recalling an earlier study (I
> think by
> Google) that saw a breakage of around ~ 5%, but I think that was just
> measuring
> the ability to lookup and obtain less common RR types and did not measure
> ability
> to perform full DNSSEC validation.

What's the behavior when the middlebox is a proxy, let's say existing
a managed network?  I presume from from section 3.1 that this
negotiation doesn't work in that instance unless sites configured for
this are not subject to the proxy as is often done for financial site
access from corporate networks.  It would be good to know if it does
work and that is addressed with the text Mirja calls out for her #1
question.  Having this clarified could be helpful.

Thanks.

>
> Shumon.
>



-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email