IETF Logo Mail Archive

Re: [TLS] Proposed text for dnsssec chain extension draft

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 26 April 2018 04:17 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A1F4127867 for <tls@ietfa.amsl.com>; Wed, 25 Apr 2018 21:17:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jgEl5FjkpEio for <tls@ietfa.amsl.com>; Wed, 25 Apr 2018 21:17:23 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [108.5.242.66]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8EBC912426E for <tls@ietf.org>; Wed, 25 Apr 2018 21:17:23 -0700 (PDT)
Received: from [192.168.1.161] (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mournblade.imrryr.org (Postfix) with ESMTPSA id B7EFE7A3309 for <tls@ietf.org>; Thu, 26 Apr 2018 04:17:22 +0000 (UTC) (envelope-from ietf-dane@dukhovni.org)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <e922e5fe-2d58-5182-87e4-618a86bc96f1@nlnetlabs.nl>
Date: Thu, 26 Apr 2018 00:17:21 -0400
Content-Transfer-Encoding: 7bit
Reply-To: TLS WG <tls@ietf.org>
Message-Id: <5E452933-1085-44CF-AF19-8DBB8870C5F8@dukhovni.org>
References: <1D2EB7F1-B796-4459-93C2-443A7104F33A@dukhovni.org> <e922e5fe-2d58-5182-87e4-618a86bc96f1@nlnetlabs.nl>
To: TLS WG <tls@ietf.org>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Oo_puWg_lTMwOWXoKfnwgHisfK4>
Subject: Re: [TLS] Proposed text for dnsssec chain extension draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Apr 2018 04:17:25 -0000

> On Apr 25, 2018, at 10:02 AM, Willem Toorop <willem@nlnetlabs.nl> wrote:
> 
> If you do, could you please make separate pull requests for denial of
> existence and another one for the lifetime field.

I made a single pull request with two commits, I hope that's OK.

The 16-bit field is the second commit, and if that fails to get
adopted, then you can use just the first commit.

  https://github.com/tlswg/dnssec-chain-extension/pull/14

The text is slightly different from my earlier post based on
a revisions already staged by the authors which adds a section
containing a brief overview of the the two types of a denial
of existence response.  The first commit makes what I think
are additional necessary adjustments elsewhere in the document.

It also changes MUST use DANE when TLSA records are present to
SHOULD use DANE when TLSA records are present AND "usable".
With the protocol subject to downgrade attacks, the MUST does
not afford any downgrade resistance.  The client may do as it
pleases and the server is none the wiser, so MUST does not
make sense here.

-- 
	Viktor.

[ Drafting revisions to a document sure forces one to read the fine
  print in ways that a mere "review" often fails to achieve. :-( ]

v2.23.0 | Report a Bug | By Email