Re: [TLS] Proposed text for dnsssec chain extension draft
Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 26 April 2018 04:17 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A1F4127867 for <tls@ietfa.amsl.com>; Wed, 25 Apr 2018 21:17:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jgEl5FjkpEio for <tls@ietfa.amsl.com>; Wed, 25 Apr 2018 21:17:23 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [108.5.242.66]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8EBC912426E for <tls@ietf.org>; Wed, 25 Apr 2018 21:17:23 -0700 (PDT)
Received: from [192.168.1.161] (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mournblade.imrryr.org (Postfix) with ESMTPSA id B7EFE7A3309 for <tls@ietf.org>; Thu, 26 Apr 2018 04:17:22 +0000 (UTC) (envelope-from ietf-dane@dukhovni.org)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <e922e5fe-2d58-5182-87e4-618a86bc96f1@nlnetlabs.nl>
Date: Thu, 26 Apr 2018 00:17:21 -0400
Content-Transfer-Encoding: 7bit
Reply-To: TLS WG <tls@ietf.org>
Message-Id: <5E452933-1085-44CF-AF19-8DBB8870C5F8@dukhovni.org>
References: <1D2EB7F1-B796-4459-93C2-443A7104F33A@dukhovni.org> <e922e5fe-2d58-5182-87e4-618a86bc96f1@nlnetlabs.nl>
To: TLS WG <tls@ietf.org>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Oo_puWg_lTMwOWXoKfnwgHisfK4>
Subject: Re: [TLS] Proposed text for dnsssec chain extension draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Apr 2018 04:17:25 -0000
> On Apr 25, 2018, at 10:02 AM, Willem Toorop <willem@nlnetlabs.nl> wrote: > > If you do, could you please make separate pull requests for denial of > existence and another one for the lifetime field. I made a single pull request with two commits, I hope that's OK. The 16-bit field is the second commit, and if that fails to get adopted, then you can use just the first commit. https://github.com/tlswg/dnssec-chain-extension/pull/14 The text is slightly different from my earlier post based on a revisions already staged by the authors which adds a section containing a brief overview of the the two types of a denial of existence response. The first commit makes what I think are additional necessary adjustments elsewhere in the document. It also changes MUST use DANE when TLSA records are present to SHOULD use DANE when TLSA records are present AND "usable". With the protocol subject to downgrade attacks, the MUST does not afford any downgrade resistance. The client may do as it pleases and the server is none the wiser, so MUST does not make sense here. -- Viktor. [ Drafting revisions to a document sure forces one to read the fine print in ways that a mere "review" often fails to achieve. :-( ]
- [TLS] Proposed text for dnsssec chain extension d… Viktor Dukhovni
- Re: [TLS] Proposed text for dnsssec chain extensi… Melinda Shore
- Re: [TLS] Proposed text for dnsssec chain extensi… Willem Toorop
- Re: [TLS] Proposed text for dnsssec chain extensi… Willem Toorop
- Re: [TLS] Proposed text for dnsssec chain extensi… Nico Williams
- Re: [TLS] Proposed text for dnsssec chain extensi… Viktor Dukhovni
- Re: [TLS] Proposed text for dnsssec chain extensi… Joseph Salowey
- Re: [TLS] Proposed text for dnsssec chain extensi… Nico Williams
- Re: [TLS] Proposed text for dnsssec chain extensi… Nico Williams
- Re: [TLS] Proposed text for dnsssec chain extensi… Joseph Salowey
- Re: [TLS] Proposed text for dnsssec chain extensi… Viktor Dukhovni
- Re: [TLS] Proposed text for dnsssec chain extensi… Nico Williams
- Re: [TLS] Proposed text for dnsssec chain extensi… Viktor Dukhovni
- Re: [TLS] Proposed text for dnsssec chain extensi… Eric Rescorla
- Re: [TLS] Proposed text for dnsssec chain extensi… Viktor Dukhovni
- Re: [TLS] Proposed text for dnsssec chain extensi… Eric Rescorla
- Re: [TLS] Proposed text for dnsssec chain extensi… Viktor Dukhovni
- Re: [TLS] Proposed text for dnsssec chain extensi… Eric Rescorla
- Re: [TLS] Proposed text for dnsssec chain extensi… Nico Williams
- Re: [TLS] Proposed text for dnsssec chain extensi… Richard Barnes
- Re: [TLS] Proposed text for dnsssec chain extensi… Nico Williams
- Re: [TLS] Proposed text for dnsssec chain extensi… Paul Wouters
- Re: [TLS] Proposed text for dnsssec chain extensi… Richard Barnes
- Re: [TLS] Proposed text for dnsssec chain extensi… Eric Rescorla
- Re: [TLS] Proposed text for dnsssec chain extensi… Viktor Dukhovni
- Re: [TLS] Proposed text for dnsssec chain extensi… Nico Williams
- Re: [TLS] Proposed text for dnsssec chain extensi… Nico Williams
- Re: [TLS] Proposed text for dnsssec chain extensi… Nico Williams
- Re: [TLS] Proposed text for dnsssec chain extensi… Viktor Dukhovni