Re: [TLS] Proposed text for dnsssec chain extension draft

[Richard Barnes <rlb@ipv.sx>]

On Thu, Apr 26, 2018 at 11:22 AM, Nico Williams <nico@cryptonector.com>
wrote:

> On Thu, Apr 26, 2018 at 07:50:08AM -0700, Eric Rescorla wrote:
> > On Thu, Apr 26, 2018 at 6:51 AM, Viktor Dukhovni <ietf-dane@dukhovni.org
> >
> > wrote:
> > > On Apr 26, 2018, Eric Rescorla <ekr@rtfm.com> wrote:
> > >
> > >   * a lifetime field
> > >   * enforce vs. test
> > >   * a report URI
>
> We will need only the TTL.  We will not need anything else.  This is NOT
> like HPKP.  This will pin only the use of the extension, and NOT EVEN
> the use of DANE since you can send a denial of existence and you can
> *always*[*] do that if you stop wanting DANE.
>

Until my DNSSEC signing infra breaks, the signatures expire, and now my
server is bricked.

--Richard



>
> [*] unless you're operating in an alternate DNS universe where no zone
>     is signed, not even the root zone, but then you wouldn't have used
>     this extension ever, and you'd not have pinned it).
>
> Because we'd pin only to the use of this extension, the TTL is
> sufficient.
>
> > > This specification is always "enforce" (though my pull request
> > > changes a MUST use DANE to a SHOULD with some necessary added
> > > conditions) and since the report URI is in good measure to
> > > support non-enforce mode, we're back to just max-age.
>
> > But this reinforces my point. I think we ought to have an enforce vs
> > test flag and a report URI (and I I don't find your arguments above
> > about why we shouldn't do this persuasive.)  Standardizing this
> > functionality would require resolving these issues.
>
> Strawman.  These are make-believe issues.  Is it just to give the
> appearance that we couldn't possibly reach consensus on just two bytes?
>
> Nico
> --
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>