[TLS] Dnsdir early review of draft-ietf-tls-svcb-ech-01
Ted Lemon via Datatracker <noreply@ietf.org> Fri, 29 March 2024 20:02 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: tls@ietf.org
Delivered-To: tls@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 080FFC14F6B9; Fri, 29 Mar 2024 13:02:15 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Ted Lemon via Datatracker <noreply@ietf.org>
To: dnsdir@ietf.org
Cc: draft-ietf-tls-svcb-ech.all@ietf.org, tls@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 12.9.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <171174253501.29384.9373864670898234756@ietfa.amsl.com>
Reply-To: Ted Lemon <mellon@fugue.com>
Date: Fri, 29 Mar 2024 13:02:15 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/VQcqUuOXSE8sgcp4_CHa6Jlc394>
Subject: [TLS] Dnsdir early review of draft-ietf-tls-svcb-ech-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Mar 2024 20:02:15 -0000
Reviewer: Ted Lemon Review result: Almost Ready This is a DNS Directorate review for draft-ietf-tls-svcb-ech-01. Section 4.1 advises disabling fallback, but does not talk about DNSSEC, which is surprising given that the draft proposes privacy properties for SVCB responses containing ECH data. I would think that it would make sense to say that the SVCB querier should attempt to validate the response, and then talk about what to do for bogus, insecure and valid positive and negative responses. For example, I would think that a /bogus/ response should be taken to mean that the SVCB record must be assumed to exist and should be treated the same as if the list of destinations were not reachable. An /insecure/ NXDOMAIN or NODATA response would not provide this assurance, and so what is currently described in the document makes sense for this case. A /valid/ NXDOMAIN would assure that no SVCB record existed, and hence ECH is not available. I don't think it's reasonable to specify the privacy properties of SVCB and /not/ talk about DNSSEC validation. I could see that there might be an objection that if DNSSEC isn't working at a particular site because of a broken DNS resolver, this would prevent connecting to perfectly acceptable destinations simply because of general DNSSEC breakage, not a specific attack on this specific domain. The problem is that there's no way to distinguish this from an attack. So if this exception is allowed, the security considerations section should talk about what the risks are of allowing it. E.g. if we succeed in validing the root and com, but can't validate the zone containing the SVCB (or determine that it's not signed), that would be a clear indication of an attack, but if we can't validate the root, it could just be brokenness, and an attacker would do well to just prevent all validation so that we can't distinguish.
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Rob Sayre
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Eric Rescorla
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Rob Sayre
- [TLS] Dnsdir early review of draft-ietf-tls-svcb-… Ted Lemon via Datatracker
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Ted Lemon
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Ted Lemon
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Ted Lemon
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Rob Sayre
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Ted Lemon
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Eric Rescorla
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Ted Lemon
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Erik Nygren
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Ted Lemon
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Rob Sayre
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Erik Nygren
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Rob Sayre
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Ted Lemon
- Re: [TLS] [dnsdir] Dnsdir early review of draft-i… Tim Wicinski
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Eric Rescorla
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Sean Turner