Re: [TLS] Dnsdir early review of draft-ietf-tls-svcb-ech-01
Rob Sayre <sayrer@gmail.com> Fri, 29 March 2024 23:21 UTC
Return-Path: <sayrer@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2BEBC14F69A; Fri, 29 Mar 2024 16:21:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hgTnHAl0R1sc; Fri, 29 Mar 2024 16:21:09 -0700 (PDT)
Received: from mail-ed1-x52b.google.com (mail-ed1-x52b.google.com [IPv6:2a00:1450:4864:20::52b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91217C14F686; Fri, 29 Mar 2024 16:21:09 -0700 (PDT)
Received: by mail-ed1-x52b.google.com with SMTP id 4fb4d7f45d1cf-56bc5a3aeb9so3013187a12.3; Fri, 29 Mar 2024 16:21:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711754467; x=1712359267; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=o8y5xONtEyf14u0pOZDElBemj4Ws4k2pG3yAM9oNvBk=; b=JsZ0AdQ0nZCnYobwnp8EadNplge7Fj7+PJvk5ZRXj8Hvlxq+f7AeJ3lwWS49Qk+N+A CyVg+8sg2H1Ts/K26mZ3BndO3CO6bUpF6/oq0RtW6VLe9z7v/iMLushUv452C3FVGow1 3vSyXC9CZM49cEcYG2vB0fPW5AtU/KJhwcS9vyQ8JY7TjDOtD44Q6kOxgajQvllcJv84 Nw4VwWmMG3/zIIy8u6VU0qrTe0d0F/moxDEQ1MB8TJ1FafDHU5Kp5h/xIcAUAd991I+U fQTRlTUkB0yX45isDO7M0EifVC044tONUYgrIPH5+JKgTu2Sn25rZyWFj8+DQRG6AqrV cZ3A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711754467; x=1712359267; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=o8y5xONtEyf14u0pOZDElBemj4Ws4k2pG3yAM9oNvBk=; b=ctkwoDZc1w/dbpKNP/NxSlUhsefiI2hxpaVYe2esIeGDWvFNpYe7tfwzjMw9kGLlGm 5J+Djb9kPGipgdkgXi3YT5T1EoBjbP2UwnJM4iKrvobe1+mIngyeabKm8p+ndX/9Hil7 i9fk6kCd0b50VkFTM1aj/5RgRQ6o9uWnIODLHWSIR1xaD/X6FZj81qWKhNqwkoEfIW6j 9Xym7k72LzCcEEjj0bCNCd1nkB8HD2gfiL4e0U3dJNrqy6rm/u5+4hETCKRTyTjDITyh NzgLXwv05riWs9/um0bBSqUsiCx6uigP8OfGn2GxiTjeHjULdFQXv218T/Hn0nD+QC8N /7YA==
X-Forwarded-Encrypted: i=1; AJvYcCXpQdZf2PeOiT4O0xnyInq9O+kAg4Rviwhk3puJ60ENVlWIbRIJcBvmwuCYb/ElPzfC+30aNtV3OwSqeTYmPF8PC0BcKBXT7DOi4uQBJ/HTB5KqqcjxVcOMjrCgUarHAGO3Vg==
X-Gm-Message-State: AOJu0Yy+dys3WgaYJQAavHx5Hgx82ftvdd2g6RJpFhrKLcAoIcylyLuw +DMaxzGcQ3v3tEdsFHG+hJtRGc53Wb8pHpGbVuRKhf6NG+aj235aV48MfMH/QtX6jhYULycR65e 6lx4vTKY7o6mAggt8yRPUGXhIa9I=
X-Google-Smtp-Source: AGHT+IGxipNbGykAKS+/u1P0i0t1x2fjckgskmleYCXXWt1HOrPPszXeR7ft3kYia9JehBMQpO6QSdo2GS+cVrWCF5w=
X-Received: by 2002:a05:6402:270c:b0:56b:f79e:89ea with SMTP id y12-20020a056402270c00b0056bf79e89eamr2604800edd.14.1711754467416; Fri, 29 Mar 2024 16:21:07 -0700 (PDT)
MIME-Version: 1.0
References: <171174253501.29384.9373864670898234756@ietfa.amsl.com> <CAChr6SwCKV4P_xab_3dKSwKDfPdxjz3WinQaWebMcXh8-_xy0g@mail.gmail.com> <CAPt1N1knx=+K627L6rsf4nGuiwpSXjWoMB4QcMfwhJdaGKypUw@mail.gmail.com> <CAChr6SxKA7YidnYWW=6DOWeQo+_CKNaWNOQL9JQnJUB3thgBhw@mail.gmail.com> <CAPt1N1=snvSeQ74xs=HNVyszxjTD1SPMxw3+BVh-5-HBnOcZag@mail.gmail.com>
In-Reply-To: <CAPt1N1=snvSeQ74xs=HNVyszxjTD1SPMxw3+BVh-5-HBnOcZag@mail.gmail.com>
From: Rob Sayre <sayrer@gmail.com>
Date: Fri, 29 Mar 2024 16:20:56 -0700
Message-ID: <CAChr6Sx0WX-X3dWjkwMJAa4Rz3BhnUdYMFwWgLkorm6d-16g1w@mail.gmail.com>
To: Ted Lemon <mellon@fugue.com>
Cc: dnsdir@ietf.org, draft-ietf-tls-svcb-ech.all@ietf.org, tls@ietf.org
Content-Type: multipart/alternative; boundary="000000000000f9240a0614d4e441"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/WIA_vvUEu8_cg9yIbqgtRGt5HGA>
Subject: Re: [TLS] Dnsdir early review of draft-ietf-tls-svcb-ech-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Mar 2024 23:21:10 -0000
I don't think it relates to DNSSEC. You can fail at DNS (DNSSEC failure) or you can fail during ECH (unless you want to use non-ECH, which is not ECH, and not part of this draft). It makes sense to me: one can reject a request unless the requirements embedded in the SVCB are met (the server chooses those, which can include many aspects of the request). I don't understand why one would insert DNSSEC here. That seems to be the whole point--it works without it. thanks, Rob On Fri, Mar 29, 2024 at 3:57 PM Ted Lemon <mellon@fugue.com> wrote: > I'm not telling you that you have to require DNSSEC. I'm saying the > document is incomplete if you don't talk about how it relates to DNSSEC. I > think EKR got the point, so maybe go with his approach? > > On Fri, Mar 29, 2024 at 6:27 PM Rob Sayre <sayrer@gmail.com> wrote: > >> It's a policy choice, though, right? I think ekr hinted at this issue as >> well. >> >> It's that one might also view requests that reveal the SNI as insecure. >> If that's the case, DNSSEC doesn't help. There will certainly be a >> transition period where that will be impractical for many servers. I think >> these are separate problems, though. >> >> thanks, >> Rob >> >> >> On Fri, Mar 29, 2024 at 3:10 PM Ted Lemon <mellon@fugue.com> wrote: >> >>> It looks like if you can't get the SCVB you're going to fail insecure, >>> so being able to use DNSSEC to prevent that for signed domains seems >>> worthwhile. >>> >>> On Fri, Mar 29, 2024 at 4:41 PM Rob Sayre <sayrer@gmail.com> wrote: >>> >>>> On Fri, Mar 29, 2024 at 1:02 PM Ted Lemon via Datatracker < >>>> noreply@ietf.org> wrote: >>>> >>>>> >>>>> I don't think it's reasonable to specify the privacy properties of >>>>> SVCB and >>>>> /not/ talk about DNSSEC validation. >>>>> >>>> >>>> Could you explain more about this part? I think DNSSEC doesn't add much >>>> here, unless you want to accept non-ECH traffic. For example, many of the >>>> test servers will bounce you to some other site if you don't send ECH or >>>> screw it up in some way (speaking as someone who has screwed it up many >>>> times...). >>>> >>>> I think there might be a DoS attack here, where someone messes with the >>>> response, but they can also turn off the DNSSEC bit unless it's DoT/DoH/DoQ >>>> etc. So, if using those, it's just the trustworthiness of the DNS server >>>> itself, right? Sorry if I'm missing something. >>>> >>>> thanks, >>>> Rob >>>> >>>>
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Rob Sayre
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Eric Rescorla
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Rob Sayre
- [TLS] Dnsdir early review of draft-ietf-tls-svcb-… Ted Lemon via Datatracker
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Ted Lemon
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Ted Lemon
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Ted Lemon
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Rob Sayre
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Ted Lemon
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Eric Rescorla
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Ted Lemon
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Erik Nygren
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Ted Lemon
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Rob Sayre
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Erik Nygren
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Rob Sayre
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Ted Lemon
- Re: [TLS] [dnsdir] Dnsdir early review of draft-i… Tim Wicinski
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Eric Rescorla
- Re: [TLS] Dnsdir early review of draft-ietf-tls-s… Sean Turner