Re: [TLS] draft-shore-tls-dnssec-chain-extension-00

Paul Wouters <paul@nohats.ca> Wed, 01 July 2015 03:27 UTC

Date: Tue, 30 Jun 2015 23:27:40 -0400
From: Paul Wouters <paul@nohats.ca>
To: Melinda Shore <melinda.shore@nomountain.net>
In-Reply-To: <55922571.8080605@nomountain.net>
Message-ID: <alpine.LFD.2.11.1506302319510.29441@bofh.nohats.ca>
References: <55922571.8080605@nomountain.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Z9RPFzv1CSYN67o3Y5f62ULDf24>
Cc: tls@ietf.org

On Mon, 29 Jun 2015, Melinda Shore wrote:

> Subject: [TLS] draft-shore-tls-dnssec-chain-extension-00

> We've submitted an initial draft describing a TLS extension for
> the transport of a DNS record serialized with the DNSSEC
> signatures needed to authenticate that record.

So this looks similar to the earlier "put it in an X509 attribute"
experiment that chrome did for a while. If it makes browser people
happier to use DNSSEC, I'm all for it.

Although I would be happier if we just shipped a binary DNS packet
blob (minus transport header) that could be given to a dnssec
validation library as if it came from a remote DNS nameserver. I
don't really see the use of a new DNS transport format, as the DNS
packet format can already be used to add a large number of records.

Additionally, code on nameservers for draft-ietf-dnsop-edns-chain-query
could directly be used to generate the TLS extension data blob as well
for the TLS server.

Having browsers have some kind of "validate this chain of DNS records
that is assumed to be in some validation order" seems awfully specific
code that is "just not DNS enough" to cause problems. I'd rather see
the data fed into existing real dns validation libraries.

Paul
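The "binary DNS packet blob" alternative Paul describes, as an added example that is not part of this thread: a plain RFC 1035 response (no transport length prefix) carrying a TLSA RRset plus the RRSIG that covers it, and the parsing a validator-side consumer would do to recover RRsets from it. The owner name, digest and signature bytes are constructed placeholders, and the block is a toy serializer, not a DNSSEC validator.

```python
import struct

TLSA, RRSIG = 52, 46  # RR type codes (RFC 6698, RFC 4034)
def encode_name(name):
    """Uncompressed wire-format owner name (RFC 1035 section 3.1)."""
    labels = [l.encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
def encode_rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
def build_response(qname, qtype, answer_rrs):
    """RFC 1035 message without any TCP length prefix: header, one question, answers."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 1, len(answer_rrs), 0, 0)  # QR=1, AA=1
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1) + b"".join(answer_rrs)
def read_name(buf, off):
    """Decode the name at off, following compression pointers; returns (name, next_off)."""
    labels, end = [], None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:  # pointer: remember where the original name ended
            end = off + 2 if end is None else end
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (off if end is None else end)
def answer_rrsets(blob):
    """Group answer-section RRs by (owner, type): the unit a DNSSEC validator checks."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", blob[:12])
    off, rrsets = 12, {}
    for _ in range(qd):  # skip the question section
        off = read_name(blob, off)[1] + 4
    for _ in range(an):
        name, off = read_name(blob, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", blob[off:off + 10])
        rrsets.setdefault((name, rtype), []).append((ttl, blob[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return rrsets
def rrsig_type_covered(rdata):
    return struct.unpack("!H", rdata[:2])[0]  # first RRSIG field (RFC 4034 section 3.1)
# Constructed sample chain fragment: a TLSA RRset and the RRSIG covering it (placeholder bytes).
OWNER = "_443._tcp.example.com."
TLSA_RDATA = bytes([3, 1, 1]) + bytes(32)  # usage 3, selector 1, matching type 1, zero digest
RRSIG_RDATA = (struct.pack("!HBBIIIH", TLSA, 13, 4, 3600, 1436000000, 1435000000, 12345)
               + encode_name("example.com.") + bytes(64))  # ECDSA P-256 sized placeholder
CHAIN_BLOB = build_response(OWNER, TLSA, [encode_rr(OWNER, TLSA, 3600, TLSA_RDATA),
                                          encode_rr(OWNER, RRSIG, 3600, RRSIG_RDATA)])
```

A real validator would then check the RRSIG against the DNSKEY and DS RRsets, which the same message format can carry in further answer records.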