Re: [TLS] Dnsdir early review of draft-ietf-tls-wkech-04
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 16 April 2024 12:13 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BC67C14F60C; Tue, 16 Apr 2024 05:13:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9k3tA17SmdTm; Tue, 16 Apr 2024 05:13:37 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-vi1eur04on2107.outbound.protection.outlook.com [40.107.8.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D419DC14F6AC; Tue, 16 Apr 2024 05:13:35 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=goW2aZ8GMzr6zDuLhmKRfxrin7Clpv4N0PT4DDJi4wFx8e8FVZnEI5e1uvGkzOPOGFpjxGdMJTRZhlGnKWerKj62qBRoqldX/CaYZPGopbI/3x1NzpBmhQIkPItpDMvAXwJwMDU3E7iOjZO5Y4ckYRmYert78G66DaKPRL/altUF07WbUtCpnFlkU210Dpm0WKyuidvUMqJ/c/nHPrPb1nubC/t3mp5x4qVQxIvh1xrrKihYKgS8wg3Rqu6OMXF1NLfwWv6zxHcDyqfr9Lc10QRGsUMrWjhzTkYxcwQSoldB4UH/G0bvpf0MSrtwfJNF7XFz+PRnRfwOxugIBoHICw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=2Zp+f3o1pv7bd2swMzfjF1CjtHWbxQKnCJBpB9kHVo0=; b=FlBeKJ2SyshdgewRq5h9HeU8k01qtyj5IcNiYcjAIBCw+kYFVjW8MufvIlBHi/lIFSg32Biq7a/mhPW901Yy9PXWoZDWB9paMHbyghVU73qrWz0Pukn0KlX7Vi/t9FRidTVUpRbSauNStEEr86/YkJYZu8uehPjuUwZ+TBrXoKPV8K0FUZ5LwkWKxHK3yViZzdGGTLWyPiEfN6pwrJls5sw3Bs3wtyUwtxDpAykIUvIVni3NClJ1rA4Pd/mtqKmo/38EgLzIz+Mnbzu2+U43t4HLHFKsdqCvpfYSxBTJQPGu8P8CZkTJfWQDlmUBnX6oO7vfwfBd+vimB3ykCvVlEQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cs.tcd.ie; dmarc=pass action=none header.from=cs.tcd.ie; dkim=pass header.d=cs.tcd.ie; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cs.tcd.ie; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2Zp+f3o1pv7bd2swMzfjF1CjtHWbxQKnCJBpB9kHVo0=; b=XYlYUXhkm8ZLacUhEIGRr6TFvz0/w0kAh2W8IeLN8mK2uNof5hcyUWWakWPyYDzkbHCsUESDsQ0mtfOOo3/k2r8cLR/hbWjcM3zjj1tn/8/HmaB6wq0x8L2Zdowe9QaSjBXADDoJ4P1DZyi9TdPDjtFso4RqlxmtMCKZDXiiNHnTEZ0c6FjvjpYaLJWJ8YMp8xRZhaJje/CzXMEu5gbZddkOhegSzvcpk4XGO9yr4dgD38cwHa8HPB94IgDk7/eBFVLLgMhEtl21saxnOXRqrwndwJJsTR3cPkRxd/MfrgUV/1IRCjDz/37yfsLld3fBXkw9mCPs78MSYxFLWqt49g==
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cs.tcd.ie;
Received: from DB7PR02MB5113.eurprd02.prod.outlook.com (2603:10a6:10:77::15) by DBBPR02MB10752.eurprd02.prod.outlook.com (2603:10a6:10:53c::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7452.49; Tue, 16 Apr 2024 12:13:30 +0000
Received: from DB7PR02MB5113.eurprd02.prod.outlook.com ([fe80::4421:1ca6:59b4:20c9]) by DB7PR02MB5113.eurprd02.prod.outlook.com ([fe80::4421:1ca6:59b4:20c9%7]) with mapi id 15.20.7452.049; Tue, 16 Apr 2024 12:13:30 +0000
Message-ID: <7fc09f1c-8b50-4ec8-87dd-4e453a1c60ba@cs.tcd.ie>
Date: Tue, 16 Apr 2024 13:13:28 +0100
User-Agent: Mozilla Thunderbird
To: David Blacka <davidb@verisign.com>, dnsdir@ietf.org
Cc: draft-ietf-tls-wkech.all@ietf.org, tls@ietf.org
References: <171322109338.39987.3724834037673235032@ietfa.amsl.com>
Content-Language: en-US
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Autocrypt: addr=stephen.farrell@cs.tcd.ie; keydata= xjMEY9GzphYJKwYBBAHaRw8BAQdAo6JvjmSbxHdQWPZdvciQYsHhM1NxQBU398Mmimoy4p7N M1N0ZXBoZW4gRmFycmVsbCAoMjU1MTkpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPsKQ BBMWCAA4FiEEMG54R8tZDyZFrDOn5Njp+ZeoM90FAmPRs6YCGwMFCwkIBwIGFQoJCAsCBBYC AwECHgECF4AACgkQ5Njp+ZeoM93bogEA25ElRyX0wwg+kGEN1AoL60MoZfvQZ/VtmXY6IC5j +csBAIBpkL5ySuzJK2zLNZn9qQGht8IaUcA7cvDcLvS2uHUEzjgEY9GzphIKKwYBBAGXVQEF AQEHQILCPWOwW36e8D3pY8GmvvtItIT+A5uV80ist+WokVsQAwEIB8J4BBgWCAAgFiEEMG54 R8tZDyZFrDOn5Njp+ZeoM90FAmPRs6YCGwwACgkQ5Njp+ZeoM92bcAEA8R+8cpqRUIS+SoAN iO05xE6O/wEx8/e88BqzAYki3SoBAOQdwiPX+MQrAxkWD8xxOsdMOAtxYKpkD1n8aPJUw6QJ
In-Reply-To: <171322109338.39987.3724834037673235032@ietfa.amsl.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------8cA2pcOJ4fXL0VzRyjGaM2sK"
X-ClientProxiedBy: LO2P265CA0201.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:9e::21) To DB7PR02MB5113.eurprd02.prod.outlook.com (2603:10a6:10:77::15)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: DB7PR02MB5113:EE_|DBBPR02MB10752:EE_
X-MS-Office365-Filtering-Correlation-Id: ca39b43e-71f3-436a-468c-08dc5e0ea0e7
X-MS-Exchange-SharedMailbox-RoutingAgent-Processed: True
X-TCD-Routed-via-EOP: Routed via EOP
X-TCD-ROUTED: Passed-Transport-Routing-Rules
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: hKovi/Vl+VqcxvIOo89jcDCykZLHD/9vrE0bvByfYZRA9iSaKHSrCOlV1lumtYPiw+zj4R4CpJRMDeTEYtUARt3k8mKgEE7La2N71C2HlQGMOX4L3OnWiu5diM+4e9ibKT279jMclZpe2g4pwLHHSudcT5SjXuiE+2VzqPxbHDyuHtSPMTa9LqmTEeFObMSLi0tnrBV931tm7uvlqV8iH44OSG5CIR4qJtkqE8UXTHUuoJSdm1DxCktYDTMrsh5+cQh6jKF0toiLVjGP+PK74kzJj5D4Hb8xhyGJK16HBB/RqgkClznsUf6eCUmesYRV3pMoB10CcZkHF2tgGJxm0d20tKfQGHZ9Bf5rtObzplU7GibMWZxKBqPpt9nxDpWlRnoqQf3lJYikQhxYrNFBBEYYG0uMTUjI0JF5+AUXW9vp6991pXZc/QhgRkFx935dp11t1JiLnrnZtxEm+QX9EVJ8MgJtCl+cwetv3mTDVpNP3hd6HlCCCFgcuxXnLDho8QMo0o5Wrm0V3q/ASp12TD4PdHTZPR8A0/7IKhza81x0OCtxTaL6xnrIuQwrM7QI66WkbPMrGPv8D24vIjOss0qFK5O5SaBhkplajYnL/LUI8OUselOe6l4/z+MdJhsRQp1ttSlrBRR40lfIX+CrycMMcAWj/3FaH5+9XJ0KVdA=
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB7PR02MB5113.eurprd02.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(376005)(1800799015)(366007); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: Ilyne4QVePla5t16E44sdA2ItfZwFClBp+wyuxWxZHh+Re8MqxY0CbrIlArvkPzkloUjx2QeT/em0+VgPqbQEhv1xkfKYVlQNht96meTvlLQRZcNdoodBb4vYTZoA2Dw3EcbkrHFxwGwE8y/fxx61k7Xd0dQKGPqfL+7SXvOHHUICJrHoKGRT56N0DNTCNJUc76S6I9zY6/vo/niNqxpgdOySk3HCQYje1SKJ/4umzPjkl55NhUL1soZEo6ulGxgBchzLztcGxw7bSqce1fOqpSM/h0E/41ioObpFgxZejeek7EwcvKeOEEJ/Qcu8xkpcGRqOXdkX8zR30RMFpqyxvKZVJAujyfmYDD7Dkf2MOnfRvUBzk0S38JeNQg6FTVawIu9LpXaAlk6CgsN6pNKu7blAbBfIw80r/KFL/e3UpDaotgJbOD3DWFvliU2qP/zrgBmXwiPohJTeoOEHyjAXP6r037SQBQGWTRbSzjNaNVUd8D9dndJoy9KRj/xXKLazgAeE3yhQ0pU8NORw8Xsdu5JT0yM3WKodBtxu1d2FgQNt/m7e014pq7ugF/XhxIXMcqqyzE3CYOKiXp6MKE866PhfrwFf3YF01VrXrCJICbNt4baSurp5rCKkU5aO4H62oRDCHUJWtRV8uDengMmTlFwRUJsXgARmgr8splf6bz+FnoGXZ5wj9VKCXsbWn3/ZiVofmEECIcwunHQrYkWWa+DCJeeFmT/h2xSBaIf/r/A7r+KHXWirvMNgfLGd49qnBh7TTiDLKxyYRGArLZMKSxaIrKyXZ4VPm0/ggQrkWBeaSNg1YJDi7/8+UvGxatooTW/zxZywiR2ErMx/P8gJveVUz2DuqHW7Yo+I5usxmJc5bNrqSqKM930RjTqHoC3P54ddQEOnM3ItC1T3ogRhQkFoyBqi0EpMdjCmBnl+S0qgKcOTGaCWUzYqcPadnon2wRIl5Zpbv+FaJLUJP/MwGGi2JEyotG9hpC4XQ0Rh/RDN0AqB2PdSibfYRYCGrzGLa1xEKDyV3MEaBIdN64SEu55kpm6xelgOuQIS/PP4/lc7n/1zJiTu7K3yHNNE1gioZKW4VGFZC2IWK5eiWEI9HsrBbG+I8wA0wfHlAvaOS+VPjEcDB8Ptsn3VE1/BasbKTszr5U5bzB67vYW30NKwrBFYDOgCuhObqSW2x3fV93OgibbDWNTrE7+5FkkrdtiPCB5r296uELKpzNXyKYb2kCNwwaUnJrIYqc8+L5VnxpwtWZib28n52W459ooAjPr7UJ+fk1DtanKW0+cCmBDPI/zK+e7ZFsFaaE4emon6AUJTu6AoTLry1g/qBP3wr7rC4+MqXGa4qYDdhQRyFaEcrryk41xBUDt9kcIuEGDjhTVkiMkvsxYL2p0tV+55nhit1bTWguaaLIvGP4VHjnmAkukAOtMMoJ5Cb26zOQOFgJbs5DCysEglsD67/qOaYKLuKPM5CXeWJVE7/DXS9j1SG0+YI8UUMMhYb91xal3E32jiCMJ0MeDlDSNdL1I2Ll9rKwvk/qtPKbMf3mH5uNq2UoCAMTqBf7dbj/K0xxgpN9gS3/TDJqfecHf/LNcWpz7+cv0sgn4LBEKwG5gr4GyvaGd3WXRf7GBMpvG0jPrMfOBSbQXnPkZ5EjrUJl0ccQm
X-OriginatorOrg: cs.tcd.ie
X-MS-Exchange-CrossTenant-Network-Message-Id: ca39b43e-71f3-436a-468c-08dc5e0ea0e7
X-MS-Exchange-CrossTenant-AuthSource: DB7PR02MB5113.eurprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Apr 2024 12:13:30.9347 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: d595be8d-b306-45f4-8064-9e5b82fbe52b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: ZTS5nDs+sJbKwcI/gpMeUztoh0wK9eXc/TSnk+uchgcRXxA/kbHNWskiBPeDX/oj
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DBBPR02MB10752
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_8cAPs_3GhBEyr0yYnq4v28SKkU>
Subject: Re: [TLS] Dnsdir early review of draft-ietf-tls-wkech-04
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Apr 2024 12:13:42 -0000
Hi David, Thanks for taking the time to review this. On 15/04/2024 23:44, David Blacka via Datatracker wrote: > Reviewer: David Blacka > Review result: Ready with Issues > > This is an early review, so the actual status simply means that I didn't find > anything alarming in this draft. Ta. The authors do agree that it's not actually ready though so no need to be so nice:-) > At its core, this I-D is a registration for a well-known URI, using the > criteria described in RFC 8615. The use of this well-known URI is that a > separate software component from the web server itself can poll the URI and, > based on the response, update DNS RRsets. This seems pretty straightforward. > > The JSON format is encoding of the SVCB ServiceParams, plus the priority, > target, and "regeninterval" fields. This makes sense, since we are asking the > "Zone Factory" to generate a SVCB or HTTPS record from the data. This leads to > some obvious questions: > > * What happens if there are unknown keys in the JSON? (e.g, is the response > considered invalid? Yeah, that's TBD for now. Authors need to chat about it and probably reflect on how we've seen new tags for SVCB being added over the last while. > Or does the Zone Factory ignore them and create the RRs > anyway?) * how are changes to the underlying SVCB service parameter registry > handled? This I-D asks IANA to create another registry for the JSON fields. > Does this have to "keep up" with the SVCB IANA registry? Good questions that'll need answering. Will create GH issues for those (and for issues raised in Martin Thomson's review); I plan to create those this week when I get time. > This I-D talks about web servers running in "split mode". Is this a common > term in the web world? Is there a reference to this practice? It's not common in the web world, but is part of the design of ECH and defined in that draft. I added a sentence saying that to my local copy. > If not, could > it be described more completely? I found the abbreviation "BE" to be jarring, > possibly more so because it is used without any English articles. We already changed some terminology based on Martin's review so those all now say "backend" rather than "BE." > Since I don't really understand "split-mode" (which is presumed to be the norm > based on the example), I don't understand why the distinction is relevant to > the proposal? Does the Zone Factory behave differently if the web server is in > "split-mode"? Section 5 suggests that is does, but I'm not sure exactly what > is going on there. Yeah, there're a few things still to be figured out wrt split mode but we'll be working on it next week or so - probably ok to keep an open issue for that. > I found the term "Zone Factory" a bit odd as well, but I couldn't think of a > better name. "Zone Agent"? "SVCB Update Client"? ZF still seems better to me, but we'll doubtless get feedback as the draft progresses in the WG and gets further dnsdir review as things settle down. > The I-D in section 6 says: > > ZF SHOULD set a DNS TTL short enough so that any cached DNS resource > records are likely to have expired before the JSON object's content is > likely to have changed. The ZF MUST attempt to refresh the JSON object and > regenerate the zone before this time. This aims to ensure that ECHConfig > values are not used longer than intended by BE. > > This could be couched more precisely in terms of "regeninterval". We might > want to avoid being overly prescriptive, though. Something like "The ZF SHOULD > set a DNS TTL less than 'regeninterval'", perhaps. WFM. Made that change locally. > In Section 6 (and maybe section 3), it isn't spelled out how the Zone Factory > determines the "owner" of the SVCB and or HTTPS records. I only ask about this > because, if it isn't the domain part of the well-known URI used, then it should > be accounted for in the JSON format. > > I'll also note that this early I-D does have a number of obvious typos, at > least one was noticed by the ART reviewer: > > * "For many applications, that requires publication of ECHConflgList data > structures in the DNS" -- there is an ell masquerading as an i. * "Zone factory > (ZF): an entity that has write-accsss to the DNS" -- should be "access". Ta. Fixed locally. > There are likely others. Doubtless:-) Thanks again, S. PS: In case someone cares - the draft may well expire before we get -05 out, but it should be a short interregnum:-) > > >
- [TLS] Dnsdir early review of draft-ietf-tls-wkech… David Blacka via Datatracker
- Re: [TLS] Dnsdir early review of draft-ietf-tls-w… Stephen Farrell