[TLS] Service Binding DNS Records (draft-nygren-service-bindings-00)
Erik Nygren <erik+ietf@nygren.org> Tue, 08 July 2014 14:42 UTC
Following some discussion in both the TLS and HTTPBIS working groups at past meetings (including in the TLS interim), it became clear that there was a need for a mechanism more flexible and powerful than SRV records for communicating parameters for establishing a connection to clients. In the TLS 1.3 world, one specific use-case is to bootstrap any handshake encryption via the DNS.

One of the major browser concerns is limiting the number of DNS lookups that need to be performed before establishing a connection, especially when multiple records that may only exist a small fraction of the time need to be hunted for. This proposal attempts to limit that while also enabling future flexibility. In particular, I believe this proposal also makes DANE/TLSA much more operationally viable for HTTPS use-cases.

Regarding the concern that the adoption rate for new record types is slow, this is explicitly an additional mechanism for now (such that clients should fall back to A/AAAA address records and such when unavailable), especially as the security functionality enabled in the first version is primarily opportunistic.

Feedback is most welcome and I'm happy to discuss more in Toronto. This does not yet have a working group home, especially as it spans the interests of a number of WGs. There are also plenty of open issues, and I'd like to land on the concepts before getting into final details of encoding:

http://tools.ietf.org/html/draft-nygren-service-bindings-00

---------- Forwarded message ----------
From: <internet-drafts@ietf.org>
Date: Fri, Jul 4, 2014 at 12:39 AM
Subject: I-D Action: draft-nygren-service-bindings-00.txt
To: i-d-announce@ietf.org

A New Internet-Draft is available from the on-line Internet-Drafts directories.
        Title           : Service Binding DNS Records (DNS B)
        Author          : Erik Nygren
        Filename        : draft-nygren-service-bindings-00.txt
        Pages           : 16
        Date            : 2014-07-03

Abstract:
   This document describes a DNS "B" RR which binds together information needed to establish connection to a service across multiple protocol layers, including the location of the server, the application-level protocol, and security bootstrap information.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-nygren-service-bindings/

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-nygren-service-bindings-00

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
I-D-Announce mailing list
I-D-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
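As an added illustration (not code from the draft or from the author of the message above), the following Python sketch models the lookup-count argument: a client that consults a single hypothetical "B" record for target, application protocol and security-bootstrap data, falls back to plain A/AAAA when no binding is published, and compares its query count with a client that hunts for SRV and TLSA records separately. The B rdata layout, the `_https` owner-name prefix and the zone contents are constructed assumptions, not the draft's encoding.

```python
"""Added illustration (not the draft's code): a hypothetical "B" record binding
target, ALPN and security-bootstrap data, with A/AAAA fallback when absent.
The B rdata layout and the zone are constructed stand-ins, not the draft's encoding."""
from dataclasses import dataclass
from typing import Optional

# Constructed zone: owner name -> {rrtype: rdata}. No SRV or TLSA RRs exist here.
ZONE = {
    "_https.example.com": {"B": {"target": "svc.example.net",
                                 "alpn": ["h2", "http/1.1"],
                                 "tlsa": "3 1 1 PLACEHOLDER-SPKI-HASH"}},
    "example.com": {"A": ["192.0.2.1"]},
    "svc.example.net": {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
    "legacy.example.org": {"A": ["192.0.2.20"]},
}

@dataclass
class Resolution:
    addresses: list
    alpn: Optional[list] = None   # application protocol taken from the binding
    tlsa: Optional[str] = None    # security bootstrap data, if any was found
    lookups: int = 0              # DNS queries sent
    empty: int = 0                # queries that came back with no data

class Resolver:
    def __init__(self, zone):
        self.zone, self.lookups, self.empty = zone, 0, 0
    def query(self, name, rrtype):
        self.lookups += 1
        rdata = self.zone.get(name, {}).get(rrtype)
        if rdata is None:
            self.empty += 1
        return rdata
    def addresses(self, name):
        return (self.query(name, "A") or []) + (self.query(name, "AAAA") or [])

def resolve_with_binding(host):
    """B-record path: one lookup yields target, ALPN and TLSA; else fall back."""
    r = Resolver(ZONE)
    b = r.query(f"_https.{host}", "B")
    if b is None:  # no binding published: plain A/AAAA, as the message describes
        return Resolution(r.addresses(host), lookups=r.lookups, empty=r.empty)
    return Resolution(r.addresses(b["target"]), b["alpn"], b.get("tlsa"), r.lookups, r.empty)

def resolve_by_hunting(host, port=443):
    """Pre-binding path: probe SRV and TLSA separately, then A/AAAA."""
    r = Resolver(ZONE)
    srv = r.query(f"_https._tcp.{host}", "SRV")
    tlsa = r.query(f"_{port}._tcp.{host}", "TLSA")
    return Resolution(r.addresses(srv["target"] if srv else host), None, tlsa, r.lookups, r.empty)
```

With the constructed zone, the binding path reaches the service in three queries with none wasted, while the hunting path spends four queries, three of them on records that do not exist.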