Re: [TLS] Mirja Kühlewind's No Objection on draft-ietf-tls-dnssec-chain-extension-06: (with COMMENT)
Willem Toorop <willem@nlnetlabs.nl> Thu, 08 February 2018 09:51 UTC
Return-Path: <willem@nlnetlabs.nl>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 220D312D88A; Thu, 8 Feb 2018 01:51:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.01
X-Spam-Level:
X-Spam-Status: No, score=-7.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LTv2ZkhQBYLl; Thu, 8 Feb 2018 01:51:30 -0800 (PST)
Received: from dicht.nlnetlabs.nl (dicht.nlnetlabs.nl [185.49.140.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A79DB1250B8; Thu, 8 Feb 2018 01:51:29 -0800 (PST)
Received: from [IPv6:2a04:b900:0:1:411c:86ef:6e38:d3a6] (unknown [IPv6:2a04:b900:0:1:411c:86ef:6e38:d3a6]) by dicht.nlnetlabs.nl (Postfix) with ESMTPSA id A9BBE8EBE; Thu, 8 Feb 2018 10:51:27 +0100 (CET)
Authentication-Results: dicht.nlnetlabs.nl; dmarc=none header.from=nlnetlabs.nl
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nlnetlabs.nl; s=default; t=1518083487; bh=uvBOKUmlpntVnQ4EK5YFgOU43i0oJFJwYbz8/MunPgE=; h=Subject:To:Cc:References:From:Date:In-Reply-To; b=XYw+y/4bqtKKbQR8/PMizwAZnwZOHO06jf9LfbYugL6UeF9eSEkbhWoIwlw4+Jx+3 6y4MqYX5CZw4WEGPROZ08bIg6nQ6Eup5kclpetZ/QDxZ71CgAscbU3H/7wBrZatmrJ r9hlK+pz2EjW6bEIdt55QAcUZH+GTJiM43GVZJ4c=
To: Shumon Huque <shuque@gmail.com>, Mirja Kühlewind <ietf@kuehlewind.net>
Cc: The IESG <iesg@ietf.org>, draft-ietf-tls-dnssec-chain-extension@ietf.org, Joseph Salowey <joe@salowey.net>, tls-chairs@ietf.org, TLS WG <tls@ietf.org>
References: <151800968634.4877.12510609339415982154.idtracker@ietfa.amsl.com> <CAHPuVdWO1LqNBK_f4xxcgP5PLQGDw1OMJiymf3jWXSDftP07+A@mail.gmail.com>
From: Willem Toorop <willem@nlnetlabs.nl>
Message-ID: <4c90bb83-5ba1-8193-df67-38e25f76caf8@nlnetlabs.nl>
Date: Thu, 08 Feb 2018 10:51:27 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <CAHPuVdWO1LqNBK_f4xxcgP5PLQGDw1OMJiymf3jWXSDftP07+A@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/eEeSLMOnf_uNhd-1I1zaesqtHxo>
Subject: Re: [TLS] Mirja Kühlewind's No Objection on draft-ietf-tls-dnssec-chain-extension-06: (with COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Feb 2018 09:51:33 -0000
Op 08-02-18 om 03:27 schreef Shumon Huque: > On Wed, Feb 7, 2018 at 8:21 AM, Mirja Kühlewind <ietf@kuehlewind.net > <mailto:ietf@kuehlewind.net>> wrote: > > Mirja Kühlewind has entered the following ballot position for > draft-ietf-tls-dnssec-chain-extension-06: No Objection > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Two minor, mostly editorial comments: > > 1) Intro (sec 2): " It also provides the > ability to avoid potential problems with TLS clients being unable to > look up DANE records because of an interfering or broken middlebox on > the path between the client and a DNS server." > Is that actually a well-known problem (can you provide a reference?) > > > Some folks (at Google and NLnet Labs if I recall; maybe others) have done > measurements to show this is an actual problem -- for a relatively small but > still non-trivial fraction of clients. We'll try to see if we can dig up > specific > references to documents that could be cited. I wouldn't call it a relatively small fraction :) DNSSEC is severely hampered for end-entities by broken infrastructure in many different ways. Sometimes an upstream resolver can be used for positive DNSSEC answers (i.e. existing records), but not for non-existent or wildcard answers, because it simply doesn't forward the NSEC(3) proof for it. The last measurements we at NLnet Labs did was in July 2015: Gorjón, Xavier Torrent, and Willem Toorop. "Discovery method for a DNSSEC validating stub resolver." (2015) https://nlnetlabs.nl/pub/os3-2015-rp2-xavier-torrent-gorjon.pdf Measurements were done with RIPE Atlas, with at the time +-8200 probes. At the time only 56% of probes received enough DNSSEC data from their upstreams to be able to perform DNSSEC validation for both positive and non-existent answers (required for DANE). There is a RFC that outlines detection and mitigation techniques on how to deal with this from DNSSEC validation stub resolvers: RFC8027 - DNSSEC Roadblock Avoidance Ultimately such a stub resolver has to be able to fallback to full recursive resolving (i.e. iterating from the root). Although even that might fail... Furthermore, hampered DNS (but not specifically DNSSEC), is the primary motivation for the new DNS over HTTPS draft (and workgroup): https://tools.ietf.org/html/draft-ietf-doh-dns-over-https (DoH might be the ultimate final fallback in DNSSEC Roadblock Avoidance) > > or would > it be enough to say something like this: " It also provides the > ability to avoid potential problems with TLS clients being unable to > look up DANE records when DNS server is not reachable." > > > Your rewording of this sentence would unfortunately not be accurate. > It's usually not the DNS server that is unreachable, but that some middlebox > has done something wrong, such as: not allow DANE queries or responses > through; not allow DNSSEC signatures through; not allow EDNS options > that enable DNSSEC through, or engage in other misbehavior. > > > 2) IANA Considerations should probably be updated. > > > I guess you are suggesting that the last sentence is probably obsolete: > > "If the draft is adopted by the WG, the authors expect to make an > early allocation request as specified in [RFC7120]." > > Agreed. It's a little late for that! :-) > > We will remove it. > > Shumon Huque >
- [TLS] Mirja Kühlewind's No Objection on draft-iet… Mirja Kühlewind
- Re: [TLS] Mirja Kühlewind's No Objection on draft… Shumon Huque
- Re: [TLS] Mirja Kühlewind's No Objection on draft… Willem Toorop
- Re: [TLS] Mirja Kühlewind's No Objection on draft… Shumon Huque
- Re: [TLS] Mirja Kühlewind's No Objection on draft… Kathleen Moriarty
- Re: [TLS] Mirja Kühlewind's No Objection on draft… Martin Thomson
- Re: [TLS] Mirja Kühlewind's No Objection on draft… Shumon Huque
- Re: [TLS] Mirja Kühlewind's No Objection on draft… Kathleen Moriarty
- Re: [TLS] Mirja Kühlewind's No Objection on draft… Viktor Dukhovni
- Re: [TLS] Mirja Kühlewind's No Objection on draft… Shumon Huque
- Re: [TLS] Mirja Kühlewind's No Objection on draft… Kathleen Moriarty
- Re: [TLS] Mirja Kühlewind's No Objection on draft… Shumon Huque
- Re: [TLS] Mirja Kühlewind's No Objection on draft… Kathleen Moriarty
- Re: [TLS] Mirja Kühlewind's No Objection on draft… Viktor Dukhovni
- Re: [TLS] Mirja Kühlewind's No Objection on draft… Shumon Huque