Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-dnssec-chain-extension-06: (with DISCUSS and COMMENT)

Paul Wouters <paul@nohats.ca> Sun, 04 March 2018 03:09 UTC

Date: Sat, 03 Mar 2018 22:09:34 -0500
From: Paul Wouters <paul@nohats.ca>
To: Shumon Huque <shuque@gmail.com>
cc: Nico Williams <nico@cryptonector.com>, Viktor Dukhovni <viktor@dukhovni.org>, tls-chairs <tls-chairs@ietf.org>, draft-ietf-tls-dnssec-chain-extension@ietf.org, The IESG <iesg@ietf.org>, TLS WG <tls@ietf.org>
In-Reply-To: <CAHPuVdUOZ1J+us4QfS+AedMvRzTGBRMGHvu5jpOdYr6mENGKXw@mail.gmail.com>
Message-ID: <alpine.LRH.2.21.1803032202100.15664@bofh.nohats.ca>
References: <CABcZeBOST2X0-MH2hhzpPJaUkbY++udsUV1bMnMhH2V2wQRPmA@mail.gmail.com> <CAHPuVdUs7mUJiqZjFjLDCNmHHGR9AP-g5YaLLbJj-zkDKd=_-w@mail.gmail.com> <alpine.LRH.2.21.1802211425260.7767@bofh.nohats.ca> <CAHPuVdX=_6b5g572-T-9Ccwek-WwL11KdTVwV9oNC9LaO5=0=Q@mail.gmail.com> <alpine.LRH.2.21.1802260913290.9977@bofh.nohats.ca> <70D42B5C-7FF9-49C1-95D4-13FDC611FF96@dukhovni.org> <CAHPuVdU8boBpYO3QutJgawH-54fKD+R9PaaT-5yWE+y2t+BwwA@mail.gmail.com> <CAHPuVdWhEnYxcLUzs-zbnKiN0zj+WO-7_cK2EobS1Gipurk7CQ@mail.gmail.com> <20180227233610.GD8921@localhost> <20180227233854.GE8921@localhost> <20180228200707.GF8921@localhost> <CAHPuVdUOZ1J+us4QfS+AedMvRzTGBRMGHvu5jpOdYr6mENGKXw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ecB5BXNq3eZrAHTrciZ3xBG28bc>
Subject: Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-dnssec-chain-extension-06: (with DISCUSS and COMMENT)

On Thu, 1 Mar 2018, Shumon Huque wrote:

> I do not know if the draft authors and/or WG have an appetite to do the much 
> more major change suggested by Viktor (i.e in-protocol pinning TTL commitment
> and requiring subsequent denial of existence proof if DANE is removed).

I think it is worth discussing in London and/or some people meeting up
to talk about this and bring something to the list/WG.

The original idea of this extension I believe (and one of my reasons
behind writing RFC 7901) was to provide an alternative path for DNS
that couldn't be blocked or broken and that provides DNS answers without
additional latency. To me, that always included proof of non-existence,
as it would come in as the answer to a DNS chain-query via TLS headers
as the transport.

I don't know why this got turned into something that is almost like DNS
but not quite DNS. I think that is a mistake.

The TLS extension should be nothing more (and nothing less) than
stapled DNS suitable for DNS routines.

Paul
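The point of the message above is that a stapled chain should carry ordinary DNS records, including a signed denial-of-existence proof when no TLSA record exists, rather than a TLS-specific encoding. The following added example (not code from this thread, the draft, or any of its implementations) shows what a client-side check for that looks like. It assumes, as the draft does, that the stapled chain is a plain concatenation of uncompressed wire-format RRs; the function and sample names are hypothetical, the RDATA bytes are constructed, and no signature cryptography is performed: it only checks that the answer (a TLSA RRset) or the denial (NSEC/NSEC3 records) is present and that each such RRset has an RRSIG claiming to cover it, which is the structural precondition before DNSSEC validation proper.

```python
import struct

# RR type codes from the IANA DNS parameters registry.
TYPE_TLSA, TYPE_RRSIG, TYPE_NSEC, TYPE_NSEC3 = 52, 46, 47, 50
DENIAL_TYPES = {TYPE_NSEC, TYPE_NSEC3}


def encode_name(name):
    """Uncompressed wire-format owner name (length-prefixed labels, zero terminator)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split(".") if label)
    return out + b"\x00"


def encode_rr(name, rtype, ttl, rdata):
    """One wire-format RR (class IN) as it would appear in a stapled chain."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def decode_name(buf, off):
    """Decode an uncompressed owner name; compression pointers are rejected."""
    labels = []
    while True:
        length = buf[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in a stapled chain")
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", off


def parse_chain(chain):
    """Split a concatenation of wire-format RRs into (owner, type, ttl, rdata) tuples."""
    rrs, off = [], 0
    while off < len(chain):
        owner, off = decode_name(chain, off)
        if off + 10 > len(chain):
            raise ValueError("truncated RR header")
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", chain[off:off + 10])
        off += 10
        rdata = chain[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated RDATA")
        off += rdlen
        rrs.append((owner, rtype, ttl, rdata))
    return rrs


def has_covering_rrsig(rrs, owner, rtype):
    """True if an RRSIG at `owner` claims to cover `rtype` (RRSIG RDATA starts with Type Covered)."""
    return any(o == owner and t == TYPE_RRSIG and struct.unpack("!H", rd[:2])[0] == rtype
               for o, t, _, rd in rrs)


def classify_chain(chain, tlsa_owner):
    """Return "tlsa", "denial", "unsigned" or "no-proof" for a stapled chain.

    Signature bytes are NOT verified here; a real client hands the RRsets to a
    DNSSEC validator after this structural check passes.
    """
    rrs = parse_chain(chain)
    if any(o == tlsa_owner and t == TYPE_TLSA for o, t, _, _ in rrs):
        return "tlsa" if has_covering_rrsig(rrs, tlsa_owner, TYPE_TLSA) else "unsigned"
    denial = [(o, t) for o, t, _, _ in rrs if t in DENIAL_TYPES]
    if denial:
        return "denial" if all(has_covering_rrsig(rrs, o, t) for o, t in denial) else "unsigned"
    return "no-proof"


# Constructed sample data (hypothetical names, fake digests, zero-filled signatures).
OWNER = "_443._tcp.example.com."
TLSA_RDATA = bytes([3, 1, 1]) + bytes(range(32))                  # DANE-EE, SPKI, SHA-256 (fake digest)
RRSIG_TLSA = struct.pack("!H", TYPE_TLSA) + b"\x08\x04" + bytes(16) + bytes(32)
NSEC_RDATA = encode_name("www.example.com.") + b"\x00\x06\x40\x01\x00\x00\x00\x03"  # next owner + type bitmap
RRSIG_NSEC = struct.pack("!H", TYPE_NSEC) + b"\x08\x02" + bytes(16) + bytes(32)

CHAIN_WITH_TLSA = (encode_rr(OWNER, TYPE_TLSA, 3600, TLSA_RDATA)
                   + encode_rr(OWNER, TYPE_RRSIG, 3600, RRSIG_TLSA))
CHAIN_WITH_DENIAL = (encode_rr("example.com.", TYPE_NSEC, 3600, NSEC_RDATA)
                     + encode_rr("example.com.", TYPE_RRSIG, 3600, RRSIG_NSEC))
CHAIN_UNSIGNED = encode_rr(OWNER, TYPE_TLSA, 3600, TLSA_RDATA)

if __name__ == "__main__":
    for label, chain in [("tlsa", CHAIN_WITH_TLSA), ("denial", CHAIN_WITH_DENIAL),
                         ("unsigned", CHAIN_UNSIGNED), ("empty", b"")]:
        print(label, "->", classify_chain(chain, OWNER))
```

Because the chain is just DNS wire format, the same parser serves both the positive answer and the denial proof, which is exactly the property the message argues for: a client with an ordinary DNSSEC validator needs nothing TLS-specific beyond locating the extension.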