Re: [TLS] Adam Roach's Yes on draft-ietf-tls-dnssec-chain-extension-06: (with COMMENT)
Shumon Huque <shuque@gmail.com> Wed, 07 February 2018 04:21 UTC
Return-Path: <shuque@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A76012422F; Tue, 6 Feb 2018 20:21:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IQQ4xbDhQNlV; Tue, 6 Feb 2018 20:21:50 -0800 (PST)
Received: from mail-io0-x22c.google.com (mail-io0-x22c.google.com [IPv6:2607:f8b0:4001:c06::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E79D3120227; Tue, 6 Feb 2018 20:21:49 -0800 (PST)
Received: by mail-io0-x22c.google.com with SMTP id d13so521603iog.5; Tue, 06 Feb 2018 20:21:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=0l+tfcpLm2lQu4otVm7KW7xH6cvwAZ/1oX9XEunj9r4=; b=VPCmDctYVs1GjSYspO7ZO/NtC0td6AN9KjqXesDVEEerrGCcW0GkJPkNm0sptnSKls 8VfgfxXqCTgl7zN281q2I+uplctZzbDucOLhfwwDwOHr40GQcbNIpCMJPsElxTz11Pda gHU7o70as0lAeipCB2dqXvTSmYFxFU1RtFyP2mR6Db8lnxOQ6eUoCKYYkUiWTyQsniyx W2hPr9kUqa2pT2cyQbRCKf/1KcTnot7lSmDms59aNwxOCV6Q1PYNPlWNgnNackz9PSdo tipcAnw94Ips73/iFACK0xEtvT+ufiLXVxTF2A7CsoqoXV8apYSErfyFRSTczpXjOEWY jxEg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=0l+tfcpLm2lQu4otVm7KW7xH6cvwAZ/1oX9XEunj9r4=; b=Q6RRvVZyJrifunBoxUq92QrpxjI+pPja76Kjxi2GnWp5jsaC+qmFloRgDq/m4tx9iW XZ09PrPtWy46eyb6Zh2flZtSOIbmqi8ZNkaHHIjQxAV9/0a5t9Zvk85NHEM6wlTK+jTP taeI1lOax2bRk4JYzCB1McckVNT3OcJRrQypMqz7b1cGbprCJpHSYmqRxn8jJMDF+bMR ZnTRMyPDsvdnne5/27kcRdDxPpbJwa7jtQiStnfjkJDCyWbwVkQ8E4VWGRMfQzBKNXqD 4E0bxLX/rFp82/EMWD3uK94H6voy+p1de2c8JPDhmENeAjnEMB/v4Ce+rDF27X97RUM5 y4MA==
X-Gm-Message-State: APf1xPDPGpNP1WFjs8pwKWQm83YpHsnEsFg9tCJGnoXAcWFpqkJTu+dc fkZsdomgfQTKWUu7EEE8pfnIK6Co+r4k82TnR8s=
X-Google-Smtp-Source: AH8x224rHvT6Z/4oFSrxSKD1FZQmz98QWB1mb7WdSc/dbzQwLcmiq7CHDx5L64zy589CUVMx1XcqVX/1YSevDlBgwa8=
X-Received: by 10.107.53.213 with SMTP id k82mr5645184ioo.170.1517977309198; Tue, 06 Feb 2018 20:21:49 -0800 (PST)
MIME-Version: 1.0
Received: by 10.79.201.198 with HTTP; Tue, 6 Feb 2018 20:21:48 -0800 (PST)
In-Reply-To: <eff8a514-b704-a75b-c8f0-71b8f8d28e93@nostrum.com>
References: <151797357502.25862.16667889525841537162.idtracker@ietfa.amsl.com> <23185062-60CA-4BA6-BAA5-5DDD6279558B@dukhovni.org> <eff8a514-b704-a75b-c8f0-71b8f8d28e93@nostrum.com>
From: Shumon Huque <shuque@gmail.com>
Date: Tue, 06 Feb 2018 23:21:48 -0500
Message-ID: <CAHPuVdV2U-GvnbDdhCzGvzMWJf-NySyK1UP09bV3mpMt-qiGqA@mail.gmail.com>
To: Adam Roach <adam@nostrum.com>
Cc: Viktor Dukhovni <ietf-dane@dukhovni.org>, tls-chairs@ietf.org, draft-ietf-tls-dnssec-chain-extension@ietf.org, The IESG <iesg@ietf.org>, TLS WG <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a1144a1a64abe22056497a20f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/fiKFWDUUd-mYxJmFrBpU7kKOXl8>
Subject: Re: [TLS] Adam Roach's Yes on draft-ietf-tls-dnssec-chain-extension-06: (with COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Feb 2018 04:21:52 -0000
On Tue, Feb 6, 2018 at 10:39 PM, Adam Roach <adam@nostrum.com> wrote: > On 2/6/18 9:28 PM, Viktor Dukhovni wrote: > >> >> On Feb 6, 2018, at 10:19 PM, Adam Roach <adam@nostrum.com> wrote: >>> >>> Unless I missed something important, this scenario doesn't seem to make >>> much >>> sense: if the client provides name A and the server replies with name B, >>> the >>> client either (1) isn't performing server name validation (in which case >>> it is >>> nonsense for the client to ask for a dnssec_chain), or (2) is going to >>> error >>> out the connection. Do I have that right? If there's some situation in >>> which >>> the server acting as described above provides some benefit, I would love >>> to >>> see it described in here. If it's just a matter of having completely >>> described >>> behavior for corner cases, it may be worthwhile indicating that the >>> client >>> will reject the connection if the server decides to complete the >>> handshake >>> like this. >>> >> DANE clients sometimes accept more than one name for the server. This >> happens >> when the server name is obtained indirectly from MX OR SRV records, or as >> the >> result of (DNSSEC-validated) CNAME expansion. >> > > Ah, that's an interesting point. You may want to keep this in mind when > responding to the question put forth by the GEN-ART reviewer. > > So in principle, more than one name might be acceptable to the client. In >> practice however, I don't yet see a mechanism where a client that can't do >> DNSSEC validation on its own would be in a position to do this. >> > > My understanding is that this mechanism isn't just for clients that can't > do their own DNSSEC validation; it's also intended to reduce latency for > interactive applications (web browsers and real-time-communication clients > in particular). > >> >> > Yes, that's true. But if we were to consider the MX/SRV use case, then for this specification to be complete, it would have to consider clients that are unable to validate on their own. This means the dnssec_chain extension would have to provide records that can (also) validate the MX or SRV records, which it doesn't do right now. In early discussions about the scope of this draft, I believe we decided to omit the MX/SRV case to keep things simple. This is why the draft only references RFC 6698 and 7671, and not 7672 and 7673. (Well it mentions 7672 only tangentially to suggest that such clients likely won't need this mechanism). Shumon Huque
- [TLS] Adam Roach's Yes on draft-ietf-tls-dnssec-c… Adam Roach
- Re: [TLS] Adam Roach's Yes on draft-ietf-tls-dnss… Viktor Dukhovni
- Re: [TLS] Adam Roach's Yes on draft-ietf-tls-dnss… Adam Roach
- Re: [TLS] Adam Roach's Yes on draft-ietf-tls-dnss… Shumon Huque
- Re: [TLS] Adam Roach's Yes on draft-ietf-tls-dnss… Shumon Huque