Re: [TLS] draft-shore-tks-dnssec-chains-extension
Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 22 July 2015 17:16 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 307ED1B2BC3 for <tls@ietfa.amsl.com>; Wed, 22 Jul 2015 10:16:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qAsNNXyHkQW7 for <tls@ietfa.amsl.com>; Wed, 22 Jul 2015 10:16:24 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FA861A8711 for <tls@ietf.org>; Wed, 22 Jul 2015 10:16:24 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id AEE7C284B55; Wed, 22 Jul 2015 17:16:22 +0000 (UTC)
Date: Wed, 22 Jul 2015 17:16:22 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20150722171622.GH4347@mournblade.imrryr.org>
References: <alpine.LFD.2.11.1507220736290.2328@bofh.nohats.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <alpine.LFD.2.11.1507220736290.2328@bofh.nohats.ca>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/mxFN0TduF90hkikx__-UbxvhIvs>
Subject: Re: [TLS] draft-shore-tks-dnssec-chains-extension
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jul 2015 17:16:26 -0000
On Wed, Jul 22, 2015 at 07:45:17AM -0400, Paul Wouters wrote: > I think the server should stick to one chain, from the root to itself, > so it does not have to deal with variable chain blobs per client. > That will allow server code to stick to something like hourly > regenerating the blob for use with all clients. >From the root to its own TLSA RRset, however, this can be complicated in the presence of CNAMEs: www.example.com. IN CNAME cdn.example.net. cdn.example.net. IN A 192.0.2.1 _443._tcp.cdn.example.net. IN CNAME _dane.example.net. _dane.example.net. IN TLSA 2 0 1 <trust-anchor-digest> In this example, three leaf RRsets need to be verified back to the root (with notable overlaps in the chains): www.example.com. IN CNAME <RDATA> _443._tcp.cdn.example.net. IN CNAME <RDATA> _dane.example.net. IN TLSA <RDATA> How should these be organized? It seems to me that the immediate answer that gets the client going in the right direction is the first CNAME, which enables to construct the TLSA base domain, and then to follow the second CNAME to the ultimate TLSA RRset. Should everything other than the first CNAME be in additional records? Should all the above (with their RRSIGs) be in the answer section, with the union of the supporting DNSKEY/RRSIG/DS records as additional? I tried to ask a related question during the meeting, but bandwidth to explain the context was limited: Should proofs of non-delegation be included, to keep gTLDs and ccTLDs honest for some future CT for DNS? Specifically, suppose you see: _443._tcp.www.example.com. IN TLSA <rrdata> with an RRSIG from the ".com" zone, should there also be NSEC/NSEC3 records that demonstrate that "example.com" (and www.example.com) are not delegated? (Such records might then be subject to "gossip" or related "transparency" counter-measures). > I do strongly prefer the binary blob to be in raw dns format. That > will make parsing easier with existing code, and over time we will > not run into issues where dns libraries support newer algorithms > but this specific dnssec parsing code isn't updated. I'm not sure what "algorithms" you have in mind? We should perhaps allow (even encourage) "compression" to reduce the payload size, this would require the client to "uncompress" (canonicalize) all the RRs before checking the RRsigs. Once canonicalized, DNSSEC signature checks don't care how the canonical forms of each RRset were constructed, and the wire form (which is not canonical) is not more compatible with new signature algorithms than any other representation. > As for ekr's question on why not stuff this inside X.509, that would not > be compatible with tls raw pulic keys that only contain a SBKI, and drag > back into the protocol more ASN.1 parsing and containers. This really can't go in the certificate, because then certificates would have to be updated as often as RRSIGS are regenerated. That seems exceedingly unlikely to be deployable. -- Viktor.
- [TLS] draft-shore-tks-dnssec-chains-extension Paul Wouters
- Re: [TLS] draft-shore-tks-dnssec-chains-extension Viktor Dukhovni
- Re: [TLS] draft-shore-tks-dnssec-chains-extension Paul Wouters
- Re: [TLS] draft-shore-tks-dnssec-chains-extension Viktor Dukhovni
- Re: [TLS] draft-shore-tks-dnssec-chains-extension Shumon Huque
- Re: [TLS] draft-shore-tks-dnssec-chains-extension Melinda Shore
- Re: [TLS] draft-shore-tks-dnssec-chains-extension Viktor Dukhovni
- Re: [TLS] draft-shore-tks-dnssec-chains-extension Shumon Huque
- Re: [TLS] draft-shore-tks-dnssec-chains-extension Viktor Dukhovni
- Re: [TLS] draft-shore-tks-dnssec-chains-extension Paul Wouters