IETF Logo Mail Archive

Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-dnssec-chain-extension-06: (with DISCUSS and COMMENT)

Paul Wouters <paul@nohats.ca> Wed, 21 February 2018 19:48 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 489F61289B0; Wed, 21 Feb 2018 11:48:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fg-5c7O6P_Mk; Wed, 21 Feb 2018 11:48:15 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1956124BAC; Wed, 21 Feb 2018 11:48:14 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3zmp1l0dL4z38S; Wed, 21 Feb 2018 20:48:11 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1519242491; bh=AZvKubPQrITp5c4ndlw5uhJ4TgMCwkhmG1pDuAeWfqw=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=Qy8HQ8jUR3Ds6BvlkibrgMQRvpa26GHi5fqKq8ATLrOSv4sJuzDp4mDq00jqK4KvO F3Bur1Zk7IiJjJL545oWV4QamboP88aO4Axh75DNP2FHsZnXrgcv91yaylrwiRNutj s8dDk5NnOq6Y5XNQYcG2DkAo83jiLpmIhYGlZi5o=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id qu3DokQRorO5; Wed, 21 Feb 2018 20:48:09 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Wed, 21 Feb 2018 20:48:09 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 45FD5C75; Wed, 21 Feb 2018 14:48:08 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 45FD5C75
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 3A688414535C; Wed, 21 Feb 2018 14:48:08 -0500 (EST)
Date: Wed, 21 Feb 2018 14:48:08 -0500
From: Paul Wouters <paul@nohats.ca>
To: Shumon Huque <shuque@gmail.com>
cc: Eric Rescorla <ekr@rtfm.com>, TLS WG <tls@ietf.org>, draft-ietf-tls-dnssec-chain-extension@ietf.org, The IESG <iesg@ietf.org>, tls-chairs <tls-chairs@ietf.org>
In-Reply-To: <CAHPuVdUs7mUJiqZjFjLDCNmHHGR9AP-g5YaLLbJj-zkDKd=_-w@mail.gmail.com>
Message-ID: <alpine.LRH.2.21.1802211425260.7767@bofh.nohats.ca>
References: <151801408058.4807.6327251050641650375.idtracker@ietfa.amsl.com> <CAHPuVdUgZLUf5M8ir=610mvERwQzPhbhGGOyW5s552JtP8d05g@mail.gmail.com> <CABcZeBOST2X0-MH2hhzpPJaUkbY++udsUV1bMnMhH2V2wQRPmA@mail.gmail.com> <CAHPuVdUs7mUJiqZjFjLDCNmHHGR9AP-g5YaLLbJj-zkDKd=_-w@mail.gmail.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/pjonCjLbh5eweZ-fcKVm1whZagw>
Subject: Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-dnssec-chain-extension-06: (with DISCUSS and COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Feb 2018 19:48:16 -0000

On Wed, 21 Feb 2018, Shumon Huque wrote:

> Okay, got it. For people that have already implemented this, I think
> there has been an implicit understanding that the format of the chain
> data is a sequence of concatenated wire format RRs exactly as they appear
> in a DNS message section

Note, I would not call it "sequence of concatenated wire format RRs", as
it is simply the wireformat of a DNS message. The fact that some parts
are concatenated RR's is just part of the wireformat of the DNS reply
message. That is, this isn't introducing some new form of concatenated
content - it is _just_ a regular DNS wire format message, and the
document should not go deeper into its explanation.

I noticed some discussion about the ordering of this content. I am not
sure why that should be done. DNS doesn't care about the order, and
neither should producers or consumers of this extension. DNS has no
ordering inside its message. In pseudo code, they should simply:

while(not stuck and not empty(RRlist)):
 	stuck = True
 	for each RR in RRlist:
 		if validated_with_cache(RR):
 			add_to_cache(RR)
 			remove_from_RRlist(RR)
 			stuck = False

And then the order of RRs doesn't matter.


I don't think getting unrelated DNSSEC records would be an issue. TLS
has its maximum sizes for the handshake. In fact, it could allow the
extension to have some useful data in the case of MX or SRV.  (and could
be a feature to build a nice resolver over TLS using 1 tor circuit)

I'm also not sure about the talking of unsigned CNAME records from
DNAME. The above pseudo code (extended with special cases) should be
in some DNS library, and that library will know what records to expect
unsigned which are proven by the DNAME (or wildcard) synthesis and knows
when/if to add it to the validated cache. I don't think that should be
explained in this RFC at all. The DNS implementation does not need
to be specified in this document and it should just focus on saying
that "the DNS message response is validated and upon validation the
content can be considered DANE validated".

Paul

v2.23.0 | Report a Bug | By Email