Re: [TLS] Proposed text for dnsssec chain extension draft
Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 26 April 2018 15:53 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48EFB126D45 for <tls@ietfa.amsl.com>; Thu, 26 Apr 2018 08:53:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0bu9qTFedo0g for <tls@ietfa.amsl.com>; Thu, 26 Apr 2018 08:53:31 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [108.5.242.66]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 421AF124205 for <tls@ietf.org>; Thu, 26 Apr 2018 08:53:31 -0700 (PDT)
Received: from [192.168.1.161] (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mournblade.imrryr.org (Postfix) with ESMTPSA id 816F17A3309 for <tls@ietf.org>; Thu, 26 Apr 2018 15:53:30 +0000 (UTC) (envelope-from ietf-dane@dukhovni.org)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <CAL02cgREhrRUgPO97zuMhdWpSOisXDenMXmxebEL28VactYY8g@mail.gmail.com>
Date: Thu, 26 Apr 2018 11:53:29 -0400
Content-Transfer-Encoding: quoted-printable
Reply-To: TLS WG <tls@ietf.org>
Message-Id: <7E825613-AB1B-42BC-A3E9-13AFE9604347@dukhovni.org>
References: <1D2EB7F1-B796-4459-93C2-443A7104F33A@dukhovni.org> <CABcZeBPNwBKqVLmNR=KqrxhwbxJZPs_-oK26XbK8oq1yRaS8eg@mail.gmail.com> <1EA85624-3A19-4EA3-9A2E-D1DE19414F8C@dukhovni.org> <CABcZeBOauDUGqTz6TCHemonWKEx91NtQmTw8cOfyU1D51+RODQ@mail.gmail.com> <20180426152206.GM25259@localhost> <CAL02cgREhrRUgPO97zuMhdWpSOisXDenMXmxebEL28VactYY8g@mail.gmail.com>
To: TLS WG <tls@ietf.org>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/t-tPrOa5gV5RoqzPI21WvUmO96s>
Subject: Re: [TLS] Proposed text for dnsssec chain extension draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Apr 2018 15:53:33 -0000
> On Apr 26, 2018, at 11:41 AM, Richard Barnes <rlb@ipv.sx> wrote: > > Until my DNSSEC signing infra breaks, the signatures expire, and now my server is bricked. If that happens, you're bricked anyway, the 1.1.1.1, 8.8.8.8, 9.9.9.9, 64.6.64.6, ... resolvers all validate and are used by a broad and rapidly growing set of users. Sites that consider DNSSEC too risky, won't deploy DNSSEC and then of course won't deploy this extension. That said, the explicit lifetime field also in part addresses your concerns about recovery from operational errors. Set it to zero or a small number (of hours, units deliberately left out of proposed changes to this draft to make sure non-zero values are unspecified). Of course given evermore sophisticated BGP attacks: https://blog.cloudflare.com/bgp-leaks-and-crypto-currencies/ you might actually want to consider DNSSEC, implement it properly and monitor, and the bricking won't happen. -- -- Viktor.
- [TLS] Proposed text for dnsssec chain extension d… Viktor Dukhovni
- Re: [TLS] Proposed text for dnsssec chain extensi… Melinda Shore
- Re: [TLS] Proposed text for dnsssec chain extensi… Willem Toorop
- Re: [TLS] Proposed text for dnsssec chain extensi… Willem Toorop
- Re: [TLS] Proposed text for dnsssec chain extensi… Nico Williams
- Re: [TLS] Proposed text for dnsssec chain extensi… Viktor Dukhovni
- Re: [TLS] Proposed text for dnsssec chain extensi… Joseph Salowey
- Re: [TLS] Proposed text for dnsssec chain extensi… Nico Williams
- Re: [TLS] Proposed text for dnsssec chain extensi… Nico Williams
- Re: [TLS] Proposed text for dnsssec chain extensi… Joseph Salowey
- Re: [TLS] Proposed text for dnsssec chain extensi… Viktor Dukhovni
- Re: [TLS] Proposed text for dnsssec chain extensi… Nico Williams
- Re: [TLS] Proposed text for dnsssec chain extensi… Viktor Dukhovni
- Re: [TLS] Proposed text for dnsssec chain extensi… Eric Rescorla
- Re: [TLS] Proposed text for dnsssec chain extensi… Viktor Dukhovni
- Re: [TLS] Proposed text for dnsssec chain extensi… Eric Rescorla
- Re: [TLS] Proposed text for dnsssec chain extensi… Viktor Dukhovni
- Re: [TLS] Proposed text for dnsssec chain extensi… Eric Rescorla
- Re: [TLS] Proposed text for dnsssec chain extensi… Nico Williams
- Re: [TLS] Proposed text for dnsssec chain extensi… Richard Barnes
- Re: [TLS] Proposed text for dnsssec chain extensi… Nico Williams
- Re: [TLS] Proposed text for dnsssec chain extensi… Paul Wouters
- Re: [TLS] Proposed text for dnsssec chain extensi… Richard Barnes
- Re: [TLS] Proposed text for dnsssec chain extensi… Eric Rescorla
- Re: [TLS] Proposed text for dnsssec chain extensi… Viktor Dukhovni
- Re: [TLS] Proposed text for dnsssec chain extensi… Nico Williams
- Re: [TLS] Proposed text for dnsssec chain extensi… Nico Williams
- Re: [TLS] Proposed text for dnsssec chain extensi… Nico Williams
- Re: [TLS] Proposed text for dnsssec chain extensi… Viktor Dukhovni