Re: [TLS] Proposed text for dnsssec chain extension draft

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 26 April 2018 15:53 UTC

From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <CAL02cgREhrRUgPO97zuMhdWpSOisXDenMXmxebEL28VactYY8g@mail.gmail.com>
Date: Thu, 26 Apr 2018 11:53:29 -0400
Reply-To: TLS WG <tls@ietf.org>
Message-Id: <7E825613-AB1B-42BC-A3E9-13AFE9604347@dukhovni.org>
To: TLS WG <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/t-tPrOa5gV5RoqzPI21WvUmO96s>
Subject: Re: [TLS] Proposed text for dnsssec chain extension draft


> On Apr 26, 2018, at 11:41 AM, Richard Barnes <rlb@ipv.sx> wrote:
> 
> Until my DNSSEC signing infra breaks, the signatures expire, and now my server is bricked.

If that happens, you're bricked anyway: the 1.1.1.1, 8.8.8.8, 9.9.9.9,
64.6.64.6, ... resolvers all validate and are used by a broad and
rapidly growing set of users.

Sites that consider DNSSEC too risky won't deploy DNSSEC and then of
course won't deploy this extension.

That said, the explicit lifetime field also in part addresses your
concerns about recovery from operational errors.  Set it to zero or
a small number (of hours, units deliberately left out of proposed
changes to this draft to make sure non-zero values are unspecified).

Of course given evermore sophisticated BGP attacks:

  https://blog.cloudflare.com/bgp-leaks-and-crypto-currencies/

you might actually want to consider DNSSEC, implement it properly
and monitor, and the bricking won't happen.

-- 
	Viktor.
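A small model of the pin-lifetime recovery behaviour discussed above, added here as an illustration and not code from the thread or the draft; it assumes the lifetime is expressed in hours (the mail notes units are deliberately unspecified) and that a zero lifetime clears any existing pin, and the names `PinStore` and `handshake_decision` are hypothetical.

```python
"""Client-side model of an extension-support pin with an explicit lifetime.

Assumed semantics (not taken from the draft text itself): when a server
sends the extension with a non-zero lifetime, the client pins "this host
must keep sending the extension" until the lifetime elapses; a lifetime
of zero removes any pin.  A pinned client that later sees no extension
aborts the handshake, which is the "bricked" case; once the pin lapses
it falls back to ordinary PKIX validation and recovery is automatic.
"""

HOURS = 3600  # assumed unit: hours, as suggested in the mail


class PinStore:
    def __init__(self):
        # host -> absolute expiry time (seconds); absent means no pin
        self._pins = {}

    def observe(self, host, lifetime_hours, now):
        """Record the lifetime carried in a received extension."""
        if lifetime_hours == 0:
            # Zero lifetime: operator chose no pinning, drop any old pin.
            self._pins.pop(host, None)
        else:
            self._pins[host] = now + lifetime_hours * HOURS

    def requires_extension(self, host, now):
        """True only while an unexpired pin exists for this host."""
        expiry = self._pins.get(host)
        if expiry is None:
            return False
        if now >= expiry:
            # The recovery window has passed: forget the pin.
            del self._pins[host]
            return False
        return True


def handshake_decision(store, host, extension_present, now):
    """Return 'accept' or 'abort' for a handshake without chain data."""
    if extension_present:
        return "accept"
    if store.requires_extension(host, now):
        return "abort"  # pinned and server stopped sending: bricked
    return "accept"  # no live pin: plain PKIX path
```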