Re: [TLS] WGLC: draft-ietf-tls-dnssec-chain-extension-04

Shumon Huque <shuque@gmail.com> Tue, 04 July 2017 15:33 UTC

Return-Path: <shuque@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0726E13195E for <tls@ietfa.amsl.com>; Tue, 4 Jul 2017 08:33:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lRzURWTf94Oc for <tls@ietfa.amsl.com>; Tue, 4 Jul 2017 08:33:48 -0700 (PDT)
Received: from mail-ua0-x236.google.com (mail-ua0-x236.google.com [IPv6:2607:f8b0:400c:c08::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96CA01320D0 for <tls@ietf.org>; Tue, 4 Jul 2017 08:33:46 -0700 (PDT)
Received: by mail-ua0-x236.google.com with SMTP id g40so128745682uaa.3 for <tls@ietf.org>; Tue, 04 Jul 2017 08:33:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=etKlyZUIgwPCW78oK686D1fg6yCHzuZ+yaZhBwgAv3M=; b=c9viecMrp0Vz7b1jSyoimKuV13yzaHjmsK+TRZtQB55FcHLxCopFPlAW1Zf0oFe8ri oZO8W9z+zraG5jSy5p6PNwvW6FjFv6aM+lYlExENbamibjXM25bWILhFXpIa8bDP+ewX fTu1VVswaFQ2d1ZORTQ9XH07DSszxZ+yhdmiHvC+k8uGUM3AQ1qgt397z/mr8r25o7be agkLN4M01lEuTqkG4dlzGd2whUjwSRkeo+YM8HiH6EGnBfqCreRO5D6aX7epSsbameAY S/pgeaio7tGSNLOJKOIpxHKEAgg7f2/pCvNohKSD0TXBzER+K7q7LpyizuWDqUC8XGR7 jDyQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=etKlyZUIgwPCW78oK686D1fg6yCHzuZ+yaZhBwgAv3M=; b=fjP/sJ92hxYoZUY6OaPQTXQqixh8AstRO1u1TUBt1OtDVSimCcwjIAnTQiv7SwbnXe Zm5WqcxRkuGVG6RiOHXZLjDumJZ/jqPgnRK1jGDOmI9/Aze8LLfURFswoU2JLBJOEhA4 ZTBo8pCpO2zIL5eBAPF6x3HFJQO6jq7goLAwgS1OcszvgnoTNkAngeajmFVmXbg6Od51 +y2eEu1/FgkkusNFr14/6hYJKhv6tweWpd1VaoC/gTzWALJPb+tOQkSdWCAqpzpDq9DH ZZgOX9Y2sT0uBrBR/h/MWmfWZgpzVShyHcF+fVbznsI1uvZ/og/k7AzDwiEpvhEtPDEC 6pbw==
X-Gm-Message-State: AKS2vOzZjfPZprAbTGt+EuBrrU791di7RCN7QW+/aKb6JlFlmy/stfqJ Oln1cdHPNFZhPb+Igp0miXuc12DlbA==
X-Received: by 10.159.40.200 with SMTP id d66mr23194379uad.48.1499182425642; Tue, 04 Jul 2017 08:33:45 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.176.79.231 with HTTP; Tue, 4 Jul 2017 08:33:45 -0700 (PDT)
In-Reply-To: <20170702140308.6amd5ds3qqt3ju5m@LK-Perkele-VII>
References: <CAOgPGoAcuFF5v8f5LWpYQtgE8WygA+n1fsg0AeVFJX1=cADUgw@mail.gmail.com> <20170702140308.6amd5ds3qqt3ju5m@LK-Perkele-VII>
From: Shumon Huque <shuque@gmail.com>
Date: Tue, 4 Jul 2017 11:33:45 -0400
Message-ID: <CAHPuVdWHaEjMQtjdRCS4cLVZW7iJ_urAcaE3DnWgWrwzC8d2Vw@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: TLS WG <tls@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c122bdcef19f305537f9b8a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/tekrzfKwT7uLBy0sNTE_85Hhdck>
Subject: Re: [TLS] WGLC: draft-ietf-tls-dnssec-chain-extension-04
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jul 2017 15:33:52 -0000

On Sun, Jul 2, 2017 at 10:03 AM, Ilari Liusvaara <ilariliusvaara@welho.com>;
wrote:

> On Wed, Jun 28, 2017 at 02:15:45PM -0700, Joseph Salowey wrote:
> > This is the working group last call for
> > draft-ietf-tls-dnssec-chain-extension-04.
> > Please send you comments to the list by July 12, 2017.
>
> Some comments:
>
> 1) Section 3.2.  Protocol, TLS 1.3:
>
> > The authentication chain will be an extension to the certificate_list
> > to which the certificate being authenticated  belongs.
>
> Extension blocks are per-certificate. I presume the extension goes to
> the extension block of EE certificate?
>

Yes, in fact the previous sentence to the one you quoted did say this more
or less: " ... return a serialized authentication chain in the Certificate
message associated with the end entity certificate being validated ". I
would propose rewording that a bit and removing the last quoted sentence
entirely:

   Servers receiving a "dnssec_chain" extension in the ClientHello, and
   which are capable of being authenticated via DANE, SHOULD return a
   serialized authentication chain in the extension block of the
Certificate
   message containing the end entity certificate being validated, using the
   format described below.


> 2) Section 3.2.  Protocol, TLS 1.3:
>
> I think if one refers to TLS 1.2 section, one should just call out the
> differences (i.e., where the server extension goes), and not duplicate
> parts of TLS 1.2 processing.
>

I agree.

3) Section 3.4.  DNSSEC Authentication Chain Data:
>
> > The resource records SHOULD be presented in the canonical form and
> > ordering as described in RFC 4034 [RFC4034].
>
> What is the expected _receiver_ (i.e., client) behavior? Is the client
> supposed to run a canonicalization and sorting pass on the records?


> If the client does not do this, and the server sends noncanonical or
> unsorted RRset, the validation is going to fail.
>

Since the ordering is a SHOULD on the server side, the client has to check
and perform canonical re-ordering if necessary anyway, before computing and
validating the signature. If this were a MUST, a stronger case could be
made that this recommendation saves the client some work.

Personally, I would be fine with taking out the recommendation for the
server to canonically order the records. DNSSEC validators (the client end)
are required to reconstruct the canonical form and ordering of the RRset
(see RFC 4035, Section 5.3) before validation, so unless there is a
compelling rationale for deviating from this, we shouldn't.

Section 6 ("Verification") essentially says to do validation according to
RFC 4035, which covers all of this, and we were planning on leaving it at
that -- rather than replicating text that just restates DNSSEC validation
logic that is normatively defined elsewhere.

(Perhaps RFC 5155 should also be mentioned now that this spec accommodates
negative proofs associated with wildcards and thus has to deal with NSEC3).


> 4) Section 3.4.  DNSSEC Authentication Chain Data:
>
> > Each RRset in the sequence is followed by its associated RRsig
> > record.  The RRsig record is in DNS wire format as described in RFC
> > 4034 [RFC4034], Section 3.1.  The signature portion of the RDATA, as
> > described in the same section, is the following:
>
> This seems to imply that all RRs that make RRSet need to be adjacent in
> the serialization. However, I don't see this explicitly stated
> anywhere.
>

Yes, we can state that more explicitly.


>
> Also, 'RRsig record' or 'RRsig records'? IIRC, if ZSK is being rolled
> (and for DNSKEY, if KSK is being rolled), there will be two RRsig
> records for one RRtype.
>

Good catch. RRsig records (or maybe RRsig RRset).

I think we say "DNSKEY RRsets" throughout, so that covers additional
keys/rollovers etc.



> 5) Section 3.4.  DNSSEC Authentication Chain Data:
>
> > The first RRset in the chain MUST contain the TLSA record set being
> > presented.  However, if the owner name of the TLSA record set is an
> > alias (CNAME or DNAME), then it MUST be preceded by the chain of
> > alias records needed to resolve it.
>
> Is there a requirement to order the aliases in order those aliases are
> followed?
>

Strictly speaking, DNS protocol specs don't require it. In practice, some
DNS clients balk or fail if they are presented aliases out of order. So
almost all DNS responders order aliases. This is a green field application
though, so we don't need to impose such a requirement, but I'm also okay
with stating that the aliases are ordered.


> 6) Section 3.4.  DNSSEC Authentication Chain Data:
>
> > The final DNSKEY RRset in the authentication chain corresponds to the
> > trust anchor (typically the DNS root).  This trust anchor is also
> > preconfigured in the TLS client, but including it in the response
> > from the server permits TLS clients to use the automated trust anchor
> > rollover mechanism defined in RFC 5011 [RFC5011] to update their
> > configured trust anchor.
>
> I think this is wrong. The final DNSKEY RRSet does contain the the
> preconfigured root key. However, it also contains other keys that
> are used to sign the DS records.
>

Ok, yes, the rationale provided for including the trust anchor DNSKEY RRset
is incomplete. As you say, it is also needed to authenticate the ZSKs which
sign delegations. We'll update this text.


> The client needs those keys in order to validate the chain, and those
> keys are rotated every few months for root, instead of every N years.
>

Correct, and that's why the entire DNSKEY RRset is always delivered.


> Furthermore, frequently the trust anchor is provisioned as a fake DS
> record for the root. Validating with such anchor requires sending the
> root DNSKEY.
>

Also true, and hence the entire DNSKEY RRset is always delivered.


> Real-world zone data (omitted the cryptographic line noise, and added
> some hilights):
>
> $ dig +dnssec -t DNSKEY .
>

[ stuff omitted ]

7) Section 4.  Construction of Serialized Authentication Chains
>
> > The transport is "tcp" for TLS servers, and "udp" for DTLS servers.
> > The port number label is the left-most label, followed by the
> > transport, followed by the base domain name.
>
> So if this would be used with IETF-QUIC, the labels would be
> _443._tcp, which is the same as one used by HTTPS, right?
>

I hadn't yet thought of this use case, but wouldn't it be _443._udp since
QUIC runs over UDP? Perhaps a server operator that supports both TLS and
QUIC, wants to have separate server credentials for each. And if not, they
could alias one of the TLSA records to the other.

-- 
Shumon Huque