Re: [TLS] Dnsdir early review of draft-ietf-tls-svcb-ech-01

Ted Lemon <mellon@fugue.com> Fri, 29 March 2024 22:11 UTC

References: <171174253501.29384.9373864670898234756@ietfa.amsl.com> <CAChr6SwCKV4P_xab_3dKSwKDfPdxjz3WinQaWebMcXh8-_xy0g@mail.gmail.com>
In-Reply-To: <CAChr6SwCKV4P_xab_3dKSwKDfPdxjz3WinQaWebMcXh8-_xy0g@mail.gmail.com>
From: Ted Lemon <mellon@fugue.com>
Date: Fri, 29 Mar 2024 18:10:20 -0400
Message-ID: <CAPt1N1knx=+K627L6rsf4nGuiwpSXjWoMB4QcMfwhJdaGKypUw@mail.gmail.com>
To: Rob Sayre <sayrer@gmail.com>
Cc: dnsdir@ietf.org, draft-ietf-tls-svcb-ech.all@ietf.org, tls@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/v3syb9t9De8bjoaGy95y3Oxed20>

It looks like if you can't get the SVCB you're going to fail insecure, so
being able to use DNSSEC to prevent that for signed domains seems
worthwhile.

On Fri, Mar 29, 2024 at 4:41 PM Rob Sayre <sayrer@gmail.com> wrote:

> On Fri, Mar 29, 2024 at 1:02 PM Ted Lemon via Datatracker <
> noreply@ietf.org> wrote:
>
>>
>> I don't think it's reasonable to specify the privacy properties of SVCB
>> and
>> /not/ talk about DNSSEC validation.
>>
>
> Could you explain more about this part? I think DNSSEC doesn't add much
> here, unless you want to accept non-ECH traffic. For example, many of the
> test servers will bounce you to some other site if you don't send ECH or
> screw it up in some way (speaking as someone who has screwed it up many
> times...).
>
> I think there might be a DoS attack here, where someone messes with the
> response, but they can also turn off the DNSSEC bit unless it's DoT/DoH/DoQ
> etc. So, if using those, it's just the trustworthiness of the DNS server
> itself, right? Sorry if I'm missing something.
>
> thanks,
> Rob
>
>
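As an added example, not taken from this thread or from draft-ietf-tls-svcb-ech: a small Python model of the client decision the two messages above are arguing about. It runs two client policies over four constructed resolver outcomes: a client that validates DNSSEC itself (or reaches a validating resolver over DoT/DoH/DoQ, so the answer cannot be rewritten in transit) and a stub that simply trusts the AD bit it sees on plaintext Do53. The record shape, the use of `ech` as a dict key standing in for the SvcParam, the `Validation` states and the two policies are simplifications chosen for illustration, not the draft's specified behaviour.

```python
"""Toy model: does a client end up sending ECH, given what its HTTPS/SVCB
lookup returned and how much it can trust that answer?

Added illustration for the thread above; not code from the draft.
"""
from dataclasses import dataclass
from enum import Enum


class Validation(Enum):
    SECURE = "secure"      # RRset, or its denial of existence, validated by DNSSEC
    INSECURE = "insecure"  # zone proven unsigned (validated NSEC/NSEC3 over the DS)
    BOGUS = "bogus"        # zone is signed but this answer failed validation


@dataclass(frozen=True)
class HttpsAnswer:
    # Simplified HTTPS RRset: one dict of SvcParams per record; () means NODATA.
    records: tuple
    validation: Validation  # what a local validator would conclude (assumption)
    ad: bool                # the AD bit as seen on the wire by a non-validating stub


@dataclass(frozen=True)
class Decision:
    connect: bool
    ech: bool
    reason: str


def has_ech(answer):
    return any("ech" in r for r in answer.records)


def decide_local_validator(answer):
    """Client that validates DNSSEC itself, or talks to a validating resolver
    over an authenticated transport so the answer cannot be altered en route."""
    if answer.validation is Validation.BOGUS:
        # Signed zone, answer does not validate: treat as a failed lookup and
        # do NOT fall back to a cleartext-SNI connection.
        return Decision(False, False, "signed zone, answer failed validation: no fallback")
    if has_ech(answer):
        return Decision(True, True, "ECH config present")
    if answer.validation is Validation.SECURE:
        return Decision(True, False, "validated denial: this name publishes no ECH config")
    # Unsigned zone: a stripped record and a missing one look identical.
    return Decision(True, False, "unsigned zone: cannot distinguish stripped from absent")


def decide_ad_bit_client(answer):
    """Stub over plaintext Do53 that trusts the resolver's AD bit. An on-path
    attacker can both drop the RRset and clear AD in the same forged reply."""
    if has_ech(answer):
        return Decision(True, True, "ECH config present")
    if answer.ad:
        return Decision(True, False, "resolver asserts AD: no ECH config at this name")
    return Decision(True, False, "AD clear: cannot tell unsigned from tampered, fall back")


# Constructed scenarios (placeholder ECH config bytes, not a real ECHConfigList).
SCENARIOS = {
    "honest_signed_ech": HttpsAnswer(({"alpn": "h2", "ech": "AEX...placeholder"},),
                                     Validation.SECURE, ad=True),
    "honest_signed_no_ech": HttpsAnswer((), Validation.SECURE, ad=True),
    "stripped_signed": HttpsAnswer((), Validation.BOGUS, ad=False),     # attacker forged NODATA
    "stripped_unsigned": HttpsAnswer((), Validation.INSECURE, ad=False),
}


def run_all():
    """Return {scenario: (local_validator_decision, ad_bit_client_decision)}."""
    return {name: (decide_local_validator(a), decide_ad_bit_client(a))
            for name, a in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (local, stub) in run_all().items():
        print(f"{name:22} validator: connect={local.connect} ech={local.ech} ({local.reason})")
        print(f"{'':22} AD-stub:   connect={stub.connect} ech={stub.ech} ({stub.reason})")
```

The `stripped_signed` row is the case both messages are about: the AD-trusting stub connects without ECH (the fail-insecure outcome), while the validating client refuses rather than falling back. The `stripped_unsigned` row shows the limit Ted states, that DNSSEC only helps for signed domains, and the `honest_signed_no_ech` row shows why a validated denial of existence matters: it is the only way a client can know that "no ECH config" is the zone's real answer.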