Re: [Uta] "webby" STS and DANE/DNSSEC co-existence
Daniel Margolis <dmargolis@google.com> Wed, 13 April 2016 07:48 UTC
Return-Path: <dmargolis@google.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB9E312DFEA for <uta@ietfa.amsl.com>; Wed, 13 Apr 2016 00:48:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.696
X-Spam-Level:
X-Spam-Status: No, score=-3.696 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BgRfTVvQsi4g for <uta@ietfa.amsl.com>; Wed, 13 Apr 2016 00:48:18 -0700 (PDT)
Received: from mail-io0-x233.google.com (mail-io0-x233.google.com [IPv6:2607:f8b0:4001:c06::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A01BF12DFCD for <uta@ietf.org>; Wed, 13 Apr 2016 00:48:14 -0700 (PDT)
Received: by mail-io0-x233.google.com with SMTP id o126so60207601iod.0 for <uta@ietf.org>; Wed, 13 Apr 2016 00:48:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to; bh=o4Nvx7ioVlsak4v31ighfmeTxOybkczTOZnUiK/xeKM=; b=JP0eiTDnnVWlPqpqThDeCUWa8G8WK/LJ3Wgo/YflzTFpTC3pTWjfWb5gd1nKlY3ZMk Bm0f7FjXqVntAmBQHB08b1iaCeBqqCxibHu53btTdOeZsau3llyqey0r8Kf9dNXGFyiF 8dLv6bCQC0aochfn1dDCCMVsGdUoafaMIdUgPjuKvtI0Gm9sJUw1vxTZ/8SDNyIrjeoE D8RHEaBG4CyND2WkCSjnYp8qbBq4gOLV4AmvruVrDGJQPT43Bx0akfFINI0LMvqFUeb4 qtcuQZM8+ZHxXK4oga0N6hmuCPJsbD2wRui646VIXofO0/Q56rJ8v60FkwOgybX4NvP7 FMfQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to; bh=o4Nvx7ioVlsak4v31ighfmeTxOybkczTOZnUiK/xeKM=; b=kvm7X7Eotu8xRQ5eaOF2aQ69bAtjKkSgVnFUYugSQEyc21t/OCydpqdt+yHJ2xW33Z xp8ECqWjN1wOMdM6IHR6WGejdLm24fTNm8XUPQ/IZ2dzPeXdXL9y9yNQv2VLH/If2ieq HdfDYbbdKG1O3SdP50PqrlWvWjszCPD4x9lhC0VVWrZZ5bZ5BUe0zAY7eLH9FCH+DG2u XSCBBwEuQZa+fAqRqBRqewlN0D0XNtwf197wad4S8frGQggFyAOooTliwHbOMhgn7rac 6PjmeeA6QDRvHBhlMdT56GgzR+eI33oekhT33aeHMGHaWmwsO4ENfJ9zYNdNQdF+S1ar iJAw==
X-Gm-Message-State: AOPr4FX70sjTp5MXGTH00p8KgIX1Ap3PIpFTo6IeI69Uog2jfkGlNq1EP7cUPTXjJxc0cNJ09a3SW4FnL+SsH9Jy
MIME-Version: 1.0
X-Received: by 10.107.161.140 with SMTP id k134mr8881962ioe.190.1460533693806; Wed, 13 Apr 2016 00:48:13 -0700 (PDT)
Received: by 10.64.91.226 with HTTP; Wed, 13 Apr 2016 00:48:13 -0700 (PDT)
In-Reply-To: <20160413014304.GB26423@mournblade.imrryr.org>
References: <570C0CD2.9030401@cs.tcd.ie> <20160411212128.GA26423@mournblade.imrryr.org> <CANtKdUekXNkVvsfq0UjCiaaPVBgoVGfrfnYUrdoOf0EegXMuPg@mail.gmail.com> <20160413014304.GB26423@mournblade.imrryr.org>
Date: Wed, 13 Apr 2016 09:48:13 +0200
Message-ID: <CANtKdUf0kN5aOmX0-NsyQXz_+PRGfaXa37DFZoCX3FqdYh5CpA@mail.gmail.com>
From: Daniel Margolis <dmargolis@google.com>
To: uta@ietf.org
Content-Type: multipart/alternative; boundary="001a1140fff001069a05305900f4"
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/LLsTjPJ2LFIzcMljkeBSmz5X_50>
Subject: Re: [Uta] "webby" STS and DANE/DNSSEC co-existence
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Apr 2016 07:48:20 -0000
What's the complexity you're worried about? Is it mainly that there's another switch to flip incorrectly (i.e. inadvertent misconfiguration, at a greater risk due to the presence of more configurations) or the risk of malicious DoS? I think Stephen laid out the trade-offs fairly well. I can see the argument for telling recipients that if they already publish a DANE record they're probably fine and shouldn't really need an STS policy as well. But a "must" seems less helpful to me here; senders who have some external limitation that prevents them from implementing DNSSEC then must not implement STS? I'd be worried that some larger deployments might have trouble with that. On Wed, Apr 13, 2016 at 3:43 AM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote: > On Tue, Apr 12, 2016 at 06:52:31PM +0200, Daniel Margolis wrote: > > > I'm not sure if I'm being stupid here, but what does it mean for STS to > be > > "trumped" by DANE (or the reverse)? Do you mean that if the recipient > > domain/MX has both STS and DANE you will *only* validate the DANE policy? > > Correct. Trying to enforce both is too complex, and needlessly > increases the risk of delivery problems. > > > If we instead said that senders who validate STS must honor STS and > senders > > who validate DANE must honor DANE, is there a conflict? > > That language is either tautological, or unreasonable, if intended > to imply that systems capable of both must be willing to apply both > concurrently. > > > I would presume that if there is either a DANE failure or an STS failure > > senders who validate both will treat it as a failure. Introducing a > concept > > of priority strikes me as unnecessary. What am I missing? > > I have no plans to support concurrent evaluation of potentially > conflicting policies. DANE is more robust than STS, given a DANE > policy I see no reason to also consider STS policy. > > Of course an administrator will be able to choose which policy > applies to a given nexthop, but not enforcement of both. > > -- > Viktor. > > _______________________________________________ > Uta mailing list > Uta@ietf.org > https://www.ietf.org/mailman/listinfo/uta >
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Jim Fenton
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Viktor Dukhovni
- [Uta] "webby" STS and DANE/DNSSEC co-existence Stephen Farrell
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Mark Risher
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Neil Cook
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Daniel Margolis
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Viktor Dukhovni
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Daniel Margolis
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Aaron Zauner
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Neil Cook
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Daniel Margolis
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Neil Cook
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Daniel Margolis
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Neil Cook
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Chris Newman
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Viktor Dukhovni
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Viktor Dukhovni
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Binu Ramakrishnan
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Viktor Dukhovni
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Viktor Dukhovni
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Daniel Margolis
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Aaron Zauner
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Aaron Zauner
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Jim Fenton
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Aaron Zauner
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Aaron Zauner
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Eric Rescorla
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Jim Fenton
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Chris Newman
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Jim Fenton
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Viktor Dukhovni
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Chris Newman
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence =JeffH
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Stephen Farrell
- Re: [Uta] "webby" STS and DANE/DNSSEC co-existence Leif Johansson