IETF Logo Mail Archive

[Uta] Re: Seeking Input on Secure Service Delegation

Michel Le Bihan <michel@lebihan.pl> Mon, 08 September 2025 13:57 UTC

Return-Path: <michel@lebihan.pl>
X-Original-To: uta@mail2.ietf.org
Delivered-To: uta@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 6FA215F48AF9 for <uta@mail2.ietf.org>; Mon, 8 Sep 2025 06:57:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=lebihan.pl
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6RRzQe5MeDjp for <uta@mail2.ietf.org>; Mon, 8 Sep 2025 06:57:51 -0700 (PDT)
Received: from lebihan.pl (lebihan.pl [146.59.80.63]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 0BF635F48A2E for <uta@ietf.org>; Mon, 8 Sep 2025 06:56:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=lebihan.pl; s=mail; t=1757339813; bh=O00AbjW/D7qSyR9SDxIp26v9JPUdcaA64mMaynwh5nU=; h=Date:Subject:To:References:From:In-Reply-To:From; b=NHgK4QbmNwKUWvFMm1XFi1+QMgIsowY9oK35JikQ6VuxRX9qIqHq4KaauHkjyChEs a6/Pp+VFoFep9tlYWuAxnGlhkGEGyGsTf9JdrT3Aayc8Umry944s8VS2hsZCyDl8v1 +HkjIdLNhVCtvGyf5mam/MwWEY3jEpbt3zOvlCbA=
Received: from [192.168.0.120] (83.9.144.111.ipv4.supernova.orange.pl [83.9.144.111]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by lebihan.pl (Postfix) with ESMTPSA id 1654928DA30 for <uta@ietf.org>; Mon, 08 Sep 2025 15:56:53 +0200 (CEST)
Message-ID: <0f44c55c-4f7b-4569-9a74-79ce39aa85c5@lebihan.pl>
Date: Mon, 08 Sep 2025 15:56:52 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: uta@ietf.org
References: <39e81484-b99d-4ce9-91f6-5d0e885e5391@lebihan.pl> <aLUWbgcOZXNxoelP@chardros.imrryr.org>
Content-Language: en-US
From: Michel Le Bihan <michel@lebihan.pl>
In-Reply-To: <aLUWbgcOZXNxoelP@chardros.imrryr.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: Y4BJYV4XTLVNVPEXLE4RTK6APM3KEJOH
X-Message-ID-Hash: Y4BJYV4XTLVNVPEXLE4RTK6APM3KEJOH
X-MailFrom: michel@lebihan.pl
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-uta.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Uta] Re: Seeking Input on Secure Service Delegation
List-Id: UTA working group mailing list <uta.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/qJUVaUhp3cvijMRnu5IVV04FbO0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Owner: <mailto:uta-owner@ietf.org>
List-Post: <mailto:uta@ietf.org>
List-Subscribe: <mailto:uta-join@ietf.org>
List-Unsubscribe: <mailto:uta-leave@ietf.org>

Hi Viktor,

Apologies for the late reply.

While DNSSEC adoption is strong in some ccTLDs, two issues prevent it 
from being a complete solution:

 1.

    *TLD limitations*: Some TLDs don't support DNSSEC at all (e.g., .im,
    popular for XMPP services). Organizations using these domains cannot
    deploy DNSSEC regardless of how motivated they are. For XMPP,
    changing domains isn't feasible since they're part of user
    identifiers (user@example.im)

 2.

    *Infrastructure breakage*: Some DNS forwarders, particularly home
    routers, truncate responses and lack EDNS support (see Table 2, p.
    583: https://www.usenix.org/system/files/sec20-zheng.pdf) This
    breaks DNSSEC validation even for domains that properly support it.

These limitations affect a significant portion of services that need 
secure delegation today. The SRV-ID certificate approach could provide a 
practical alternative where DNSSEC isn't viable.

Best regards,
Michel Le Bihan

Le 01/09/2025 à 05:43, Viktor Dukhovni a écrit :
> On Sun, Aug 31, 2025 at 09:18:38PM +0200, Michel Le Bihan wrote:
>
>> The Security Problem
>>
>> Without DNSSEC (which has very limited deployment according to Cloudflare
>> and SIDN statistics),
> Global average fraction of DNSSEC signed domains is ~6.5%, it is however
> rather unevenly distributed.  The below ccTLDs have 20% or more of their
> delegations DNSSEC-signed:
>
>      https://stats.dnssec-tools.org/#/?top=tlds&tld_tab=3
>
>      TLD     #Zones      #Signed     %Signed #DANE   %DANE
>      TOTAL   370990810   23951119    6.46    4277775 17.86
>      er      53          40          75.47   0       0.00
>      dk      1303448     863667      66.26   367844  42.59
>      cz      1504173     945604      62.87   137880  14.58
>      nl      6109695     3817016     62.47   1054927 27.64
>      se      1386049     837283      60.41   338179  40.39
>      sk      466674      266802      57.17   22761   8.53
>      no      855870      488932      57.13   150899  30.86
>      nu      203088      114855      56.55   33337   29.03
>      ch      2535106     1325679     52.29   587647  44.33
>      li      68737       22104       32.16   7182    32.49
>      be      1704076     499395      29.31   143082  28.65
>      fo      8414        2465        29.30   233     9.45
>      ee      174818      43054       24.63   18794   43.65
>      re      39807       9705        24.38   931     9.59
>      yt      5453        1179        21.62   214     18.15
>      tf      4001        841         21.02   209     24.85
>      fr      4256065     887877      20.86   77439   8.72
>      br      5501608     1147110     20.85   2494    0.22
>      eu      3681490     758904      20.61   115688  15.24
>
>      where the DANE counts are for SMTP (_25._tcp TLSA RRs for the
>      domain's MX hosts) and %DANE is as a fraction of the *signed*
>      domains.  [ Yes, the .er (Eritrea) outlier is not a compelling data
>      point, but that's also not a compelling reason to exclude it. ]
>
>> these SRV-based delegations are vulnerable to DNS spoofing attacks. An
>> attacker who can manipulate DNS responses can redirect users to
>> malicious servers, potentially intercepting credentials and
>> communications.
> One obvious suggestion for those facing the issue is to deploy DNSSEC,
> which is now a well-established technology.
>
>> I've evaluated several approaches, each with significant drawbacks:
>>
>>      DANE (RFC 6698): Requires DNSSEC, which remains impractical due to low
>> adoption
> Can you explain what makes generally modest adoption rates a barrier for
> those who are motivated to take advantage of DANE.
>

v2.37.1 | Report a Bug | By Email | System Status