aboutsummaryrefslogtreecommitdiff
path: root/doc/proposals/2022-01-domain-hint
diff options
context:
space:
mode:
authorRasmus Dahlberg <rasmus@mullvad.net>2022-01-31 15:36:29 +0100
committerRasmus Dahlberg <rasmus@mullvad.net>2022-01-31 15:36:29 +0100
commitf8d61a93109656e89cbbdeae56ca778127a0eafe (patch)
treed1f935122336a93254fc869ebf63c7636a7d56ba /doc/proposals/2022-01-domain-hint
parent9d5eee35a5fd7f145916043de3e94e14044946a7 (diff)
moved some persisted pads to proposal directory
See doc/proposals/2022-01-how-to-use-proposal-folder for details.
Diffstat (limited to 'doc/proposals/2022-01-domain-hint')
-rw-r--r--doc/proposals/2022-01-domain-hint51
1 files changed, 51 insertions, 0 deletions
diff --git a/doc/proposals/2022-01-domain-hint b/doc/proposals/2022-01-domain-hint
new file mode 100644
index 0000000..322d9cc
--- /dev/null
+++ b/doc/proposals/2022-01-domain-hint
@@ -0,0 +1,51 @@
+Proposal: stricter domain hint requirements
+
+Background
+---
+Right now a log is expected to look up a submitter's public key hash via DNS. A
+domain hint, say, example.com, specifies the location of a TXT RR that contains
+the appropriate key hash in hex-encoding. "Some domain knows about the key".
+
+Downsides with this:
+1. A log can be instructed to look up arbitrary TXT records
+2. No versioning
+
+As far as we know there are no amplification threats with (1), but ideally it
+would only be possible to query TXT RRs that are actually relevant for Sigsum.
+
+Not having any versioning could potentially become a headache. All other log
+endpoints are versioned. There is no good reason to not have versioning here,
+unless that would imply something like registering many different things with
+IANA as a result.
+
+Proposal
+---
+Require that a domain hint is formatted as:
+
+ _sigsum_v0.*
+
+Examples of valid domain hints:
+
+ _sigsum_v0.com
+ _sigsum_v0.example.com
+ _sigsum_v0.sub.example.com
+
+Examples of invalid domain hints:
+
+ _sigsum_v0hello.example.com
+
+This change addresses both (1) and (2), without making DNS configs harder.
+
+Notes
+---
+For v1 we need to consider if something should be registered with IANA. Credit
+to Patrik Wallström who pointed us towards documentation about labels with
+underscores:
+ * https://www.rfc-editor.org/rfc/rfc8552.html
+ * https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#underscored-globally-scoped-dns-node-names
+
+Note also that the dependency on TXT look-ups means that a "hidden log" via Tor
+would need help from a resolver that is also available over Tor (preferably an
+onion but at minimum reachable over TCP). This is because TXT records cannot be
+resolved over Tor. This proposal allows the used resolver to be restricted to
+only resolve _sigsum_*.