Re: [dane] Behavior in the face of no answer?

[Nicholas Weaver <nweaver@icsi.berkeley.edu>]

On May 3, 2012, at 7:10 PM, Andrew Sullivan wrote:

> On Thu, May 03, 2012 at 03:44:57PM -0700, Eric Rescorla wrote:
>> 
>> Well, I absolutely have a problem.... I'm under active attack :)
>> 
>> However, if you choose option (a) and hard fail, then all the attacker
>> can do is create a failure. However, if you choose option (b) then
>> the attacker is able to cause you to connect to his server even
>> though the domain operator is trying to serve you a DNSSEC-signed
>> DANE record which tells you not to accept that cert (if you
>> could only get that record).
> 
> No, I think I still don't understand.  Under (b), how can the attacker
> get you to connect to "his server"?  The attacker can get you to
> connect to some server and foil your attempt to use the TLSA-provided
> credential, but how do you go to the wrong server?
> 
> You can't get the A or AAAA record if the attacker is fiddling with
> the DNS, because that RRset will fail DNSSEC validation in the first
> place.  Remember, we're already depending on DNSSEC.  If you _can_ get
> the right address, then the problem is that you use the wrong
> certificate (i.e. you fall back to the X.509 chain)?  Unless the X.509
> chain is somehow subverted, though -- but how is that any more of a
> danger than "compromised key in TLSA"?

An IN-path adversary doesn't need to manipulate the A or AAAA records to get you to connect to their server.

Since the adversaries of concern are likely to be in-path, not just on-path, this is a serious concern and DANE when it can't get the record it MUST hard fail lest it be useless in the face on an in-path attacker, which is critical since the goal of all this cryptomagic is to deal with in-path attackers.