Re: [dane] Where to flesh out a DNSSEC extension proposal?

Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 26 April 2015 19:41 UTC

Date: Sun, 26 Apr 2015 19:41:33 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20150426194133.GZ25758@mournblade.imrryr.org>
References: <CAAr_crykwpOEQoqN_w1c5=k+q35XsPobF_xSPK_vfMiqnzCL5w@mail.gmail.com> <alpine.LFD.2.10.1504261436100.21450@bofh.nohats.ca>
In-Reply-To: <alpine.LFD.2.10.1504261436100.21450@bofh.nohats.ca>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/FkPHKwCiBn9S6L2vAQXhOXfoXxI>
Subject: Re: [dane] Where to flesh out a DNSSEC extension proposal?

On Sun, Apr 26, 2015 at 02:37:08PM -0400, Paul Wouters wrote:

> >I've blogged a proposal for a couple of DNS/DNSSEC extensions that I would be interested in taking forward to the next stage.
> >
> >Would anyone be able to direct me to the correct channel for my proposal?
> >http://pirate.london/2015/04/using-dns-records-to-build-a-more-secure-web/
> 
> Why publish HSTS information when you can publish the public key as well
> using a TLSA record? Basically, the presence of a TLSA record means the
> same as HSTS, "do connect with encryption please".

Yes, to harden opportunistic TLS via DNSSEC, use DANE TLSA RRs,
which for clients that support the approach kill two birds with
one stone:

    * Whether to authenticate
    * How to authenticate

    https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-16#section-2.2
    https://tools.ietf.org/html/draft-ietf-dane-srv-13#section-4

-- 
	Viktor.
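As an added illustration of the two decisions Viktor lists above (example code written for this archive page, not code from the thread or from any DANE implementation): a Go sketch of the client side, where a DNSSEC-secure TLSA answer decides whether to authenticate and each record's selector and matching type decide how. It assumes a simplified usable-record rule (usages DANE-TA(2)/DANE-EE(3) only, SHA-256 only) and constructs a throwaway self-signed certificate to stand in for the one a server presents in the handshake.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// TLSA is the RDATA of one TLSA record (RFC 6698): usage, selector, matching type, data.
type TLSA struct {
	Usage, Selector, MatchingType uint8
	Data                          []byte
}

// Usable: known selector and matching type (SHA-512, type 2, omitted here for brevity) and usage
// DANE-TA(2) or DANE-EE(3); PKIX usages 0/1 are left out, a simplification for opportunistic SMTP.
func (t TLSA) Usable() bool {
	return (t.Usage == 2 || t.Usage == 3) && t.Selector <= 1 && t.MatchingType <= 1
}

// MustAuthenticate is the "whether": only a DNSSEC-validated (secure) TLSA answer holding at
// least one usable record turns opportunistic TLS into mandatory DANE authentication.
func MustAuthenticate(dnssecSecure bool, rrs []TLSA) bool {
	for _, r := range rrs {
		if dnssecSecure && r.Usable() {
			return true
		}
	}
	return false
}

// Matches is the "how": selector 0 covers the full DER certificate, 1 its SubjectPublicKeyInfo;
// matching type 0 compares the raw bytes, 1 their SHA-256 digest, against the record data.
func (t TLSA) Matches(cert *x509.Certificate) bool {
	sel := map[uint8][]byte{0: cert.Raw, 1: cert.RawSubjectPublicKeyInfo}[t.Selector]
	if t.MatchingType == 1 {
		h := sha256.Sum256(sel)
		sel = h[:]
	}
	return t.Usable() && bytes.Equal(sel, t.Data)
}

// NewSelfSigned builds a throwaway certificate (constructed test input; no real host or key involved).
func NewSelfSigned() *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	cert := NewSelfSigned()
	h := sha256.Sum256(cert.RawSubjectPublicKeyInfo) // data of the "3 1 1" record to publish for this key
	rrs := []TLSA{{3, 1, 1, h[:]}}
	fmt.Println(MustAuthenticate(true, rrs), MustAuthenticate(false, rrs), rrs[0].Matches(cert)) // true false true
}
```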