Re: [dane] domain hijacking

Alice Wonder <alice@domblogger.net> Thu, 13 April 2017 05:02 UTC

Return-Path: <alice@domblogger.net>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B33C11293E4 for <dane@ietfa.amsl.com>; Wed, 12 Apr 2017 22:02:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.103
X-Spam-Level:
X-Spam-Status: No, score=-0.103 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=domblogger.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1v89UtOKu86y for <dane@ietfa.amsl.com>; Wed, 12 Apr 2017 22:02:19 -0700 (PDT)
Received: from mail.domblogger.net (mail.domblogger.net [104.200.18.67]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BBD93128B90 for <dane@ietf.org>; Wed, 12 Apr 2017 22:02:19 -0700 (PDT)
Received: from localhost.localdomain (68-189-44-253.dhcp.rdng.ca.charter.com [68.189.44.253]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.domblogger.net (Postfix) with ESMTPSA id 8445B601 for <dane@ietf.org>; Thu, 13 Apr 2017 05:02:18 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=domblogger.net; s=default; t=1492059738; bh=2Kz4rrDsQgEGlA6YR5hDG4g0+0k6ODZj4r/Y0FlTaZM=; h=Subject:To:References:From:Date:In-Reply-To; b=qF19EJrI+U33+YA+0rrzwnb4j/fR7cEjsgknrg2hXroedfD2L/vLePZGE9de+KIWr VPbXroRyP0mbzY+WlusX5YTnstdzYme2FKGPtJHSB+IJihbrArFr062YC75CDrk43T 1r7c0yxyU3a9lney7+lkvN9UHa6YmLo1QM840oGE=
To: dane@ietf.org
References: <20170413031124.79969.qmail@ary.lan>
From: Alice Wonder <alice@domblogger.net>
Message-ID: <5e781877-0c0c-5d11-2c64-3e66c0fd6f21@domblogger.net>
Date: Wed, 12 Apr 2017 22:02:17 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <20170413031124.79969.qmail@ary.lan>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/dBaivB8JPA3r2jykG-h5iH6nIlI>
Subject: Re: [dane] domain hijacking
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Apr 2017 05:02:26 -0000

On 04/12/2017 08:11 PM, John Levine wrote:
>> If my suspicion is correct, has there
>> been thought of re-signing the DS record signed with the older private key
>> in a way that proves ownership through the key change?
>
> This sounds to me like shutting the barn door after the horse is gone.
>
> If it's important to you that your domain isn't hijacked, we all know
> what to do, pick a registrar with good security and 2FA and so forth,
> and monitor your own DNS with alarms if there are unauthorized changes.
>
> Also, if we were to invent some sort of change signing, now you have
> the other problem where the guy with the private key quits and takes
> it with him, and you have to rebootstrap the zone somehow.
>
> R's,
> John

I wonder if the future DANE equivalent of EV type validation is DS 
records at a well known location at the root of the domain (e.g. 
/ds.signed) signed by a trusted third party that clients can use to 
validate what is in their TLD.

The only commercial CA issued certificates I personally have any 
confidence in as an end user are EV and that would give even more 
confidence.

Use DANE to secure to public x.509 and when more confidence than DANE is 
needed, expensive commercial CA to secure the DS records. Cheap 
commercial CA wouldn't be needed because DANE already provides far more 
than domain validation certs can, only DS record certs that involve 
human validation would make sense, for things like banking or commerce 
or major social network.

To work with more than HTTPS third party DS records could be sent with a 
future version of TLS or some kind of blockchain technology.