Re: [dane] domain hijacking
Alice Wonder <alice@domblogger.net> Thu, 13 April 2017 06:04 UTC
Return-Path: <alice@domblogger.net>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD388128D3E for <dane@ietfa.amsl.com>; Wed, 12 Apr 2017 23:04:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.103
X-Spam-Level:
X-Spam-Status: No, score=-0.103 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=domblogger.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0E2ZBLOHjRXH for <dane@ietfa.amsl.com>; Wed, 12 Apr 2017 23:04:23 -0700 (PDT)
Received: from mail.domblogger.net (mail.domblogger.net [104.200.18.67]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F4F61293E9 for <dane@ietf.org>; Wed, 12 Apr 2017 23:04:22 -0700 (PDT)
Received: from localhost.localdomain (68-189-44-253.dhcp.rdng.ca.charter.com [68.189.44.253]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.domblogger.net (Postfix) with ESMTPSA id DE82611F1 for <dane@ietf.org>; Thu, 13 Apr 2017 06:04:21 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=domblogger.net; s=default; t=1492063462; bh=T7QxIRQ61t5S8CXvoRm9t/KRk2FTyPJBXs5SI6Y27Cs=; h=Subject:To:References:From:Date:In-Reply-To; b=juxyNEXgwtxKLHfRiE1cemHwoBhgU5JmpeLnWbtxaBt1PwqF9I+eRVA1a9bQoxPNo 03FbYGqvv9r7xq1z7Z2oOKjD+2u2hIl+qKVzQHoMGqPsQM+lf4tCBmjXApj7Hu7Q7r 0ZedUONJLcVOMITGCHhW2OcnAE0PpcrE46APJ/fw=
To: dane@ietf.org
References: <20170413031124.79969.qmail@ary.lan> <5e781877-0c0c-5d11-2c64-3e66c0fd6f21@domblogger.net> <428eca20-a5b9-26e8-3f67-bc3ce770acf2@domblogger.net>
From: Alice Wonder <alice@domblogger.net>
Message-ID: <6a605bbc-6c19-94de-b0fc-dcd49c946f67@domblogger.net>
Date: Wed, 12 Apr 2017 23:04:20 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <428eca20-a5b9-26e8-3f67-bc3ce770acf2@domblogger.net>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/tvSplTded1GmGWa4uLTCmgafA6U>
Subject: Re: [dane] domain hijacking
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Apr 2017 06:04:25 -0000
On 04/12/2017 10:04 PM, Alice Wonder wrote: *snip* > > Meant to type "third party *signed* DS records" Okay this is how I would do it. I'm new to list and kind of a nobody but... DANE is used to secure the long-term private key as an alternate to commercial DV certificates. For OV and EV level of confidence - a company can get an x.509 certificate using their zone as the CN and extensions specifying the DS records that is signed by a trusted third party commercial CA. This x.509 is only used as verification that the DNSSEC validated DS records are genuine and to give the consumer confidence the zone has been validated using OV or EV standards. It does not replace DS records secured by DNSSEC, only adds a second validation in addition to DNSSEC. Only OV and EV make sense for this type of x.509. To compromise a zone protected by this second x.509 a bad actor would need to both obtain a fraudulently signed x.509 from a trusted authority *and* get fraudulent DS records into the zone's parent zone. I'm not an expert on TLS but I think this would even work with existing TLS, just send this x.509 along with the DANE protected x.509 as part of the TLS handshake. Would that work and solve the problem?
- [dane] domain hijacking Wei Chuang
- Re: [dane] domain hijacking Frederico A C Neves
- Re: [dane] domain hijacking Alice Wonder
- Re: [dane] domain hijacking Ken O'Driscoll
- Re: [dane] domain hijacking Ken O'Driscoll
- Re: [dane] domain hijacking John R Levine
- Re: [dane] domain hijacking Wei Chuang
- Re: [dane] domain hijacking Hugo Salgado-Hernández
- Re: [dane] domain hijacking Alice Wonder
- Re: [dane] domain hijacking Ken O'Driscoll
- Re: [dane] domain hijacking Alice Wonder
- Re: [dane] domain hijacking Alice Wonder
- Re: [dane] domain hijacking Alice Wonder
- Re: [dane] domain hijacking John Levine