[keyassure] Asserting DANE exclusivity for an entire domain

Matt McCutchen <matt@mattmccutchen.net> Tue, 01 February 2011 15:45 UTC

From: Matt McCutchen <matt@mattmccutchen.net>
To: keyassure <keyassure@ietf.org>
Date: Tue, 01 Feb 2011 10:49:00 -0500
Message-ID: <1296575340.1888.27.camel@mattlaptop2.local>
Subject: [keyassure] Asserting DANE exclusivity for an entire domain

I would like to assert DANE exclusivity for the entire domain
mattmccutchen.net so that, with respect to clients that check DANE first
and fall back to a mainstream public CA list, a shady CA cannot
impersonate my existing TLS services /or/ fabricate TLS services I do
not offer.  I know I can achieve that by adding enough wildcard dummy
TLSA records to cover the entire namespace as an automated
postprocessing step, but that is a little ugly.

One solution would be to have the client, when no TLSA exists at the
desired host/transport/port after following CNAMEs, search from the host
name up for a "DANE options" record with an exclusivity flag (which
could be on or off).  If no such record is found all the way up to the
root zone, the default is "off".  Do people think this would be worth
the implementation effort and the extra queries?

-- 
Matt
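The client-side lookup described in the message above, as an added example that is not part of the original post or of any DANE specification. It simulates a resolver over constructed zone data: follow CNAMEs, look for a TLSA record at the usual `_port._proto.host` owner name, and if none exists walk from the original host name up to the root looking for a "DANE options" record carrying the exclusivity flag. The record name `_dane-options.<zone>`, the pseudo-type `DANEOPT`, its `exclusive`/`off` values, and the TLSA digest value are all assumptions made for illustration; the example also goes slightly beyond the message by showing a closer `off` record overriding an `exclusive` one higher up.

```python
"""Simulated DANE lookup with a per-domain exclusivity flag.

Added example, not code from the original message. The "_dane-options"
owner name, the DANEOPT pseudo-type and its values are hypothetical;
no such record exists in the DANE RFCs. All zone data is constructed.
"""

# Constructed zone data: owner name -> record type -> value.
CONSTRUCTED_DIGEST = "ab" * 32  # placeholder SHA-256 hex, not a real key digest
ZONE = {
    "www.example.net.": {"CNAME": "web.example.net."},
    "_443._tcp.web.example.net.": {"TLSA": f"3 1 1 {CONSTRUCTED_DIGEST}"},
    "_dane-options.example.net.": {"DANEOPT": "exclusive"},        # hypothetical
    "_dane-options.legacy.example.net.": {"DANEOPT": "off"},       # hypothetical
    "mail.other.test.": {"A": "192.0.2.10"},
}


def fqdn(name):
    """Normalise a host name to a fully qualified form with a trailing dot."""
    return name if name.endswith(".") else name + "."


def follow_cnames(name, zone, limit=8):
    """Resolve a CNAME chain, refusing loops or chains longer than `limit`."""
    hops = 0
    while "CNAME" in zone.get(name, {}):
        name = zone[name]["CNAME"]
        hops += 1
        if hops > limit:
            raise RuntimeError(f"CNAME chain too long starting at {name}")
    return name


def tlsa_owner(host, proto, port):
    """Owner name of the TLSA record for host/transport/port (RFC 6698 style)."""
    return f"_{port}._{proto}.{host}"


def exclusivity_flag(host, zone):
    """Walk from `host` up to the root; return True if the nearest hypothetical
    _dane-options record says "exclusive", False if it says "off" or if no
    record exists at any level (the proposed default)."""
    labels = fqdn(host).rstrip(".").split(".")
    for i in range(len(labels) + 1):
        suffix = ".".join(labels[i:])
        owner = f"_dane-options.{suffix}." if suffix else "_dane-options."
        value = zone.get(owner, {}).get("DANEOPT")
        if value is not None:
            return value == "exclusive"   # closest record wins
    return False


def decide(host, proto, port, zone):
    """Return ("TLSA", record) when a TLSA record is present, ("REJECT", reason)
    when the domain asserts exclusivity but offers no TLSA record, and
    ("FALLBACK_CA", None) when the client may fall back to its public CA list."""
    host = fqdn(host)
    canonical = follow_cnames(host, zone)
    tlsa = zone.get(tlsa_owner(canonical, proto, port), {}).get("TLSA")
    if tlsa:
        return ("TLSA", tlsa)
    # Walk up from the name the client asked for, not the CNAME target, so
    # an exclusivity assertion on the client-visible domain still applies.
    if exclusivity_flag(host, zone):
        return ("REJECT", "domain asserts DANE exclusivity but no TLSA record exists")
    return ("FALLBACK_CA", None)


if __name__ == "__main__":
    for query in [("www.example.net", "tcp", 443),
                  ("ftp.example.net", "tcp", 21),
                  ("host.legacy.example.net", "tcp", 443),
                  ("mail.other.test", "tcp", 25)]:
        print(query, "->", decide(*query, ZONE))
```

The walk starts from the name the client asked for rather than the CNAME target, so that a domain owner who outsources a host via CNAME keeps control of the exclusivity assertion for their own namespace; starting from the canonical name instead would let the CNAME target's zone decide.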