Re: [keyassure] Objective: Restrictive versus Supplementary Models

"Richard L. Barnes" <> Thu, 31 March 2011 09:13 UTC

From: "Richard L. Barnes" <>
To: Paul Wouters <>
Date: Thu, 31 Mar 2011 11:15:31 +0200
Subject: Re: [keyassure] Objective: Restrictive versus Supplementary Models

>>> If the attacker injects fake dns records pointing to a fake server, they
>>> can include a dane rr.  It only makes the attack slightly harder, doesn't it?
>> Yes, but as ekr pointed out, injecting fake DANE RRs can only cause the connection to fail, it won't result in the client connecting to a bogus server.   That's why it's RECOMMENDED instead of REQUIRED.
> Not if you are a MITM on the wire as well (more Starbucks wifi use cases) and
> you're directing the user to your own website with a DANE RR matching your public key.

You're confusing the "Cert Lock" and "Install TA" use cases.  If all the server is doing is "Cert Lock", then the bogus DANE record will simply cause the client to reject the server's cert and the connection to fail.  In the "Install TA" case, DNSSEC would be REQUIRED, for exactly the reason you note.
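The distinction drawn above can be made concrete with a small client-side model. This is an added example, not code from the keyassure list or from any DANE implementation, and it deliberately ignores the real record format: a DANE record is reduced to a mode ("cert-lock" or "install-ta"), a SHA-256 of the server's public key, and a flag saying whether the record was DNSSEC-validated; PKIX validation is reduced to checking the issuer name against a constructed trust store. The names `Cert`, `DaneRecord`, `pkix_valid` and `dane_accept` are assumptions of this example. The point it shows is the one in the message: under "Cert Lock" a forged record can only turn a good connection into a failed one, whereas under "Install TA" an unauthenticated record lets a MITM's self-signed certificate through, so a client must refuse to honour such records unless they came through DNSSEC.

```python
import hashlib
from dataclasses import dataclass
from typing import Tuple

# --- toy PKIX ---------------------------------------------------------------

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes          # the certificate's public key bytes (constructed)

# Constructed trust store: issuer names the client's PKIX validation accepts.
PKIX_TRUST_ANCHORS = {"Public CA"}

def pkix_valid(cert: Cert) -> bool:
    """Stand-in for full PKIX chain validation: trusted issuer or bust."""
    return cert.issuer in PKIX_TRUST_ANCHORS

# --- toy DANE ---------------------------------------------------------------

@dataclass(frozen=True)
class DaneRecord:
    mode: str              # "cert-lock" (restrict) or "install-ta" (supplement)
    spki_sha256: bytes     # hash of the public key the record vouches for
    dnssec_validated: bool # True only if the resolver authenticated the record

def spki_hash(spki: bytes) -> bytes:
    return hashlib.sha256(spki).digest()

def dane_accept(cert: Cert, record: DaneRecord,
                require_dnssec_for_ta: bool = True) -> Tuple[bool, str]:
    """Decide whether to accept `cert` given a DANE record for the name.

    cert-lock : the record only *restricts*; PKIX must still succeed, then
                the key must match. A forged record cannot add trust, it can
                only cause a failure.
    install-ta: the record *supplies* trust, bypassing PKIX. Honouring an
                unauthenticated record here hands the connection to whoever
                injected it, hence DNSSEC validation is required.
    """
    matches = spki_hash(cert.spki) == record.spki_sha256
    if record.mode == "cert-lock":
        if not pkix_valid(cert):
            return (False, "pkix-failed")
        if not matches:
            return (False, "cert-lock-mismatch")
        return (True, "pkix-and-lock")
    if record.mode == "install-ta":
        if require_dnssec_for_ta and not record.dnssec_validated:
            return (False, "install-ta-record-not-dnssec-authenticated")
        if not matches:
            return (False, "install-ta-mismatch")
        return (True, "trust-anchor-from-dns")
    raise ValueError(f"unknown DANE mode {record.mode!r}")

# --- constructed scenarios ----------------------------------------------------

LEGIT = Cert("www.example", "Public CA", b"legit-server-public-key")
MITM  = Cert("www.example", "www.example", b"attacker-self-signed-key")  # self-signed

def legit_cert_lock() -> Tuple[bool, str]:
    """Honest server, honest cert-lock record: accepted."""
    rec = DaneRecord("cert-lock", spki_hash(LEGIT.spki), dnssec_validated=True)
    return dane_accept(LEGIT, rec)

def forged_cert_lock_against_legit_server() -> Tuple[bool, str]:
    """Attacker injects a cert-lock record for a key the real server lacks:
    the only effect is a failed connection (denial, not impersonation)."""
    rec = DaneRecord("cert-lock", spki_hash(MITM.spki), dnssec_validated=False)
    return dane_accept(LEGIT, rec)

def mitm_with_forged_cert_lock() -> Tuple[bool, str]:
    """On-path attacker presents its own cert plus a matching forged cert-lock
    record: PKIX still fails, so the client does not connect to the bogus server."""
    rec = DaneRecord("cert-lock", spki_hash(MITM.spki), dnssec_validated=False)
    return dane_accept(MITM, rec)

def mitm_with_forged_install_ta(require_dnssec: bool) -> Tuple[bool, str]:
    """Same attacker, but the forged record is an install-ta record. A client
    that does not insist on DNSSEC here accepts the attacker's key."""
    rec = DaneRecord("install-ta", spki_hash(MITM.spki), dnssec_validated=False)
    return dane_accept(MITM, rec, require_dnssec_for_ta=require_dnssec)

if __name__ == "__main__":
    print("legit cert-lock:                 ", legit_cert_lock())
    print("forged cert-lock, real server:   ", forged_cert_lock_against_legit_server())
    print("MITM + forged cert-lock:         ", mitm_with_forged_cert_lock())
    print("MITM + forged TA, DNSSEC optional:", mitm_with_forged_install_ta(False))
    print("MITM + forged TA, DNSSEC required:", mitm_with_forged_install_ta(True))
```

Running it shows the asymmetry: every cert-lock case with a forged record ends in rejection, while the install-ta case flips from "attacker accepted" to "rejected" purely on whether the client demands DNSSEC validation of the record, which is why the message treats DNSSEC as RECOMMENDED for the one model and REQUIRED for the other.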