Re: [perpass] DNS confidentiality

Karl Malbrain <malbrain@yahoo.com> Thu, 26 September 2013 18:09 UTC

References: <524150C7.2020602@cs.tcd.ie> <1380054665.62304.YahooMailNeo@web125505.mail.ne1.yahoo.com> <006a01ceb96a$335c1df0$9a1459d0$@rozanak.com> <1380137874.48631.YahooMailNeo@web125502.mail.ne1.yahoo.com> <005901ceba2a$f854c1a0$e8fe44e0$@rozanak.com>
Message-ID: <1380218914.85280.YahooMailNeo@web125502.mail.ne1.yahoo.com>
Date: Thu, 26 Sep 2013 11:08:34 -0700
From: Karl Malbrain <malbrain@yahoo.com>
To: Hosnieh Rafiee <ietf@rozanak.com>
In-Reply-To: <005901ceba2a$f854c1a0$e8fe44e0$@rozanak.com>
Cc: 'perpass' <perpass@ietf.org>, 'Stephen Farrell' <stephen.farrell@cs.tcd.ie>
Subject: Re: [perpass] DNS confidentiality

CGA-TSIG seems to be a trust-on-first-use protocol for subsequently updating records within DNS.  It doesn't seem to address the problem of an arbitrary client securely obtaining the IP/public key for an arbitrary host from DNS without the possibility of MITM.  Perhaps you could explain further.
 
Karl Malbrain  
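The point argued in this exchange (a signature over DNS data only stops a MITM when the resolver already holds the right verification key; a key that arrives with the data, or is pinned on first contact, is only as trustworthy as the path it came over) can be run as a small model. The following is an added example for this page, not code from the thread, from the CGA-TSIG draft or from any DNS implementation; the record layout, the names and addresses, the three resolver policies and the Lamport one-time signature (a pure-stdlib stand-in for whatever signature algorithm a real deployment would use) are all assumptions of the example.

```python
"""Added example (not from the thread or from the CGA-TSIG draft): a signature
over DNS data defeats a MITM only if the resolver already holds the right
public key. Record layout, names, addresses and the Lamport one-time signature
(a stand-in for whatever algorithm a real deployment uses) are all assumptions
of this example."""
import hashlib
import secrets
from dataclasses import dataclass, field


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Lamport one-time key: 256 pairs of random preimages; public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(sk, msg: bytes):
    """Reveal one preimage per digest bit (a Lamport key must sign only one message)."""
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(_bits(msg)))


def fingerprint(pk) -> bytes:
    return H(b"".join(a + b for a, b in pk))


@dataclass
class Response:
    """Constructed stand-in for a signed DNS answer: the key travels with the data."""
    name: str
    rdata: str
    pk: list
    sig: list = field(default_factory=list)

    def payload(self) -> bytes:
        return f"{self.name} A {self.rdata}".encode()


def answer(sk, pk, name: str, rdata: str) -> Response:
    r = Response(name, rdata, pk)
    r.sig = sign(sk, r.payload())
    return r


# --- three resolver policies ------------------------------------------------

def accept_inband_key(resp: Response) -> bool:
    """Verifies with whatever key the response carries: the case where the
    'certificate is provided by MITM'."""
    return verify(resp.pk, resp.payload(), resp.sig)


def accept_pinned_key(resp: Response, pinned_fp: bytes) -> bool:
    """Key obtained out of band ('through exterior means') and compared first."""
    return fingerprint(resp.pk) == pinned_fp and accept_inband_key(resp)


class TofuResolver:
    """Trust on first use: pins the key seen in the first answer for a name."""

    def __init__(self):
        self.pins = {}

    def accept(self, resp: Response) -> bool:
        fp = self.pins.setdefault(resp.name, fingerprint(resp.pk))
        return fp == fingerprint(resp.pk) and accept_inband_key(resp)


def scenario() -> dict:
    """Runs the exchange once and reports what each policy accepts."""
    server_sk, server_pk = keygen()
    mitm_sk, mitm_pk = keygen()
    genuine = answer(server_sk, server_pk, "www.example.", "192.0.2.10")
    # MITM rewrites the address, re-signs with its own key and ships that key.
    forged = answer(mitm_sk, mitm_pk, "www.example.", "198.51.100.66")
    # A MITM that only edits the data, without a matching key, fails the signature.
    tampered = Response(genuine.name, "198.51.100.66", genuine.pk, genuine.sig)
    pinned = fingerprint(server_pk)
    tofu_clean_first, tofu_mitm_first = TofuResolver(), TofuResolver()
    return {
        "inband_accepts_genuine": accept_inband_key(genuine),
        "inband_rejects_tampered": not accept_inband_key(tampered),
        "inband_accepts_forgery": accept_inband_key(forged),
        "pinned_accepts_genuine": accept_pinned_key(genuine, pinned),
        "pinned_rejects_forgery": not accept_pinned_key(forged, pinned),
        "tofu_clean_first_rejects_later_forgery":
            tofu_clean_first.accept(genuine) and not tofu_clean_first.accept(forged),
        "tofu_mitm_first_accepts_forgery":
            tofu_mitm_first.accept(forged) and not tofu_mitm_first.accept(genuine),
    }


if __name__ == "__main__":
    for check, ok in scenario().items():
        print(f"{check:40s} {ok}")
```

Every entry in the returned dict is True: the signature catches in-flight edits of the data, but an attacker who can substitute the key as well as the data passes the in-band check, and a trust-on-first-use resolver is protected only if its first contact happened without the attacker present. The pinned policy is the only one that rejects the forgery regardless of ordering, which is the "exterior means" requirement stated in the thread.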

________________________________
 From: Hosnieh Rafiee <ietf@rozanak.com>
To: 'Karl Malbrain' <malbrain@yahoo.com> 
Cc: 'perpass' <perpass@ietf.org>; 'Stephen Farrell' <stephen.farrell@cs.tcd.ie> 
Sent: Wednesday, September 25, 2013 1:08 PM
Subject: Re: [perpass] DNS confidentiality
  


Not if you use another approach as well as a signature. This means that if the two nodes know the IP address of each other, then nobody can play the role of MITM if they are using CGA-TSIG (http://tools.ietf.org/html/draft-rafiee-intarea-cga-tsig) as a means of DNS authentication.
 
 
Hosnieh
 
From: perpass-bounces@ietf.org [mailto:perpass-bounces@ietf.org] On Behalf Of Karl Malbrain
Sent: Wednesday, September 25, 2013 9:38 PM
To: Hosnieh Rafiee
Cc: 'perpass'; 'Stephen Farrell'
Subject: Re: [perpass] DNS confidentiality
 
Yes, MITM can be prevented if you have a copy of the public certificate obtained through exterior means to check the signature over the data.  If your certificate is provided by MITM you naturally lose that signature protection.
 
From: Hosnieh Rafiee <ietf@rozanak.com>
To: 'Karl Malbrain' <malbrain@yahoo.com> 
Cc: 'perpass' <perpass@ietf.org>; 'Stephen Farrell' <stephen.farrell@cs.tcd.ie> 
Sent: Tuesday, September 24, 2013 2:08 PM
Subject: Re: [perpass] DNS confidentiality
 
A MITM attack can be prevented by signing the data. Please check the CGA-TSIG draft.
 
 
Hosnieh
 
 
From: perpass-bounces@ietf.org [mailto:perpass-bounces@ietf.org] On Behalf Of Karl Malbrain
Sent: Tuesday, September 24, 2013 10:31 PM
To: Stephen Farrell; perpass
Subject: Re: [perpass] DNS confidentiality
 
To obviate the harvesting of meta-data, we do need a secure interface to DNS.
 
MITM resistance (authentication) is also going to be required in DNS server connections. Maybe well-known certificates for DNS servers incorporated into browser software.
 
Given the reluctance of browser writers to implement DANE, we're going to need something like encrypted QUIC available as a transport first.
 
Karl Malbrain  
 
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: perpass <perpass@ietf.org> 
Sent: Tuesday, September 24, 2013 1:43 AM
Subject: [perpass] DNS confidentiality


Hiya,

I've not seen mention of this so far here that I recall.

Even as we improve the security of loads of protocols, there
will still be issues with meta-data monitoring based on
DNS queries for example. This point was sort of raised on
the IETF list e.g. in [1].

DNSSEC doesn't provide any confidentiality. There are
proposals that do try to do that.

Do we think this is worth looking at?
If so, anyone up for doing some work on that?
If so, how, or starting from what?

S.

[1] http://www.ietf.org/mail-archive/web/ietf/current/msg82696.html
_______________________________________________
perpass mailing list
perpass@ietf.org
https://www.ietf.org/mailman/listinfo/perpass
