[websec] HSTS at DNS level

Anne van Kesteren <annevk@annevk.nl> Wed, 29 October 2014 18:56 UTC


Is there some way we could add an annotation to DNS that makes it
clear a given domain, for the purposes of HTTP, is only available over
port 443 using TLS? DNS can be easily spoofed, of course, so you also
want HSTS, but perhaps it would be sufficient to be able to disable
port 80 entirely.


-- 
https://annevankesteren.nl/
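The interplay the post raises, as an added example that is not part of the post or the websec list: a client that consults a hypothetical DNS "https-only" annotation next to an RFC 6797 HSTS cache. The `dns` dict standing in for a resolver, and the annotation itself, are constructed assumptions; the point shown is that a spoofed answer can drop the annotation, while a cached HSTS entry still forces HTTPS.

```python
# Added example: combine a hypothetical DNS "https-only" annotation with an
# HSTS cache, to show why the DNS signal alone cannot replace HSTS. The DNS
# annotation and the resolver stub are constructed; HSTS handling follows RFC 6797.
import time
from typing import Dict, Optional, Tuple


def parse_hsts(header: str) -> Optional[Tuple[int, bool]]:
    """Return (max_age, include_subdomains) from a Strict-Transport-Security
    header value, or None if it carries no usable max-age directive."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip('"').isdigit():
            max_age = int(value.strip('"'))
        elif name.lower() == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class Client:
    """Minimal HSTS-aware client with a pluggable (spoofable) DNS stub."""

    def __init__(self, dns: Dict[str, bool]):
        # dns maps hostname -> True when the hypothetical https-only annotation
        # is present in the (unauthenticated) DNS answer.
        self.dns = dns
        self.hsts: Dict[str, Tuple[float, bool]] = {}  # host -> (expiry, includeSubDomains)

    def record_hsts(self, host: str, header: str, now: float = None) -> None:
        """Cache an HSTS policy received over a secure connection."""
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        now = time.time() if now is None else now
        if max_age == 0:
            self.hsts.pop(host, None)  # max-age=0 removes the known host
        else:
            self.hsts[host] = (now + max_age, include_sub)

    def hsts_known(self, host: str, now: float = None) -> bool:
        """True if host, or a parent with includeSubDomains, has a live entry."""
        now = time.time() if now is None else now
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.hsts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def scheme_for(self, host: str, now: float = None) -> str:
        """HSTS wins unconditionally; the DNS hint only helps when present."""
        if self.hsts_known(host, now) or self.dns.get(host, False):
            return "https"
        return "http"
```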