On Fri, 12 Oct 2012, Marc Lampo wrote:
Before the draft was adopted as RFC I asked how to cope with proxies.
And we had the same discussion we are having now.
At Sector 2012, last week, I was quite shocked to hear a speaker (also reading this, I assume) simply state to get rid of them!
I clearly stated when making that remark that it was my _personal_ view, with no hats on. I personally believe MITM proxies are bad for security. I understand that there is a need for them both in the enterprise and at the dictatorship levels, neither of which affects me personally.
I'd rather see continued work on how to make the principle of DANE apply/work even in the presence of proxies.
Please go re-read RFC 1984. If you are legitimately needing to dictate local policy to ignore TLSA records, ask your vendor (browser, OS, etc) for support in enforcing such an override on the application/OS level. It cannot ever be part of the protocol level.
The other security remark is that, in order for the browser to use info in TLSA record, the host needs access to public DNS. (with the use of a proxy, a setup with internal-roots is possible, internal hosts don't need access to public IP addresses if they use proxies)
As I explained during that talk, but perhaps not clearly enough, you have the option of using a SOCKS proxy, in which case DNS lookups should be done by your SOCKS proxy server, and any DNS and DANE processing would be done there. I would assume any browser supporting SOCKS would disable TLSA checking when SOCKS is enabled. If not, file a bug with the vendor. See: http://kb.mozillazine.org/Network.proxy.socks_remote_dns
However, TLSA is not "an address", so access to public DNS is needed.
No, when configured using SOCKS, you should not need to do DNS yourself. You just get your TCP streams.
Regarding DNSSEC: do not forget that adding signatures without verifying them is almost useless. And since *lots* of networks use AD, with its (non-DNSSEC-capable) DNS servers, only a few users actually benefit at this moment.
Give it another year or so and you'll see the proliferation of validating resolvers on lots of end nodes.
So, whether or not the TLSA record is coming from a signed domain, most users are not capable of noticing this anyway.
"most users" would dramatically change if, say, Firefox, Chrome or Android would start validating DNSSEC. And that's really a matter of "when", not "if".

Paul

_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane
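The SOCKS point above in working code, as an added example that is not part of the thread or of any browser: a minimal encoder and decoder for the SOCKS5 CONNECT request of RFC 1928, plus the TLSA owner-name construction of RFC 6698. With "remote DNS" the browser sends the hostname unresolved (address type 0x03), so it never needs public DNS itself; the proxy receives the name and is the only party that can do the DNSSEC and DANE work. If the client resolves locally and sends an address (type 0x01 or 0x04), the proxy has nothing to look a TLSA record up under, which is the failure mode the function returns None for. The hostname and IP literal are constructed sample input, and the ASCII hostname encoding is an assumption of this example (IDNA is out of scope).

```python
"""
Added example, not code from the DANE mailing list or any browser.
Encodes and decodes SOCKS5 CONNECT requests (RFC 1928 section 4) to show
what a proxy sees when the client uses remote DNS versus local resolution,
and derives the TLSA owner name (RFC 6698 section 3) from what it sees.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
RSV = 0x00
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04


@dataclass
class ConnectRequest:
    atyp: int
    host: str   # domain name, or textual IPv4/IPv6 address
    port: int


def build_connect_by_name(host: str, port: int) -> bytes:
    """Client with remote DNS (e.g. Firefox network.proxy.socks_remote_dns):
    the hostname is carried as ATYP 0x03 and the client resolves nothing."""
    name = host.encode("ascii")  # assumption: plain ASCII hostname, no IDNA
    if not 1 <= len(name) <= 255:
        raise ValueError("SOCKS5 domain names are limited to 1..255 octets")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, RSV, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def build_connect_by_ip(ip: str, port: int) -> bytes:
    """Client that resolved locally (or was given an IP literal): only an
    address crosses the wire, so the name is lost to the proxy."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, ip)
    except OSError:
        addr = bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, ip)
    return bytes([SOCKS_VERSION, CMD_CONNECT, RSV]) + addr + struct.pack("!H", port)


def parse_connect_request(data: bytes) -> ConnectRequest:
    """Proxy side: recover the destination exactly as the client sent it."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    if data[1] != CMD_CONNECT:
        raise ValueError("only CONNECT is handled in this example")
    atyp = data[3]
    if atyp == ATYP_DOMAIN:
        n = data[4]
        end = 5 + n
        host = data[5:end].decode("ascii")
    elif atyp == ATYP_IPV4:
        end = 8
        host = socket.inet_ntop(socket.AF_INET, data[4:end])
    elif atyp == ATYP_IPV6:
        end = 20
        host = socket.inet_ntop(socket.AF_INET6, data[4:end])
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(data) != end + 2:
        raise ValueError("truncated request or trailing bytes")
    port = struct.unpack("!H", data[end:end + 2])[0]
    return ConnectRequest(atyp, host, port)


def tlsa_owner_name(req: ConnectRequest, proto: str = "tcp") -> Optional[str]:
    """RFC 6698: TLSA lives at _port._proto.host. The proxy can only form
    this when it received a name; an address gives nothing to look up."""
    if req.atyp != ATYP_DOMAIN:
        return None
    return f"_{req.port}._{proto}.{req.host}."


if __name__ == "__main__":
    # Constructed sample input.
    for wire in (build_connect_by_name("www.example.com", 443),
                 build_connect_by_ip("93.184.216.34", 443)):
        req = parse_connect_request(wire)
        print(wire.hex(), "->", req, "TLSA:", tlsa_owner_name(req))
```

Run it as a script to see both requests side by side: the name-carrying request yields `_443._tcp.www.example.com.` for the proxy to query (and validate) while the address-carrying one yields nothing, which is why TLSA checking belongs on the proxy, not in a browser that has been told to stop doing DNS.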
