Marc Lampo wrote:
> Before the draft was adopted as RFC I asked how to cope with proxies.
>
> On Sector 2012, last week, I was quite shocked to hear a speaker (also
> reading this, I assume) simply state to get rid of them!
> I'd rather see continued work on how to make the principle of DANE
> apply/work even in the presence of proxies.
>
> The other security remark is that, in order for the browser to use
> info in a TLSA record, the host needs access to public DNS.
> (With the use of a proxy, a setup with internal roots is possible;
> internal hosts don't need access to public IP addresses
> if they use proxies.)
> However, TLSA is not "an address", so access to public DNS is needed.
"Proxy" is a very generic term and means different things to different people. What would need to be extended is the information exchange between the TLS client and the proxy when performing the proxy traversal. A solution for client-side HTTP proxies that support the "HTTP CONNECT" method would be to have the proxy perform the TLSA lookups just the way it performs the DNS lookup for the target hostnames, and return all relevant raw DNS records base64-encoded in header fields of the proxy response to the HTTP CONNECT method.

-Martin

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
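The exchange Martin sketches, as an added illustration that is not part of the thread and not code from any DANE implementation: a simulated proxy answers the CONNECT with one header per raw TLSA RDATA (RFC 6698 wire format, base64-encoded), and the client parses those headers and checks the server certificate it later sees against them. The header name `X-DANE-TLSA`, the sample records and the "certificate" bytes are all constructed for the example; only stdlib modules are used. Note that in this design the client is trusting the proxy to have done DNSSEC validation of the TLSA RRset, so the proxy becomes part of the client's trust base for DANE.

```python
import base64
import hashlib
import struct

# Hypothetical header name; nothing in the thread or any RFC defines it.
TLSA_HEADER = "X-DANE-TLSA"

# Constructed stand-in for a DER certificate (not a real X.509 blob).
CONSTRUCTED_CERT = b"-- constructed DER certificate bytes for demo --"


def tlsa_rdata(usage, selector, matching_type, cert_assoc_data):
    """Encode one TLSA RDATA: usage, selector, matching type, then the
    certificate association data (RFC 6698 section 2.1 wire format)."""
    return struct.pack("!BBB", usage, selector, matching_type) + cert_assoc_data


def parse_tlsa_rdata(blob):
    """Inverse of tlsa_rdata(); returns (usage, selector, mtype, data)."""
    if len(blob) < 3:
        raise ValueError("TLSA RDATA shorter than its 3-byte header")
    usage, selector, mtype = struct.unpack("!BBB", blob[:3])
    return usage, selector, mtype, blob[3:]


# Two constructed records for the same name: DANE-EE(3)/Cert(0)/SHA-256(1)
# for the demo certificate, plus an unrelated DANE-TA(2) entry to show that
# non-matching records are skipped rather than treated as a failure.
SAMPLE_TLSA = [
    tlsa_rdata(3, 0, 1, hashlib.sha256(CONSTRUCTED_CERT).digest()),
    tlsa_rdata(2, 1, 1, hashlib.sha256(b"constructed trust-anchor SPKI").digest()),
]


def proxy_connect_response(tlsa_rdatas):
    """Proxy side: a 200 reply to CONNECT carrying the raw TLSA records
    it looked up for the target host, one base64 value per header line."""
    lines = ["HTTP/1.1 200 Connection Established"]
    for rd in tlsa_rdatas:
        lines.append(f"{TLSA_HEADER}: {base64.b64encode(rd).decode('ascii')}")
    lines.append("")  # end of headers
    lines.append("")
    return "\r\n".join(lines)


def extract_tlsa_from_response(response_text):
    """Client side: pull the status line and decode every TLSA header."""
    head, _, _ = response_text.partition("\r\n\r\n")
    status, *headers = head.split("\r\n")
    records = []
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() == TLSA_HEADER.lower():
            records.append(parse_tlsa_rdata(base64.b64decode(value.strip())))
    return status, records


def cert_matches_tlsa(cert_der, records):
    """Accept the leaf certificate only if some record is
    usage 3 (DANE-EE), selector 0 (full cert), matching type 1 (SHA-256)
    and its data equals the SHA-256 of the DER certificate. Other
    usage/selector/type combinations are ignored here for brevity."""
    digest = hashlib.sha256(cert_der).digest()
    for usage, selector, mtype, data in records:
        if usage == 3 and selector == 0 and mtype == 1 and data == digest:
            return True
    return False


def demo():
    """Full round trip: proxy builds the response, client parses it and
    checks a matching and a non-matching certificate. Returns (True, False)."""
    response = proxy_connect_response(SAMPLE_TLSA)
    status, records = extract_tlsa_from_response(response)
    if not status.startswith("HTTP/1.1 200"):
        raise RuntimeError("CONNECT failed: " + status)
    good = cert_matches_tlsa(CONSTRUCTED_CERT, records)
    bad = cert_matches_tlsa(b"some other certificate", records)
    return good, bad


if __name__ == "__main__":
    print(demo())
```

The client never needs to reach public DNS itself, which addresses Marc's second point, but the proxy must return the records it actually validated, and a client that cannot see the AD bit has no way to tell a validated RRset from one the proxy fabricated or cached past its TTL.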
