In message <[email protected]>, Paul Wouters writes:
> On Tue, 23 Oct 2012, Guangqing Deng wrote:
>
> > 2012/10/23 Alexander Gurvitz <[email protected]>
> > Hello.
> >
> > http://tools.ietf.org/html/rfc6394#section-3.1 :
> >
> > Continuing to require PKIX validation also limits the degree to which
> > DNS operators (as distinct from the holders of domains) can interfere
> > with TLS authentication through this mechanism. As above, even if a
> > DNS operator falsifies DANE records, it cannot masquerade as the
> > target server unless it can also obtain a certificate for the target
> > domain.
> >
> > This seems like a mistake to me - DNS operator can always issue a
> > fraudulent usage 2/3 record, and thus skip the CA validation.
>
> Remind that the section 3.1 just discusses the "CA Constraints" which
> refers to usage 0 TLSA record but not usage 2/3 TLSA records, which
> is discussed in other sections. So, the statement "even if a DNS
> operator falsifies DANE records, it cannot masquerade as the target
> server unless it can also obtain a certificate for the target domain"
> is correct.
>
> But it can, just by updating the A/AAAA record to a server it owns.

It can masquerade as the machine hosting the server/service, not the
server/service itself.

> I vaguely remember pointing out this exact mistake in the draft. I guess
> we all kind of missed updating it in the end.
>
> Paul
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
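The disagreement in the thread is about which root of trust each TLSA certificate usage depends on: usages 0 and 1 still require the server's chain to pass the client's normal PKIX validation, whereas usages 2 and 3 let the DNSSEC-signed zone alone decide. The following added example (my own toy model, not code from the thread, the RFC or any DANE implementation) encodes the RFC 6698 usage rules as a small decision function and then checks, for each usage, whether a party that controls only the zone and presents its own self-consistent certificate chain would be accepted. Certificates are constructed byte strings standing in for DER; `pkix_valid` and `chain_consistent` are assumed inputs representing the outcome of real chain validation, and only selector 0 with SHA-256 matching is modelled.

```python
import hashlib
from dataclasses import dataclass
from typing import List

# TLSA certificate usage values from RFC 6698, section 2.1.1.
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3


@dataclass
class TLSARecord:
    usage: int
    selector: int   # 0 = full certificate (the only selector modelled here)
    matching: int   # 1 = SHA-256 (the only matching type modelled here)
    data: bytes     # certificate association data


def cert_digest(cert: bytes) -> bytes:
    return hashlib.sha256(cert).digest()


def tlsa_matches(record: TLSARecord, cert: bytes) -> bool:
    return record.selector == 0 and record.matching == 1 and record.data == cert_digest(cert)


def dane_accept(record: TLSARecord, chain: List[bytes],
                pkix_valid: bool, chain_consistent: bool) -> bool:
    """Decide whether a server's chain is accepted under one TLSA record.

    chain:            certificates as presented by the server, end entity first.
    pkix_valid:       assumed result of validating the chain against the client's
                      own configured CA trust anchors (the PKIX check RFC 6394 3.1 relies on).
    chain_consistent: assumed result of checking that each certificate is signed by
                      the next one (needed for usage 2, where the matched CA becomes the anchor).
    """
    end_entity, ca_certs = chain[0], chain[1:]
    if record.usage == PKIX_TA:   # CA constraint: PKIX must pass AND the named CA must be in the path
        return pkix_valid and any(tlsa_matches(record, c) for c in ca_certs)
    if record.usage == PKIX_EE:   # service certificate constraint: PKIX must pass AND the EE must match
        return pkix_valid and tlsa_matches(record, end_entity)
    if record.usage == DANE_TA:   # trust anchor assertion: the matched CA replaces the client's anchors
        return chain_consistent and any(tlsa_matches(record, c) for c in ca_certs)
    if record.usage == DANE_EE:   # domain-issued certificate: the EE match alone decides
        return tlsa_matches(record, end_entity)
    return False


# Constructed sample "certificates" (byte strings in place of DER); not real data.
HOLDER_EE = b"EE:example.com:signed-by:PublicCA"   # domain holder's cert from a public CA
PUBLIC_CA = b"CA:PublicCA"                           # a CA in the client's trust store
ZONE_OP_EE = b"EE:example.com:signed-by:ZoneOpCA"   # zone operator's own cert
ZONE_OP_CA = b"CA:ZoneOpCA"                          # zone operator's own CA, not in the trust store


def zone_operator_alone_suffices(usage: int) -> bool:
    """Is a party that controls only the DNS zone (TLSA plus A/AAAA records) but holds
    no certificate from a trusted CA accepted under `usage`?  Models the case raised
    in the thread: the record is replaced to match the zone operator's certificates;
    the chain is self-consistent but does not validate under the client's PKIX anchors."""
    target = ZONE_OP_CA if usage in (PKIX_TA, DANE_TA) else ZONE_OP_EE
    record = TLSARecord(usage, 0, 1, cert_digest(target))
    return dane_accept(record, [ZONE_OP_EE, ZONE_OP_CA],
                       pkix_valid=False, chain_consistent=True)


def domain_holder_accepted(usage: int) -> bool:
    """Sanity check: the legitimate holder with a public-CA chain passes under every usage."""
    target = PUBLIC_CA if usage in (PKIX_TA, DANE_TA) else HOLDER_EE
    record = TLSARecord(usage, 0, 1, cert_digest(target))
    return dane_accept(record, [HOLDER_EE, PUBLIC_CA],
                       pkix_valid=True, chain_consistent=True)


def usages_relying_solely_on_dnssec() -> List[int]:
    """Usages for which the zone content is the only root of trust.  A client that
    trusts its CA set more than the zone operator can restrict the usages it honours
    to those outside this list."""
    return [u for u in (PKIX_TA, PKIX_EE, DANE_TA, DANE_EE) if zone_operator_alone_suffices(u)]


if __name__ == "__main__":
    for u in (PKIX_TA, PKIX_EE, DANE_TA, DANE_EE):
        print(f"usage {u}: holder accepted={domain_holder_accepted(u)}, "
              f"zone operator alone suffices={zone_operator_alone_suffices(u)}")
    print("usages resting on DNSSEC alone:", usages_relying_solely_on_dnssec())
```

Running it shows the split the thread describes: usages 0 and 1 reject the zone operator's chain because PKIX validation fails, while usages 2 and 3 accept it, so for those two the integrity of the DNSSEC-signed zone (and whoever administers it) is the whole trust model. The `usages_relying_solely_on_dnssec` helper is the kind of policy hook a client could use to decide which usages it is willing to honour for a given zone.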
