2012/10/24 Paul Wouters <[email protected]>

> On Wed, 24 Oct 2012, Guangqing Deng wrote:
>
>> usage 0 TLSA record but not usage 2/3 TLSA records, which
>> is discussed in other sections. So, the statement “even if a
>> DNS operator falsifies DANE records, it cannot masquerade as the target
>> server unless it can also obtain a certificate for the target
>> domain” is correct.
>>
>>
>> But it can, just by updating the A/AAAA record to a server it owns.
>>
>>
>> What you pointed out is about the incorrect configuration of DNS resource
>> records, which may be another
>> story. Just as previously discussed in this mailing list, DNSSEC may add
>> data integrity protection and data
>> origin authentication but definitely not the trustworthiness for the DNS
>> resource records that it protects.
>> If the DNS operator is going to do something bad (such as incorrectly
>> configuring DNS resource records)
>> intentionally or unintentionally, DNSSEC cannot stop the DNS operator
>> from doing that.
>>
>
> And if DNSSEC TLSA records claim things about PKIX, that can be changed
> too.
>

Definitely, DNSSEC TLSA records claiming things about PKIX can be changed
by the DNS operator. And one goal of the DANE protocol is to restrict the scope
of certificates used by the TLS client to authenticate the TLS server. For
example, the DNS operator can put the public key of a specific CA in the TLSA
record to tell the TLS client that only certificates issued by that CA
are reliable. If the currently recommended CA is not reliable any more, of
course, the DNS operator can modify the TLSA record and add the information of
a newly chosen CA in the TLSA record.


>
> So I still don't understand your point (or Mark's)
>
> Paul
>



-- 
Guangqing Deng
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
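The point argued in this message (a usage 0 TLSA record narrows which CA the client will accept, and the DNS operator can re-point that record to a different CA) can be made concrete with a small model of the TLSA matching rules from RFC 6698. The following is an added example, not code from the thread or from any DANE implementation. It goes slightly beyond the message by covering all four certificate usages (0 to 3), both selectors and the three matching types. Certificates are stand-ins: the `Certificate` class holds constructed byte strings where real DER and SubjectPublicKeyInfo encodings would be, the `pkix_valid` flag stands in for a real PKIX path validation, and the CA and server names are invented.

```python
"""
Added example (not part of the mailing-list thread): a model of how a DANE TLSA
record (RFC 6698) restricts which certificates a TLS client accepts.
Certificates are constructed stand-ins, not real X.509 objects; the matching
logic follows the usage / selector / matching-type semantics of RFC 6698.
"""
import hashlib
from dataclasses import dataclass

# RFC 6698 field values
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3      # certificate usage
SEL_FULL_CERT, SEL_SPKI = 0, 1                         # selector
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2      # matching type


@dataclass(frozen=True)
class Certificate:
    """Constructed stand-in for an X.509 certificate (assumed, not real DER)."""
    name: str
    der: bytes    # would be the full DER-encoded certificate
    spki: bytes   # would be the DER-encoded SubjectPublicKeyInfo


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes   # certificate association data

    def presentation(self, owner: str) -> str:
        """Zone-file form, e.g. '_443._tcp.example.com. IN TLSA 0 1 1 <hex>'."""
        return (f"{owner} IN TLSA {self.usage} {self.selector} "
                f"{self.matching_type} {self.data.hex()}")


def association_data(cert: Certificate, selector: int, matching_type: int) -> bytes:
    """Derive the association data a TLSA record would carry for this cert."""
    selected = cert.der if selector == SEL_FULL_CERT else cert.spki
    if matching_type == MATCH_EXACT:
        return selected
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def make_tlsa(cert: Certificate, usage: int, selector: int, matching_type: int) -> TLSARecord:
    """Build the TLSA record a zone operator would publish to pin `cert`."""
    return TLSARecord(usage, selector, matching_type,
                      association_data(cert, selector, matching_type))


def tlsa_accepts(record: TLSARecord, chain: list[Certificate], pkix_valid: bool) -> bool:
    """Decide whether a server chain (end entity first) satisfies one TLSA record.

    Usages 0 and 1 only constrain an otherwise PKIX-valid chain; usages 2 and 3
    replace PKIX validation with the DANE association. Simplification: for
    usage 2 a real client must still build a path from the end entity up to
    the matched trust anchor; here the anchor only has to appear in the chain.
    """
    if record.usage in (PKIX_TA, PKIX_EE) and not pkix_valid:
        return False

    def matches(cert: Certificate) -> bool:
        return association_data(cert, record.selector, record.matching_type) == record.data

    if record.usage in (PKIX_EE, DANE_EE):
        return matches(chain[0])
    # PKIX-TA / DANE-TA: the pinned certificate must appear as an issuer in the chain
    return any(matches(cert) for cert in chain[1:])


# Constructed sample material: these bytes stand in for DER encodings.
CA_A = Certificate("CA A", b"DER:ca-a", b"SPKI:ca-a")
CA_B = Certificate("CA B", b"DER:ca-b", b"SPKI:ca-b")
SERVER_VIA_A = Certificate("server issued by CA A", b"DER:srv-a", b"SPKI:srv-a")
SERVER_VIA_B = Certificate("server issued by CA B", b"DER:srv-b", b"SPKI:srv-b")
CHAIN_A = [SERVER_VIA_A, CA_A]
CHAIN_B = [SERVER_VIA_B, CA_B]


def scenario() -> dict:
    """Usage 0 (PKIX-TA) pins CA A while both CAs sit in the client's trust store."""
    pin_a = make_tlsa(CA_A, PKIX_TA, SEL_SPKI, MATCH_SHA256)
    pin_b = make_tlsa(CA_B, PKIX_TA, SEL_SPKI, MATCH_SHA256)  # operator re-points the record
    ee_pin = make_tlsa(SERVER_VIA_A, DANE_EE, SEL_SPKI, MATCH_SHA256)
    return {
        "pin_a_accepts_chain_a": tlsa_accepts(pin_a, CHAIN_A, pkix_valid=True),
        "pin_a_accepts_chain_b": tlsa_accepts(pin_a, CHAIN_B, pkix_valid=True),
        "pin_b_accepts_chain_b": tlsa_accepts(pin_b, CHAIN_B, pkix_valid=True),
        "usage0_without_pkix": tlsa_accepts(pin_a, CHAIN_A, pkix_valid=False),
        "usage3_without_pkix": tlsa_accepts(ee_pin, CHAIN_A, pkix_valid=False),
    }


if __name__ == "__main__":
    print(make_tlsa(CA_A, PKIX_TA, SEL_SPKI, MATCH_SHA256).presentation("_443._tcp.example.com."))
    for check, result in scenario().items():
        print(f"{check}: {result}")
```

Running `scenario()` shows both halves of the argument: with the record pinning CA A, a PKIX-valid chain from CA B is rejected, and a usage 0 record never rescues a chain that fails PKIX validation; once the operator rewrites the record to pin CA B, the CA B chain is accepted, which is exactly the "the operator can change it" case, and with usage 3 the association alone decides, with no PKIX check at all.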