On Wed, Mar 25, 2015 at 11:57:29AM -0500, Nico Williams wrote:
> > - It kind-of defeats the purpose of this WG
No, not really. DANE secures the location of the lookup service.
> > - No NSEC3-like protection from address leakage (see sections 9.2 and
> > 9.3 of RFC7033)
>
> No, if you discover the lookup service using DNSSEC and the service's
> public keys with DANE, then the lookup service is as an extension of the
> DNS, and it can provide secure non-existence answers.
One way to understand that is to think of this as a new type of DNS
delegation: instead of NS+DS records securely delegating queries
to an authoritative server that still speaks DNS, you have TLSA
(or similar, if the lookup protocol is over something more lightweight
than TLS) RRs that delegate the lookup to an authoritative server
that speaks a different protocol.
Either way, queries from the client go to the domain that controls
the names. Either way, there's scope for "directory harvesting
attacks". If we don't force the queries into the DNS:
* We don't explode DNS caches with negative TTL replies for
100's of millions of user names.
* We can eliminate hashing (needed to deal with case folding
and limits on DNS label lengths).
* Eliminating hashing makes it possible for the owner domain
to perform lookup key canonicalization.
--
Viktor.
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane
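An added illustration of the hashing point in the bullets above (example code written for this page, not from the thread or from any DANE draft): the hashed owner-name construction assumes SHA-256 truncated to 28 octets, hex-encoded, as RFC 7929 later specified for OPENPGPKEY, and the owner-domain canonicalization policy is a constructed placeholder standing in for whatever rules the domain actually applies.

```python
import hashlib
from typing import Optional

# A single DNS label is at most 63 octets (RFC 1035), which is why a
# raw local part cannot simply become a label and a hash is used instead.
MAX_LABEL_OCTETS = 63


def hashed_owner_name(local_part: str, domain: str) -> str:
    """Hash-based owner name (assumed scheme: SHA-256 of the local part,
    truncated to 28 octets, hex-encoded to 56 chars, as in RFC 7929).
    The hash covers the local part exactly as the sender typed it, so the
    publisher must pre-publish every spelling a sender might use."""
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain}."


def raw_owner_name(local_part: str, domain: str) -> Optional[str]:
    """Owner name without hashing: fails outright once the local part
    exceeds the DNS label limit."""
    if len(local_part.encode("utf-8")) > MAX_LABEL_OCTETS:
        return None
    return f"{local_part}._openpgpkey.{domain}."


def owner_domain_canonicalize(local_part: str) -> str:
    """Constructed placeholder policy: fold case and ignore dots, as some
    large mail providers do. Only the owner domain knows its real rules,
    which is exactly why it, not the querier, should apply them."""
    return local_part.lower().replace(".", "")


def lookup_service_key(local_part: str, domain: str) -> str:
    """Key a DANE-delegated lookup service can resolve: canonicalized by
    the owner domain, no hashing, no label-length constraint."""
    return f"{owner_domain_canonicalize(local_part)}@{domain.lower()}"


if __name__ == "__main__":
    # Two spellings of one mailbox: different DNS names, one service key.
    for lp in ("Alice.Smith", "alicesmith"):
        print(hashed_owner_name(lp, "example.com"),
              lookup_service_key(lp, "Example.COM"))
    # A 70-octet local part: no raw label possible, hashed label fits.
    long_lp = "a" * 70
    print(raw_owner_name(long_lp, "example.com"),
          hashed_owner_name(long_lp, "example.com"))
```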