On Fri, 3 Jul 2015, Yoav Nir wrote:
> Seems like a limitation of DNS security. DNSSEC can authenticate that “mallory claimed that mallory.example.com is at 8.8.8.8”, but DNSSEC does nothing to tell me whether the claim is true. Ordinarily you gain nothing by pointing your DNS name at a wrong IP address.

Yes, it is.

> This fails even without malice. Suppose both www.example.com and tools.example.com are on the same server. We can get the right identity by using IDr in IKE_AUTH or SNI in TLS. Depending on which of these you resolved last, you will get a mapping in the SPD from 93.184.216.34 to one of the public keys. You will use that to initiate IKE, and you might use the wrong one.

No, because you would either use one key for both or publish both keys in DNSSEC.

> If we really wanted secure opportunistic, we’d need to authenticate claims tying IP addresses to names. Perhaps the resource PKI from BGP security could get us there.

But I doubt that information will be easily accessible to end users. It would be nice.

Paul

_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane
