> On Jul 28, 2015, at 5:37 PM, Ian Maddison <[email protected]> wrote:
>
>> On 29 Jul 2015, at 01:46, Viktor Dukhovni <[email protected]> wrote:
>>
>> On Wed, Jul 29, 2015 at 12:42:52AM +0200, Ian Maddison wrote:
>>
>>> I'm looking for a way to run a recursive name server on a public IP address
>>> restricted to pre-configured roaming clients.
>>>
>>> Is it, or will it be, feasible to leverage DANE-TA to reliably authenticate
>>> both the clients and server in order to run this type of service?
>>
>> No, not possible.
>>
>> And I am afraid this is not an end-user help/support forum, so this
>> type of question belongs elsewhere, e.g. the BIND or unbound users
>> list, or similar.
>>
>> --
>> Viktor.
>
> Oh ok, I'm sorry about that.
>
> Although I’ve followed this list for several years, improved readability for
> one of your drafts and helped fix an error or two, it seems I may have
> missed details regarding client authentication and would appreciate a
> pointer, if that’s not too much to ask :)
The key issue I see is that you said “roaming” clients. DANE requires the cooperation of the system administrator and the operators of the DNS infrastructure. That’s great where the server administrators work with the local DNS operators, either because they are the same people or because they work for the same company. I would not trust DNS operators of “roaming” clients. I would not trust the DNS operators of a random cafe your clients are using for connectivity. I do not know of a good way for your clients to upload TLSA records each time the client gets an IP address, nor would I really trust what a coffee company tried to tell me was the right certificate information for the client even IF it were plausible that the client provided it.

DANE is really great for telling a connecting agent security information about the system it is connecting to. That would be the client and server respectively. I think the server should just require client certs in its TLS negotiation and decide if it likes or dislikes (trusts or doesn’t trust) the certificate it gets.

Take care,
Bill

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
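An added example, not from the thread or from any DANE implementation: the server-side decision Bill describes, written as a local allowlist of RFC 6698-style (selector, matching type, data) associations for the pre-configured clients, so the data that DANE would publish in DNS is instead held by the server and checked against the client certificate presented in the TLS handshake. The DER walker follows the RFC 5280 Certificate layout; the certificates themselves are constructed placeholders (no real keys or signatures), and `make_fake_cert`, `client_allowed` and the sample values are assumptions of this example.

```python
import hashlib

def _der(tag, body):                 # DER TLV, short-form length (test certs only)
    return bytes([tag, len(body)]) + body

def _tlv(buf, pos):
    """Decode the TLV at pos; return (tag, value_start, value_end)."""
    tag, ln, hdr = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                    # long-form length, as in real certificates
        nb = ln & 0x7F
        ln, hdr = int.from_bytes(buf[hdr:hdr + nb], "big"), hdr + nb
    return tag, hdr, hdr + ln

def extract_spki(cert_der):
    """Return the SubjectPublicKeyInfo TLV of a DER Certificate (RFC 5280 layout)."""
    _, tbs, _ = _tlv(cert_der, 0)    # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, tbs)  # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                  # optional explicit [0] version
        pos = end
    for _ in range(5):               # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    _, _, end = _tlv(cert_der, pos)  # subjectPublicKeyInfo
    return cert_der[pos:end]

def tlsa_data(cert_der, selector, mtype):
    """RFC 6698 data: selector 0 = full cert, 1 = SPKI; mtype 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return data
    return hashlib.new({1: "sha256", 2: "sha512"}[mtype], data).digest()

def client_allowed(cert_der, allowlist):
    """Server-side decision: the presented cert must match a locally configured association."""
    return any(tlsa_data(cert_der, s, m) == d for s, m, d in allowlist)

_ALG = _der(0x30, b"\x06\x03\x2a\x03\x04")   # placeholder AlgorithmIdentifier

def make_fake_cert(serial, key):
    """Constructed certificate-shaped DER: placeholder fields, no real signature."""
    spki = _der(0x30, _ALG + _der(0x03, b"\x00" + key))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial])) + _ALG
           + _der(0x30, b"") + _der(0x30, b"") + _der(0x30, b"") + spki)
    return _der(0x30, _der(0x30, tbs) + _ALG + _der(0x03, b"\x00sig"))

# Constructed sample: an enrolled client key, later reissued under a new serial.
CERT_A = make_fake_cert(1, b"client-A-key")
CERT_A_REISSUED = make_fake_cert(2, b"client-A-key")
CERT_B = make_fake_cert(3, b"client-B-key")
ALLOWLIST = [(1, 1, tlsa_data(CERT_A, 1, 1))]    # pin client A's SPKI by SHA-256
```

Pinning the SPKI (selector 1) lets a client keep its enrolment across a certificate reissue with the same key, while a full-certificate pin (selector 0) would reject the reissued cert; the unknown client B is rejected either way.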
