On 02.04.20 at 20:50, Lee wrote:
On 4/1/20, Paul Wise wrote:
On Wed, Apr 1, 2020 at 6:01 PM vince@ wrote:

Did the discussion of continuing support for DANE end??

In case I mislead anyone, a clarification:

Debian itself isn't going to actively work on removing support for
DANE from anything nor removing our DANE/DNSSEC records.

Support for DANE is never going to happen for the web (given the
opinions of the major browser makers)

Can you share a reference for that?

I can see browsers not trusting the client DNS since they can't tell
if the client resolver is using DNSSEC or not (i.e. they can't tell if
the DANE answer is valid). But now that DoH is supported it seems
like browsers could trust DoH servers that [promise to] do DNSSEC, so
now they could trust DANE?

e.g. the Firefox DoH server seems to have DNSSEC enabled:

$ curl -H 'accept: application/dns-json' \
    'https://mozilla.cloudflare-dns.com/dns-query?name=servfail.sidnlabs.nl&type=a'
{"Status": 2,"TC": false,"RD": true, "RA": true, "AD": false,"CD": false,
 "Question":[{"name": "servfail.sidnlabs.nl.", "type": 1}],
 "Comment": "DNSSEC validation failure. Please check http://dnsviz.net/d/servfail.sidnlabs.nl/dnssec/"}

so maybe the TLSA answer can be trusted?

$ curl -H 'accept: application/dns-json' \
    'https://mozilla.cloudflare-dns.com/dns-query?name=_443._tcp.debian.org&type=tlsa'
{"Status": 0,"TC": false,"RD": true, "RA": true, "AD": true,"CD": false,
 "Question":[{"name": "_443._tcp.debian.org.", "type": 52}],
 "Answer":[{"name": "_443._tcp.debian.org.", "type": 52, "TTL": 600,
            "data": "3 1 1 5F33491E2B2D267F7BFF096AD0DCB4AE5A22C0BE19DB0AB6728BED942F0719FC"}]}

Thanks,
Lee

There are a few reasons why I believe that DANE / TLSA DNS RR answers are quite trustworthy:

* DNS responses are much faster than establishing a TCP connection (1.5 RTT), usually only about 40 ms, also because DNS servers tend to be near the user, if not provided by the ISP, while the server you want to contact is usually in another country or another federal state. As we know from the Snowden revelations, spoofing connections only works if the spoofed response is faster than the original response. My idea about it is that the NSA and related intelligence agencies simply do not have an infrastructure to spoof DNS responses.

* There is a public/private key signing infrastructure for DANE as well, but I consider that more secure than a GPG private key used on a system that is also used for e-mail or web browsing. I believe it is much harder to get into a server than it is to get into a client.

Finally, DANE was invented to restore trust in the internet, as it existed initially, before operation Quantum Insert or similar operations. I would believe the DANE system has been designed securely so as to serve its purpose. Finally, my own practical experience with DANE is very positive. It appeared to be the only way to prevent site spoofing:
https://lists.debian.org/debian-security/2020/01/threads.html
https://lists.debian.org/debian-security/2020/02/threads.html
https://lists.debian.org/debian-security/2020/03/threads.html

The reason why browser developers have not adopted DANE yet is that they side with intelligence (secret services), as the following bug report shows me:
https://bugzilla.mozilla.org/show_bug.cgi?id=1606802

I had also linked this report in my previous discussion at debian-security.
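Lee's two curl queries above hinge on the AD (Authenticated Data) flag of the DoH JSON answer: only an answer the resolver reports as DNSSEC-validated may feed a DANE check. The following is an added example, not code from this thread, from Debian or from Mozilla. It parses the two DoH answers Lee posted (embedded here as sample input, plus a constructed variant with AD cleared), returns TLSA records only when Status is 0 and AD is set, and checks a "3 1 1" record (DANE-EE, SubjectPublicKeyInfo, SHA-256, per RFC 6698/7218) against key bytes. The key bytes are a constructed stand-in, not debian.org's real SubjectPublicKeyInfo, which is not on the page; the real record is therefore shown not to match them.

```python
"""Added example (not from the thread): treat a DoH JSON answer as a DANE client
would, and match TLSA records against key material. Standard library only."""
import hashlib
import json
from dataclasses import dataclass
from typing import List

TLSA_RRTYPE = 52

# DoH JSON answers as posted by Lee, embedded here as sample input so the code
# runs offline. Whitespace between JSON tokens is irrelevant to json.loads.
DOH_ANSWER_SERVFAIL = """{"Status": 2,"TC": false,"RD": true, "RA": true, "AD": false,"CD": false,
 "Question":[{"name": "servfail.sidnlabs.nl.", "type": 1}],
 "Comment": "DNSSEC validation failure. Please check http://dnsviz.net/d/servfail.sidnlabs.nl/dnssec/"}"""

DOH_ANSWER_OK = """{"Status": 0,"TC": false,"RD": true, "RA": true, "AD": true,"CD": false,
 "Question":[{"name": "_443._tcp.debian.org.", "type": 52}],
 "Answer":[{"name": "_443._tcp.debian.org.", "type": 52, "TTL": 600,
            "data": "3 1 1 5F33491E2B2D267F7BFF096AD0DCB4AE5A22C0BE19DB0AB6728BED942F0719FC"}]}"""


@dataclass(frozen=True)
class TLSA:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes


def parse_tlsa_rdata(text: str) -> TLSA:
    """Parse presentation-format TLSA RDATA such as '3 1 1 5F33...'."""
    fields = text.split()
    if len(fields) < 4:
        raise ValueError("TLSA RDATA needs usage, selector, matching type and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage > 3 or selector > 1 or mtype > 2:
        raise ValueError("unknown TLSA usage/selector/matching type")
    # The hex blob may be split across whitespace in presentation format.
    return TLSA(usage, selector, mtype, bytes.fromhex("".join(fields[3:])))


def trusted_tlsa_records(doh_json: str, owner: str) -> List[TLSA]:
    """TLSA records from a DoH JSON answer, but only if Status is 0 (NOERROR)
    and AD is set. Without AD the data was not DNSSEC-validated and is useless
    for DANE. A validating resolver reports a DNSSEC failure as Status 2
    (SERVFAIL), which yields no records here."""
    msg = json.loads(doh_json)
    if msg.get("Status") != 0 or not msg.get("AD"):
        return []
    return [parse_tlsa_rdata(rr["data"]) for rr in msg.get("Answer", [])
            if rr.get("type") == TLSA_RRTYPE
            and rr.get("name", "").lower() == owner.lower()]


def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare one DANE-EE record with the server's end-entity certificate.
    The selector chooses the object (whole DER certificate or its DER
    SubjectPublicKeyInfo), the matching type chooses the comparison. Usages
    0-2 are out of scope here: they need PKIX or trust-anchor chain checks."""
    if record.usage != 3:
        raise NotImplementedError("only DANE-EE (usage 3) is handled in this example")
    obj = spki_der if record.selector == 1 else cert_der
    if record.matching_type == 0:
        return obj == record.data
    digest = hashlib.sha256 if record.matching_type == 1 else hashlib.sha512
    return digest(obj).digest() == record.data


def demo() -> dict:
    owner = "_443._tcp.debian.org."
    # Constructed stand-in key material; NOT debian.org's real key or certificate.
    fake_spki = b"\x30\x59\x30\x13" + bytes(range(87))
    fake_cert = b"\x30\x82\x02\x00" + fake_spki
    # The '3 1 1' record an operator would publish for that stand-in key.
    own_record = parse_tlsa_rdata("3 1 1 " + hashlib.sha256(fake_spki).hexdigest().upper())
    # Same answer as Lee's, but with AD cleared: must be rejected.
    no_ad = json.loads(DOH_ANSWER_OK)
    no_ad["AD"] = False
    debian_records = trusted_tlsa_records(DOH_ANSWER_OK, owner)
    return {
        "servfail_records": len(trusted_tlsa_records(DOH_ANSWER_SERVFAIL, "servfail.sidnlabs.nl.")),
        "no_ad_records": len(trusted_tlsa_records(json.dumps(no_ad), owner)),
        "debian_records": len(debian_records),
        "fake_key_matches_own_record": tlsa_matches(own_record, fake_cert, fake_spki),
        "fake_key_matches_debian_record": tlsa_matches(debian_records[0], fake_cert, fake_spki),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the AD flag here is set by the DoH server, not verified by the client; trusting it only moves the DNSSEC trust from the local resolver to the DoH operator, which is the "[promise to] do DNSSEC" condition in Lee's message. A client that wants to validate DNSSEC itself must fetch and check the RRSIG chain instead of relying on AD.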
