Not if you use another approach as well as a signature. This means that if the two nodes know the IP address of each other, then nobody can play a role of MITM if they are using CGA-TSIG (http://tools.ietf.org/html/draft-rafiee-intarea-cga-tsig) as a means of DNS authentication.
Hosnieh From: [email protected] [mailto:[email protected]] On Behalf Of Karl Malbrain Sent: Wednesday, September 25, 2013 9:38 PM To: Hosnieh Rafiee Cc: 'perpass'; 'Stephen Farrell' Subject: Re: [perpass] DNS confidentiality Yes, MITM can be prevented if you have a copy of the public certificate obtained through exteriour means to check the signature over the data. If your certificate is provided by MITM you naturally lose that signature protection. From: Hosnieh Rafiee <[email protected]> To: 'Karl Malbrain' <[email protected]> Cc: 'perpass' <[email protected]>; 'Stephen Farrell' <[email protected]> Sent: Tuesday, September 24, 2013 2:08 PM Subject: Re: [perpass] DNS confidentiality MITM attack can be prevented by signing the data. Please check cga-tsig draft. Hosnieh From: [email protected] [mailto:[email protected]] On Behalf Of Karl Malbrain Sent: Tuesday, September 24, 2013 10:31 PM To: Stephen Farrell; perpass Subject: Re: [perpass] DNS confidentiality To obviate the harvesting of meta-data, we do need a secure interface to DNS. MITM resistance (authentication) is also going to be required in DNS server connections. Maybe well known certificates for DNS servers incorporated into browser software Given the reluctance of browser writers to implement DANE, we're going to need something like encrypted QUIC available as a transport first. Karl Malbrain From: Stephen Farrell <[email protected]> To: perpass <[email protected]> Sent: Tuesday, September 24, 2013 1:43 AM Subject: [perpass] DNS confidentiality Hiya, I've not seen mention of this so far here that I recall. Even as we improve the security of loads of protocols, there will still be issues with meta-data monitoring based on DNS queries for example. This point was sort of raised on the IETF list e.g. in [1]. DNSSEC doesn't provide any confidentiality. There are proposals that do try do that. Do we think this is worth looking at? If so, anyone up for doing some work on that? If so, how, or starting from what? S. [1] http://www.ietf.org/mail-archive/web/ietf/current/msg82696.html _______________________________________________ perpass mailing list [email protected] https://www.ietf.org/mailman/listinfo/perpass _______________________________________________ perpass mailing list [email protected] https://www.ietf.org/mailman/listinfo/perpass
_______________________________________________ perpass mailing list [email protected] https://www.ietf.org/mailman/listinfo/perpass
