On 02.04.20 at 20:50, Lee wrote:
> On 4/1/20, Paul Wise wrote:
>> On Wed, Apr 1, 2020 at 6:01 PM vince@ wrote:
>>> Did the discussion of continuing support for DANE end??
>> In case I misled anyone, a clarification: Debian itself isn't going to actively work on removing support for DANE from anything nor removing our DANE/DNSSEC records. Support for DANE is never going to happen for the web (given the opinions of the major browser makers).
> Can you share a reference for that? I can see browsers not trusting the client DNS since they can't tell if the client resolver is using DNSSEC or not (i.e. they can't tell if the DANE answer is valid). But now that DOH is supported it seems like browsers could trust DOH servers that [promise to] do DNSSEC, so now they could trust DANE? E.g. the Firefox DOH server seems to have DNSSEC enabled:
>
> $ curl -H 'accept: application/dns-json' \
>     'https://mozilla.cloudflare-dns.com/dns-query?name=servfail.sidnlabs.nl&type=a'
> {"Status": 2,"TC": false,"RD": true, "RA": true, "AD": false,"CD": false,"Question":[{"name": "servfail.sidnlabs.nl.", "type": 1}],"Comment": "DNSSEC validation failure. Please check http://dnsviz.net/d/servfail.sidnlabs.nl/dnssec/"}
>
> so maybe the TLSA answer can be trusted?
>
> $ curl -H 'accept: application/dns-json' \
>     'https://mozilla.cloudflare-dns.com/dns-query?name=_443._tcp.debian.org&type=tlsa'
> {"Status": 0,"TC": false,"RD": true, "RA": true, "AD": true,"CD": false,"Question":[{"name": "_443._tcp.debian.org.", "type": 52}],"Answer":[{"name": "_443._tcp.debian.org.", "type": 52, "TTL": 600, "data": "3 1 1 5F33491E2B2D267F7BFF096AD0DCB4AE5A22C0BE19DB0AB6728BED942F0719FC"}]}
>
> Thanks,
> Lee

There are a few reasons why I believe that DANE / TLSA DNS RR answers are quite trustworthy:
* DNS responses are much faster than establishing a TCP connection (1.5 RTT), usually only about 40 ms, also because DNS servers tend to be near the user, if not provided by the ISP, while the server you want to contact is usually in another country or another federal state. As we know from the Snowden revelations, spoofing connections only works if the spoofed response is faster than the original response. My idea about it is that the NSA and related intelligence agencies simply do not have an infrastructure to spoof DNS responses.
* There is a public/private key signing infrastructure for DANE as well, but I consider that more secure than a GPG private key used on a system with emailing or web browsing. I believe it is much harder to get into a server than to get into a client.

Finally, DANE was invented to restore trust in the internet, as it was there initially when there was no Operation Quantum Insert or similar operations. I'd believe the DANE system has been designed securely so as to serve its purpose. Lastly, my own practical experience with DANE is very positive. It appeared to be the only way to prevent site spoofing:
https://lists.debian.org/debian-security/2020/01/threads.html
https://lists.debian.org/debian-security/2020/02/threads.html
https://lists.debian.org/debian-security/2020/03/threads.html

The reason why browser developers have not adopted DANE yet is that they side with intelligence (secret services), as the following bug report shows me:

https://bugzilla.mozilla.org/show_bug.cgi?id=1606802

I had also linked this report in my previous discussion at debian-security.
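An added example, not code from anyone in this thread, showing the two things Lee's curl output is getting at: a DoH client must refuse a TLSA answer unless the rcode is NOERROR and the AD (Authenticated Data) bit is set, and only then may it compare the record against the certificate the server presents. The two dns-json answers are copied verbatim from the quoted curl output; the certificate bytes, the "pinned" answer built from them, and the helper names (tlsa_records_from_doh, dane_accepts, check) are constructed for illustration. One caveat a practitioner should keep in mind: the AD bit is only worth anything if the path to the resolver is itself authenticated (here, the DoH TLS session), since a plain UDP answer can carry any flags an attacker likes. Standard library only.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    """One TLSA record (RFC 6698) in parsed form."""
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data

    @classmethod
    def from_presentation(cls, text: str) -> TLSA:
        """Parse presentation form, e.g. '3 1 1 5F33...' as returned by dns-json."""
        usage, selector, matching, hexdata = text.split(None, 3)
        return cls(int(usage), int(selector), int(matching),
                   bytes.fromhex(hexdata.replace(" ", "")))


class UntrustedAnswer(Exception):
    """Raised when a DoH answer must not be used for DANE decisions."""


def tlsa_records_from_doh(doh_json: str) -> list[TLSA]:
    """Extract TLSA records from a dns-json reply, applying the two checks a
    DANE client needs: rcode must be NOERROR (0) and the AD bit must be set,
    i.e. the resolver reports it DNSSEC-validated the answer."""
    reply = json.loads(doh_json)
    if reply.get("Status") != 0:
        raise UntrustedAnswer(
            f"rcode {reply.get('Status')}: {reply.get('Comment', 'no comment')}")
    if reply.get("AD") is not True:
        raise UntrustedAnswer("AD bit clear: answer was not DNSSEC-validated")
    return [TLSA.from_presentation(rr["data"])
            for rr in reply.get("Answer", []) if rr.get("type") == 52]


def tlsa_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Apply selector and matching type to one certificate.  Records with
    unknown parameter values are unusable and never match (RFC 7671)."""
    selected = {0: cert_der, 1: spki_der}.get(record.selector)
    if selected is None:
        return False
    if record.matching == 0:
        return selected == record.data
    digest = {1: hashlib.sha256, 2: hashlib.sha512}.get(record.matching)
    return digest is not None and digest(selected).digest() == record.data


def dane_accepts(records: list[TLSA], chain: list[tuple[bytes, bytes]],
                 pkix_valid: bool) -> bool:
    """True if the presented chain (leaf first, entries (cert_der, spki_der))
    satisfies any record.  Usages 0/1 additionally require ordinary PKIX
    validation to have succeeded; usages 2/3 replace it entirely."""
    leaf, issuers = chain[0], chain[1:]
    for rr in records:
        if rr.usage in (0, 1) and not pkix_valid:
            continue
        if rr.usage in (1, 3) and tlsa_matches(rr, *leaf):
            return True                      # end-entity constraint: leaf only
        if rr.usage in (0, 2) and any(tlsa_matches(rr, *c) for c in issuers):
            return True                      # trust-anchor constraint: an issuer
    return False


# Answers exactly as curl printed them in the thread (Cloudflare dns-json).
SERVFAIL_ANSWER = ('{"Status": 2,"TC": false,"RD": true, "RA": true, "AD": false,'
                   '"CD": false,"Question":[{"name": "servfail.sidnlabs.nl.", "type": 1}],'
                   '"Comment": "DNSSEC validation failure. Please check '
                   'http://dnsviz.net/d/servfail.sidnlabs.nl/dnssec/"}')
DEBIAN_ANSWER = ('{"Status": 0,"TC": false,"RD": true, "RA": true, "AD": true,"CD": false,'
                 '"Question":[{"name": "_443._tcp.debian.org.", "type": 52}],'
                 '"Answer":[{"name": "_443._tcp.debian.org.", "type": 52, "TTL": 600, '
                 '"data": "3 1 1 5F33491E2B2D267F7BFF096AD0DCB4AE5A22C0BE19DB0AB6728BED942F0719FC"}]}')

# Constructed stand-in certificate bytes: not real DER and not debian.org's chain.
LEAF_CERT, LEAF_SPKI = b"constructed-leaf-cert", b"constructed-leaf-spki"
CA_CERT, CA_SPKI = b"constructed-ca-cert", b"constructed-ca-spki"
CHAIN = [(LEAF_CERT, LEAF_SPKI), (CA_CERT, CA_SPKI)]

# Constructed answer whose DANE-EE record pins LEAF_SPKI by SHA-256 (3 1 1).
PINNED_ANSWER = json.dumps({"Status": 0, "AD": True, "Answer": [
    {"type": 52, "data": "3 1 1 " + hashlib.sha256(LEAF_SPKI).hexdigest()}]})


def check(answer_json: str, chain=CHAIN, pkix_valid: bool = False) -> tuple[bool, str]:
    """Return (accepted, reason) for one DoH answer and the presented chain."""
    try:
        records = tlsa_records_from_doh(answer_json)
    except UntrustedAnswer as exc:
        return False, f"answer rejected: {exc}"
    if not records:
        return False, "no TLSA records: fall back to plain PKIX"
    return dane_accepts(records, chain, pkix_valid), "TLSA evaluated"


if __name__ == "__main__":
    for name, answer in (("servfail", SERVFAIL_ANSWER), ("debian.org", DEBIAN_ANSWER),
                         ("pinned", PINNED_ANSWER)):
        print(f"{name:>10}: {check(answer)}")
```

The debian.org record is evaluated against the constructed chain and therefore does not match, which is the correct outcome: a DANE-EE (usage 3) pin must reject any leaf whose SPKI hash differs, no matter what a CA says about it. The servfail answer never reaches matching at all, because the rcode check comes first.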