Seems perfectly reasonable. Just figured I’d mention it in case it had slipped by.
Support for TLSA
-
Isn’t DNSSEC required to make this useful? If someone is able to do a MITM attack on HTTPS, it won’t be a problem to forge a DNS reply too.
I guess this would not be a simple task, and the work should be a library which is actively maintained by experienced people.
-
On Fri, Apr 10, 2015 at 08:25:53AM -0700, rfc2822 wrote:
Isn’t DNSSEC required to make this useful? If someone is able to do a MITM attack on HTTPS, it won’t be a problem to forge a DNS reply too.
Yes, DNSSEC is required - but doesn’t xbill already take care of that for you? I have to admit I haven’t taken a close look at xbill yet.
-
It’s called “DANE TLS”… https://github.com/bitfireAT/davdroid/issues/3
-
Nice idea, but hard to implement (as you need to have access to a DNS resolver).
@rfc2822 said in Support for TLSA:
Isn’t DNSSEC required to make this useful?
Yes.
-
BTW why not move this thread to https://forums.bitfire.at/category/7/transport-level-security?
-
https://github.com/MiniDNS/minidns is a library for Android supporting both DNSSEC and DANE. There are probably more libraries nowadays; I found this one very fast.
-
@дилян-палаузов It should be possible to couple it with https://square.github.io/okhttp/3.x/okhttp/okhttp3/Dns.html, but I’m still not convinced that things like DNS resolving belong in every single application’s code… shouldn’t such things be solved on system level?
-
My understanding is that currently DNSSEC and DANE are considered at application level and not at OS level
-
@дилян-палаузов said in Support for TLSA:
My understanding is that currently DNSSEC and DANE are considered at application level and not at OS level
DNSSEC has to be implemented in resolvers. Do you mean that every application should have its own resolver?
-
What about leaving querying of the DNS to the OS, but doing the validation of the answers in the application?
When OpenSSH is linked with libldns it does DNSSEC validation (evaluation of the SSHFP records). Likewise, OpenDMARC has to be linked with libunbound to do DNSSEC validation.
If an application wants nowadays to do DANE/DNSSEC, it has to use the right libraries.
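The "validate in the application" approach discussed in this thread comes down to one step: match the server's certificate against a TLSA record (RFC 6698) and refuse any record whose DNS answer was not DNSSEC-validated. The following Python is an added illustration of that matching step, not code from DAVdroid or MiniDNS; the certificate and SubjectPublicKeyInfo bytes are constructed stand-ins, and extracting the real SPKI from a DER certificate is assumed to be done by the caller's X.509 library.

```python
import hashlib
from dataclasses import dataclass

# TLSA RDATA layout (RFC 6698): usage(1) selector(1) matching_type(1) data(n)
SELECTOR_FULL_CERT = 0   # data refers to the whole DER certificate
SELECTOR_SPKI = 1        # data refers to the SubjectPublicKeyInfo only
MATCH_EXACT = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes


def parse_tlsa_rdata(rdata: bytes) -> TLSARecord:
    """Parse the RDATA of a TLSA record as returned by a resolver."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    return TLSARecord(rdata[0], rdata[1], rdata[2], bytes(rdata[3:]))


def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes,
                 dnssec_validated: bool) -> bool:
    """True if the presented certificate satisfies the record's association.

    This checks only the certificate association. For usage 0/1 the normal
    PKIX validation must also succeed; usage 2 must be evaluated against
    the chain certificate that acts as trust anchor, not the leaf.
    An unvalidated answer is never trusted: a forged TLSA record would
    otherwise let the DNS attacker choose which certificate is accepted.
    """
    if not dnssec_validated:
        return False
    if record.selector == SELECTOR_FULL_CERT:
        selected = cert_der
    elif record.selector == SELECTOR_SPKI:
        selected = spki_der
    else:
        return False  # unknown selector: the record is unusable
    if record.matching_type == MATCH_EXACT:
        return selected == record.data
    if record.matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest() == record.data
    if record.matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest() == record.data
    return False  # unknown matching type: the record is unusable


# Constructed sample input: stand-ins for a DER certificate and its SPKI,
# plus a "3 1 1" record (DANE-EE, SPKI, SHA-256) derived from the SPKI.
SAMPLE_CERT = b"constructed-der-certificate-bytes"
SAMPLE_SPKI = b"constructed-spki-bytes"
SAMPLE_RDATA_3_1_1 = bytes([3, 1, 1]) + hashlib.sha256(SAMPLE_SPKI).digest()
```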