Support for TLSA

rfc2822

Isn’t DNSSEC required to make this useful? If someone is able to do a MITM attack on HTTPS, it won’t be a problem to forge a DNS reply too.

I guess this would not be a simple task, and the work should be a library which is actively maintained by experienced people.

AutoImport-jelmer

On Fri, Apr 10, 2015 at 08:25:53AM -0700, rfc2822 wrote:

Isn’t DNSSEC required to make this useful? If someone is able to do a MITM attack on HTTPS, it won’t be a problem to forge a DNS reply too.
Yes, DNSSEC is required - but doesn’t xbill already take care of that for you?

I have to admit I haven’t taken a close look at xbill yet.

AutoImport-ddblack

It’s called “DANE TLS”… https://github.com/bitfireAT/davdroid/issues/3

rugk

Nice idea, but hard to implement (as you need to have access to a DNS resolver).

@rfc2822 said in Support for TLSA:

Isn’t DNSSEC required to make this useful?

Yes.

rugk

BTW why not move this thread to https://forums.bitfire.at/category/7/transport-level-security?

Дилян Палаузов

https://github.com/MiniDNS/minidns is library for Android supporting both DNSSEC and DANE. There are propably more libraries nowadays, I found this one very fast.

rfc2822

@дилян-палаузов It should be possible to couple it with https://square.github.io/okhttp/3.x/okhttp/okhttp3/Dns.html, but I’m still not convinced that things like DNS resolving belong into every single application’s code… shouldn’t such things be solved on system level?

Дилян Палаузов

My understanding is that curently DNSSEC and DANE are considered at application level and not at OS level

rfc2822

@дилян-палаузов said in Support for TLSA:

My understanding is that curently DNSSEC and DANE are considered at application level and not at OS level

DNSSEC has to be implemented in resolvers. Do you mean that every application should have its own resolver?

Дилян Палаузов

What about leaving quering of the DNS to the OS, but doing the validation of the answers in the application?

When openssh is linked with libldns is does DNSSEC validatation (evaluation of the SSHPF records). So has openDmarc to be linked with libunbound to do DNSSEC validation.

If an application wants nowadays to do DANE/DNSSEC is has to use the right libraries.

Support for TLSA

Similar topics

Only birthday and anniversary dates for a contact
Ideas, future talk, development • enhancement • • herz_AG

nextCloud Calendar Subscription not shown
Ideas, future talk, development • solved enhancement nextcloud • • alan

Support a secure set of encryption settings (including TLSv1.2) by default
DAVx⁵ • 3rd-party issue enhancement • • rfc2822

Support for TLSA

Similar topics

Only birthday and anniversary dates for a contact Ideas, future talk, development • enhancement • • herz_AG

nextCloud Calendar Subscription not shown Ideas, future talk, development • solved enhancement nextcloud • • alan

Support a secure set of encryption settings (including TLSv1.2) by default DAVx⁵ • 3rd-party issue enhancement • • rfc2822

Only birthday and anniversary dates for a contact
Ideas, future talk, development • enhancement • • herz_AG

nextCloud Calendar Subscription not shown
Ideas, future talk, development • solved enhancement nextcloud • • alan

Support a secure set of encryption settings (including TLSv1.2) by default
DAVx⁵ • 3rd-party issue enhancement • • rfc2822