Re: wget2 | New option --dane (!522)
From: Viktor Dukhovni (@dviktor)
Subject: Re: wget2 | New option --dane (!522)
Date: Mon, 24 Apr 2023 20:52:15 +0000
Viktor Dukhovni commented on a discussion:
https://gitlab.com/gnuwget/wget2/-/merge_requests/522#note_1365441531
> I'm no expert on DNS, I confess I learned about it only two weeks ago, but I
> thought DNSSEC wasn't vulnerable to downgrade attacks owing to the way it
> works?
I am an expert in DNS, and while DNSSEC is not vulnerable to downgrades to
**insecure** responses, it is (as all distributed systems) vulnerable to denial
of service. If a DNS timeout, or other transient lookup failure (including a
"BOGUS" DNSSEC denial of existence) is tolerated and treated as absence of TLSA
records, then discovery of TLSA records is subject to downgrade for an
application that does not **mandate** TLSA record presence.

So the key question here is whether `--dane` **requires** TLSA records, or
merely *probes* for TLSA records, using them only *when found*, and what
happens when discovery of TLSA records runs into a transient failure (not
NODATA or NXDOMAIN, for which DNSSEC does provide denial of existence
authentication).

And, secondly, does "--dane" as only a fallback from WebPKI make a compelling
feature? The resulting protocol is as secure as WebPKI or DANE, whichever is
weakest (compromising *either* for a given domain lets the attacker impersonate
the peer).

So the feature as implemented rather differs from what one would expect from
RFC6698, RFC7671, RFC7435, ... What is the actual design goal here? Is it
truly to fall back to DANE when WebPKI fails (WebPKI or DANE whichever is
weaker)?
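The decision Viktor is asking about, modelled as an added example (not code from wget2 or from the merge request): a TLSA lookup through a validating resolver ends in one of five constructed outcomes, and only authenticated denial (NODATA/NXDOMAIN) may be treated as "no TLSA records", while a timeout or BOGUS result must fail closed unless the client has opted into the downgradable probe behaviour. `LookupStatus`, `TlsaResult`, `mandate_dane` and `insecure_probe` are names assumed for this model; a real client would derive the outcome from its resolver library's secure/bogus status.

```python
from dataclasses import dataclass, field
from enum import Enum


class LookupStatus(Enum):
    """Outcome of a TLSA query through a validating resolver (constructed model)."""
    SECURE = "secure"      # AD=1 and TLSA records returned
    NODATA = "nodata"      # AD=1, authenticated denial: name exists, no TLSA RRset
    NXDOMAIN = "nxdomain"  # AD=1, authenticated denial: name does not exist
    BOGUS = "bogus"        # validation failed (SERVFAIL from the validating resolver)
    TIMEOUT = "timeout"    # no answer at all; transient


@dataclass
class TlsaResult:
    status: LookupStatus
    records: list = field(default_factory=list)  # (usage, selector, mtype, data) tuples


def select_auth(result, mandate_dane, insecure_probe=False):
    """Decide how the client authenticates the peer: 'dane', 'webpki' or 'fail'.

    mandate_dane=True: TLSA records are required, every non-secure outcome fails.
    insecure_probe=True: the downgradable pattern from the discussion, where a
    transient or bogus outcome is treated the same as authenticated absence.
    """
    if result.status is LookupStatus.SECURE and result.records:
        return "dane"
    if result.status in (LookupStatus.NODATA, LookupStatus.NXDOMAIN):
        # DNSSEC proves there are no TLSA records; only a mandate makes this a failure.
        return "fail" if mandate_dane else "webpki"
    # BOGUS, TIMEOUT, or SECURE with an empty RRset: we cannot know whether TLSA
    # records exist, so treating this as "no DANE" lets anyone able to induce a
    # lookup failure strip DANE from the connection.
    if insecure_probe and not mandate_dane:
        return "webpki"
    return "fail"


def downgrade_matrix(mandate_dane):
    """Map each non-secure outcome to (fail-closed decision, insecure-probe decision)."""
    outcomes = (LookupStatus.NODATA, LookupStatus.NXDOMAIN,
                LookupStatus.BOGUS, LookupStatus.TIMEOUT)
    return {
        s.value: (select_auth(TlsaResult(s), mandate_dane),
                  select_auth(TlsaResult(s), mandate_dane, insecure_probe=True))
        for s in outcomes
    }


if __name__ == "__main__":
    for status, (strict, probe) in downgrade_matrix(mandate_dane=False).items():
        print(f"{status:9s} fail-closed={strict:7s} insecure-probe={probe}")
```

The matrix row for `timeout` is the downgrade in one line: fail-closed yields `fail`, the insecure probe yields `webpki`, so an adversary who can only cause the TLSA lookup to time out has silently removed DANE from the connection.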