[Standards] Unsigned DANE records for TLS assertions

Michal 'vorner' Vaner vorner at vorner.cz
Sat Nov 23 13:37:24 UTC 2013


On Fri, Nov 22, 2013 at 10:07:51AM +0000, Dave Cridland wrote:
>  - If an attacker removes the record by fiddling with the DNS, then they
> can mount an MITM attack. Note that they can also fiddle the DNS into
> redirecting the connection too. It's not clear if this makes things any
> harder than before.
>  - If an attacker adds in a TLSA record, this could act as a denial of
> service.
> On reflection, I'm not sure if this is actually an overall benefit, but I
> thought I'd throw the idea out.

I didn't read the RFC, but my impression was that it mandated that TLSA is always
signed by DNSSEC. So, the right thing should probably be to ignore and warn
about unsigned TLSA records, not to honor them.

With regards

Look! Behind you!

Michal 'vorner' Vaner
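The handling policy argued for in the reply above, as an added example that is not part of this thread or of any XMPP project's code: a DANE client gates TLSA records on the resolver's DNSSEC validation state before matching them against the server certificate, so an unsigned ("insecure") RRset is ignored and the client falls back to its ordinary certificate validation. The validation-state names follow RFC 6698 section 4.1; the certificate bytes, TLSA data and the hard-fail policy for a "bogus" RRset are this example's own assumptions.

```python
"""Added example: gating TLSA records on DNSSEC validation before use.

Assumptions (constructed for this example, not from the thread):
  - the resolver reports the TLSA RRset's DNSSEC state as one of
    "secure", "insecure", "bogus" or "indeterminate";
  - the certificate and SubjectPublicKeyInfo below are fabricated bytes,
    not real DER;
  - a "bogus" RRset is treated as a hard failure (this example's policy).
"""
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class TLSARecord:
    usage: int          # RFC 6698 certificate usage: 0-3 (3 = DANE-EE)
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact data, 1 = SHA-256, 2 = SHA-512
    data: bytes


def usable_tlsa_records(records: List[TLSARecord], validation_state: str) -> List[TLSARecord]:
    """Return the records the client may act on, or raise for a bogus RRset.

    secure                  -> records may be used for DANE
    insecure/indeterminate  -> DANE does not apply; return [] so the caller
                               falls back to non-DANE validation (unsigned
                               records are ignored, not honoured)
    bogus                   -> DNSSEC validation failed; refuse to proceed
    """
    if validation_state == "bogus":
        raise ValueError("TLSA RRset failed DNSSEC validation; abort connection")
    if validation_state != "secure":
        return []
    return list(records)


def matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Check one TLSA record against the presented certificate."""
    selected = cert_der if record.selector == 0 else spki_der
    if record.matching_type == 0:
        return selected == record.data
    if record.matching_type == 1:
        return hashlib.sha256(selected).digest() == record.data
    if record.matching_type == 2:
        return hashlib.sha512(selected).digest() == record.data
    return False  # unknown matching type: treat the record as unusable


def dane_decision(records: List[TLSARecord], validation_state: str,
                  cert_der: bytes, spki_der: bytes) -> str:
    """DNSSEC gate first, then certificate matching.

    Returns "pkix-fallback", "dane-ok" or "dane-mismatch"; raises on bogus.
    Only usages 1 (PKIX-EE) and 3 (DANE-EE) are matched here; usage 1 would
    additionally need normal PKIX chain validation, and usages 0/2 need
    trust-anchor processing that this example does not implement.
    """
    usable = usable_tlsa_records(records, validation_state)
    if not usable:
        return "pkix-fallback"
    for rec in usable:
        if rec.usage in (1, 3) and matches(rec, cert_der, spki_der):
            return "dane-ok"
    return "dane-mismatch"


# Constructed sample data (not real certificates).
CERT_DER = b"constructed-certificate-bytes"
SPKI_DER = b"constructed-spki-bytes"
REC_OK = TLSARecord(3, 0, 1, hashlib.sha256(CERT_DER).digest())
REC_WRONG = TLSARecord(3, 1, 1, hashlib.sha256(b"some-other-key").digest())


def demo() -> dict:
    """Walk through the states a client can see for the same RRset."""
    out = {
        "signed": dane_decision([REC_OK], "secure", CERT_DER, SPKI_DER),
        "unsigned": dane_decision([REC_OK], "insecure", CERT_DER, SPKI_DER),
        "signed_wrong": dane_decision([REC_WRONG], "secure", CERT_DER, SPKI_DER),
    }
    try:
        dane_decision([REC_OK], "bogus", CERT_DER, SPKI_DER)
        out["bogus"] = "proceeded"
    except ValueError:
        out["bogus"] = "aborted"
    return out


if __name__ == "__main__":
    print(demo())
```

The two DoS cases from the quoted mail fall out of the gate: an attacker who injects an unsigned TLSA record gets "pkix-fallback" rather than a mismatch, and one who strips a signed record leaves the resolver reporting "bogus" (missing or invalid denial-of-existence proof) rather than "insecure", which is why the decision has to be made on the validation state and not merely on whether a record was returned.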