
DANE has 4 modes of operation, indexed 0-3, with mode 3 (domain-issued certificate) allowing for self-signed certificates. Can this mode be used in a trustable manner? And if so, does that mean that traditional Certificate Authorities and their chain of trust can be made obsolete/redundant, while still relying on the chain of trust in DNSSEC?

My understanding is that it would, as long as a domain owner can prove ownership of a public key to their domain registrar/domain hosting service, in which case the domain registrar/domain hosting service will allow the domain owner to enable DANE in mode 3 by allowing the TLSA RR to be modified with, for example, a hash of the public key that the domain registrar just validated ownership of.

However, this assumes that the domain registrar/domain hosting service does authenticity/validity checks on DNS Resource Records (in this case particularly the TLSA RR) in much the same way a CA would validate ownership of a public key. Is this the case, or can a domain owner specify any data to populate their TLSA records regardless of ownership?

MShakeG
  • "and if so does that mean that traditional Certificate Authorities and their chain of trust can be made obsolete/redundant" Maybe, but since browsers do not read `TLSA` records anyway, and HTTP being the biggest user of TLS, you can't reach those benefits. – Patrick Mevzek Mar 07 '21 at 22:55
  • 1) The Registrar is not involved with DANE. 2) DANE requires that DNSSEC is active and enabled which requires the parent to publish the DS resource record. 3) You can publish self-signed certificates using DANE. Remember "can" and "should" are different things. The answer depends on the clients and servers using your certificates and your security model. – John Hanley Mar 08 '21 at 02:39
  • Regarding your last update. A DANE resource record publishes the hash of a public key. Public keys are public for everyone. The owner of the public key possesses the private key. The registrar does not care what you publish and does not validate what you publish. The trust model is based upon the private key. I sign something with the private key. You verify that signing with the public key. The DANE record allows you to know that the public key is valid or which one to use. For encryption, you look up my public key and encrypt a message. Only the private key can decrypt the message. – John Hanley Mar 09 '21 at 19:06
  • @JohnHanley That makes sense, as domain owners have no way to benefit by lying about any of their DNS RRs, but have multiple ways to harm their own interests by doing so. However, the chain of trust (in both DNSSEC and CAs) is still a major vulnerability as it's only as strong as its weakest link, so if the domain registrar/domain hosting server is hacked the entire domain subtree is vulnerable to attack. – MShakeG Mar 09 '21 at 19:15
  • There are published incidents of registrars being hacked. There is nothing you can do to prevent them from being hacked. You are overthinking the problem without understanding the fundamentals of how public key encryption works. What can a hacked registrar do to your DANE records? They can only replace the public key or corrupt the record. That would be a denial of service (DoS) for anyone that depends on validating the public key. They could not access/modify the data that is protected. For DNSSEC, modified records would result in the domain resource records failing with SERVFAIL (again DoS). – John Hanley Mar 09 '21 at 19:26
  • @JohnHanley I see, but if a hacker changes both the A/AAAA RR to point to an IP Address they control and the TLSA RR to a public key they also control of any given domain, wouldn't that basically give them full control over traffic routed to that domain if mode 3 DANE is used? – MShakeG Mar 09 '21 at 19:35
  • If the hacker can change your DNS resource records, they can just delete the DNSSEC and DANE records. Yes, they will own your domain. There are some problems that you cannot protect yourself against. You can set up monitoring and alerting (using external tools) to detect when key things change. DNSSEC is designed to allow the trust of the resource records. It does not protect against theft of the domain or the registrar. – John Hanley Mar 09 '21 at 19:47
  • @JohnHanley I see, does DNSSEC involve each parent domain registrar ONLY providing a certificate for a public key of child domain registrars? Or does the certificate ALSO include the state (possibly computed as a Merkle root of all DNS records managed by a child registrar)? In so doing, any corrupted state changes would not be accepted by the client, as changes to any DNS record would result in a Merkle root different from the one vouched for by the parent registrar; hence the client would compute the corrupted Merkle root from the provided Merkle path and detect state corruption. – MShakeG Mar 09 '21 at 20:00
  • When you "enable" DNSSEC, you provide the registrar (parent domain) with details on your DNSKEYs. This is called the DS record. They do not validate them. You can provide them junk if you want. They do validate that the fields are correct. If you do provide bad information, your domain will stop working with DNSSEC enabled resolvers. – John Hanley Mar 09 '21 at 20:06
  • DNS servers at the TLD level handle billions of requests. Anything that would get in the way of those requests would not become a standard (for the most part). Domain owners change resource records constantly. Anything like your proposed Merkle root would never get deployed. – John Hanley Mar 09 '21 at 20:06
  • I am leaving this conversation. If you have an on-topic question create a new post. – John Hanley Mar 09 '21 at 20:09
  • Appreciate the insight @JohnHanley – MShakeG Mar 09 '21 at 20:12

1 Answer

DANE can be used with self-signed certificates, and DNSSEC provides a PKI based on another hierarchy. Currently SMTP is the most practical use case for DANE TLSA records: as email doesn't care for CA-based PKI, for backwards compatibility, DANE is the solution to declare TLS encryption mandatory, and also to define which certificates to accept, whether signed by a CA or not.

However, it's better to use a valid, CA signed certificate for many reasons:

  • To be backed up with two independent PKIs.
  • For IMAP and submission. Some email clients (namely Android) only have an option to require a valid certificate for the hostname or to accept all, but not to add exceptions for self-signed certificates.
  • With Let's Encrypt it's free, so it isn't about the costs anymore.

The second paragraph has a misunderstanding: the registrar doesn't validate any of this. You are free to publish the fingerprints on DNS and the SMTP client (DANE enabled mail server) performs the validation.

Esa Jokinen
  • "To be backed up with two independent PKI" only if you trust the current "Web PKI" ecosystem. At least you should use `CAA` records and monitor CT logs for any important name to be sure no certificates are issued outside of your control. As for clients refusing a self-signed certificate even if TLSA records say it is fine (your second point), I think they are wrong and show the same erroneous vision that browsers do when they show a self-signed certificate as something being insecure. As for LE, free is great, but it also creates other problems (you need to keep the same key or update TLSA records). – Patrick Mevzek Mar 07 '21 at 22:59
  • Thanks for the answer. Why does the domain registrar not validate ownership of the public key before allowing it or its digest to be stored in the TLSA record? I guess it only harms the domain owner if they choose to deliberately add incorrect information? – MShakeG Mar 08 '21 at 06:35
  • does that mean that the domain registrar does not validate any DNS RR such as A/AAAA IP address to ensure that the domain owner does indeed own an IP? – MShakeG Mar 08 '21 at 09:55
  • That's not their job or even relevant: it's typical to point a DNS name to an IP address you don't own, like hosting services, cloud services... – Esa Jokinen Mar 08 '21 at 11:04
  • so you can lie about your IP address and the DNS server that hosts your domain will list a false A/AAAA record? – MShakeG Mar 08 '21 at 13:01
  • 1
    Well, yes, but you could lie about your bank account number, too; that doesn't harm anyone else, as it's you that won't get the money. Likewise, you pointing a hostname from your domain at someone else's IP address enables them to use it as they wish - not the other way around. – Esa Jokinen Mar 08 '21 at 14:41
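The two points the thread keeps circling back to are (a) nobody validates what goes into the TLSA record, the DANE-aware client simply compares what it sees on the wire against it, and (b) which of the four usages and which selector/matching type you pick decides what a renewal or a key swap does to you. The following is an added example, not code from the question or answer above, and stdlib-only Python: it builds the TLSA association data for a certificate (selector 0 = full DER certificate, selector 1 = SubjectPublicKeyInfo; matching type 0/1/2 = exact/SHA-256/SHA-512), prints the record in presentation format, and implements the client-side acceptance check for usages 0-3 per RFC 6698/7671. The certificate DER is a constructed, unsigned X.509-shaped toy built inline so the script runs offline (`extract_spki` walks real DER the same way); the name `_25._tcp.mail.example.com.` is hypothetical; and PKIX chain validation, needed only for usages 0 and 1, is abstracted as a caller-supplied `pkix_valid` flag rather than reimplemented.

```python
"""Build and check DANE TLSA records (RFC 6698 / RFC 7671) for a self-signed cert.
Added example for this thread, not the original poster's or answerer's code."""
import hashlib
import hmac

# --- minimal DER helpers: just enough to build a toy cert and pull out the SPKI ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value."""
    return bytes([tag]) + _der_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, end_offset) of the TLV starting at pos."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                      # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def _children(body: bytes) -> list:
    """Split a constructed DER value into its top-level child TLVs (raw bytes)."""
    out, pos = [], 0
    while pos < len(body):
        _, _, end = _read_tlv(body, pos)
        out.append(body[pos:end])
        pos = end
    return out

def extract_spki(cert_der: bytes) -> bytes:
    """DER SubjectPublicKeyInfo of an X.509 certificate (what selector 1 hashes)."""
    _, cert_body, _ = _read_tlv(cert_der, 0)       # Certificate ::= SEQUENCE
    _, tbs_body, _ = _read_tlv(_children(cert_body)[0], 0)   # tbsCertificate
    fields = _children(tbs_body)
    # v3 certs carry an EXPLICIT [0] version (tag 0xA0) first, shifting SPKI to index 6.
    return fields[6] if fields[0][0] == 0xA0 else fields[5]

# --- TLSA record construction and matching ---
def tlsa_data(cert_der: bytes, selector: int, matching_type: int) -> bytes:
    """Certificate association data for one selector / matching type."""
    blob = {0: cert_der, 1: extract_spki(cert_der)}[selector]
    return {0: blob,
            1: hashlib.sha256(blob).digest(),
            2: hashlib.sha512(blob).digest()}[matching_type]

def tlsa_record(name: str, cert_der: bytes, usage=3, selector=1, matching_type=1) -> str:
    """Presentation-format record, e.g. '_25._tcp.mail.example.com. IN TLSA 3 1 1 <hex>'."""
    data = tlsa_data(cert_der, selector, matching_type)
    return f"{name} IN TLSA {usage} {selector} {matching_type} {data.hex()}"

def tlsa_matches(usage, selector, matching_type, data, chain, pkix_valid=False) -> bool:
    """Client-side check of one TLSA record against the presented chain (leaf first).
    usage 3 DANE-EE: leaf must match, no PKIX.   usage 2 DANE-TA: some chain cert matches.
    usage 1 PKIX-EE / 0 PKIX-TA: same, but the chain must also be PKIX-valid (pkix_valid)."""
    if selector not in (0, 1) or matching_type not in (0, 1, 2):
        return False                   # unusable record: RFC 7671 says ignore it
    if usage in (0, 1) and not pkix_valid:
        return False
    candidates = chain[:1] if usage in (1, 3) else chain if usage in (0, 2) else []
    return any(hmac.compare_digest(tlsa_data(c, selector, matching_type), data)
               for c in candidates)

# --- constructed, UNSIGNED toy certificate so the example runs offline ---
def toy_cert(public_key: bytes, serial: int) -> bytes:
    """X.509-shaped DER (v3, Ed25519 OID, empty names, zeroed signature); demo input only."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2b6570")))      # 1.3.101.112 (Ed25519)
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" + public_key))
    utc = tlv(0x17, b"210101000000Z")
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02"))            # version v3
                   + tlv(0x02, bytes([serial]))              # serialNumber (< 128)
                   + alg + tlv(0x30, b"")                    # signature, issuer
                   + tlv(0x30, utc + utc) + tlv(0x30, b"")   # validity, subject
                   + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 65))

if __name__ == "__main__":
    key = bytes(range(32))                     # constructed placeholder public key
    cert_2021, cert_2022 = toy_cert(key, 1), toy_cert(key, 2)   # renewal keeps the key
    impostor = toy_cert(bytes(32), 3)          # same name, attacker-controlled key
    print(tlsa_record("_25._tcp.mail.example.com.", cert_2021))          # 3 1 1
    spki_hash, cert_hash = tlsa_data(cert_2021, 1, 1), tlsa_data(cert_2021, 0, 1)
    print("3 1 1 after renewal:", tlsa_matches(3, 1, 1, spki_hash, [cert_2022]))
    print("3 0 1 after renewal:", tlsa_matches(3, 0, 1, cert_hash, [cert_2022]))
    print("3 1 1 vs impostor:  ", tlsa_matches(3, 1, 1, spki_hash, [impostor]))
```

The run shows the practical consequence of Patrick Mevzek's Let's Encrypt remark: a `3 1 1` record keeps matching across renewals as long as the private key is reused, while a `3 0 1` record (full-certificate hash) breaks on the first renewal, and neither accepts a certificate with a different key no matter who signed it. A real deployment also needs DNSSEC on the zone and the `_port._proto.host` owner name, and for usages 0/1 the TLS stack's actual PKIX result in place of the flag.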