Curtis Villamizar

Time to revisit DNSSEC & DANE/TLSA discussion?

Discussion created by Curtis Villamizar on Jan 22, 2017
Latest reply on Apr 18, 2017 by Martin Seitl

Time to revisit?

 

There has been discussion on checking DNSSEC and DANE/TLS.  Prior threads are at:

 

https://community.qualys.com/message/31145?commentID=31145#comment-31145 

https://community.qualys.com/message/29916?commentID=29916#comment-29916 

https://community.qualys.com/message/30448?commentID=30448#comment-30448

Support DANE Checking (at least negative checks) 

OCSP Best Practices 

 

The most recent reply seems to be July 15, 2015 (18 months ago) in the thread:

https://community.qualys.com/message/29916?commentID=29916#comment-29916

That reply says (briefly) "we'll start to check for DANE support when that makes sense".  Browsers do support DANE but with add-ons.  In 2015 plugins for Chrome, Firefox, Opera, and Safari were available.  IE can be added to that list.

 

All major browsers currently support DNSSEC.  There is very little excuse for not checking DNSSEC on at least the A and/or AAAA lookup and that check would be very easy.  Since DNSSEC is very effective at preventing all sorts of attacks on DNS (such as rogue DHCP/DNS server on WiFi, all too common) a check with a strong penalty might be called for.  Sites that don't use DNSSEC are clearly lacking.  BTW- The 1024 bit root or gTLD argument no longer applies.

 

It also makes sense to check for DANE/TLSA and if nothing else at least provide an informational message (for now).  You check for CAA (which does nothing to thwart a rogue CA).  DANE/TLSA is effective and once deployed in browsers (by default, rather than by add-on) would make a number of unscalable bandaids such as CA pinning obsolete.  It would also be a better alternative to OSCP (again if widely implemented).

 

It would also be useful to note instances where a self-signed cert matched the DANE/TLSA record and perhaps even mark it as "trusted only in browsers with DANE/TLSA add-on installed" (perhaps with a smaller penalty).

 

Alternately if you didn't want to affect the scoring at all, you could initially just include under "Handshake Simulation" {Firefox, Chrome, Safari, IE} with cz.nic add-on and indicate whether warnings would be issues with these browsers.  This would be less desirable but better than nothing.

 

DANE/TLSA with self-signed certificates or a self-signed CA is fine for a closed community as a previous thread pointed out.  Some corporations with company issued computers and laptops add their own CA (and give the cert plus install instructions to anyone buying their own) and use it for web based apps inside the enterprise (in some cases to also snoop at the firewall which is uncool, but done).

 

DANE/TLSA would also help identify cases where there was a MITM, such as a firewall with CA cert or other snooping.  OTOH - that might be why there is so much resistance to DANE/TLSA.

 

Curtis

Outcomes