Wednesday , October 28 2020

DNSSEC: DANE chain for browsers is practically dead

The project to extend the DNSSEC chain into TLS has officially expired, as the documentation of the Internet Engineering Task Force (IETF) shows. APNIC's chief scientist, Geoff Huston, reports on the organization's blog that the extension has evidently been "orphaned". This was discussed at a meeting of DNS operators and researchers (DNS-OARC).


The DNSSEC chain extension was originally intended to bring the security and trust gains associated with DANE and DNSSEC to browsers as well. That will probably not happen now. DNSSEC signs DNS records, which authenticates the responses of the DNS protocol. Users can thus be sure that the IP address they obtain actually belongs to the requested domain.

The DNS-based Authentication of Named Entities (DANE) protocol builds on this and pursues the idea of distributing further information via DNS responses, provided they are secured and therefore trustworthy. The implicit promise was to neutralize the ailing system of certificate authorities for TLS. For example, certificate fingerprints can be distributed via DANE and then be trusted. A commentary published four years ago described the many issues with DNSSEC and also with DANE in more detail and also explained protocol details.
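As an added illustration (not part of the article), here is how a TLS client would check a server certificate against a DANE TLSA record of the kind the article mentions. The TLSA field layout follows RFC 6698; the certificate and key bytes are constructed stand-ins, and only the DANE-EE usage (trust the published fingerprint directly, no CA involved) is implemented.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for a DER-encoded certificate and its SubjectPublicKeyInfo;
# a real client would take both from the certificate the TLS server presents.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-certificate-bytes"
SAMPLE_SPKI_DER = b"\x30\x59constructed-subject-public-key-info"

@dataclass(frozen=True)
class TLSA:
    """One TLSA record as defined in RFC 6698 (field names assumed from the RFC)."""
    usage: int          # 0-3; 3 = DANE-EE: trust this end-entity key directly, no CA needed
    selector: int       # 0 = whole certificate, 1 = SubjectPublicKeyInfo only
    matching_type: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes         # certificate association data

def parse_tlsa(presentation: str) -> TLSA:
    """Parse presentation form, e.g. '3 1 1 a1b2...' (hex may contain spaces)."""
    usage, selector, mtype, hexdata = presentation.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", "")))

def tlsa_presentation(usage: int, selector: int, mtype: int, selected: bytes) -> str:
    """Build the record an operator would publish for the selected part of the certificate."""
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}[mtype](selected)
    return f"{usage} {selector} {mtype} {digest.hex()}"

def matches(cert_der: bytes, spki_der: bytes, rec: TLSA) -> bool:
    """DANE-EE check: does the presented certificate match the published record?
    Only meaningful if the record arrived in a DNSSEC-validated response."""
    if rec.usage != 3:
        raise NotImplementedError("usages 0-2 additionally require PKIX/DANE chain building")
    if rec.selector not in (0, 1):
        raise ValueError(f"unknown selector {rec.selector}")
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.matching_type == 0:
        return selected == rec.data
    if rec.matching_type == 1:
        return hashlib.sha256(selected).digest() == rec.data
    if rec.matching_type == 2:
        return hashlib.sha512(selected).digest() == rec.data
    raise ValueError(f"unknown matching type {rec.matching_type}")

if __name__ == "__main__":
    rec = parse_tlsa(tlsa_presentation(3, 1, 1, SAMPLE_SPKI_DER))
    print(rec)
    print("published key matches:", matches(SAMPLE_CERT_DER, SAMPLE_SPKI_DER, rec))
    print("different key matches:", matches(SAMPLE_CERT_DER, b"some-other-key", rec))
```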

No DANE in the browser

The purpose of the DNSSEC chain extension was to carry the DANE mechanism described above inside the TLS communication itself. TLS clients, above all browsers, were to obtain the DANE data from the TLS server, without having to make additional DNS queries. This was also meant to speed up validation. However, the address records of the TLS servers themselves were not to be validated this way.

The work on the extension was mainly driven by the browser maker Mozilla, which also worked on an implementation. But that work has evidently been discontinued. APNIC researcher Huston describes the ending as follows: "The result is that DANE is practically dead for browsers."

Instead of distributing data for TLS via DNS and verifying it there, there are now protocols that take the opposite route. With DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH), DNS requests and responses are transmitted over a connection that is already protected by TLS. DoH is also supported and driven by Mozilla and can be used in Firefox. The developers of Google's Chrome browser are experimenting with DoH. In addition, the large public DNS servers of Cloudflare, IBM, and Google offer DoH name resolution.
