[dns-operations] A Deep Dive on the Recent Widespread DNS Hijacking Attacks

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Feb 25 17:46:01 UTC 2019


On Sat, Feb 23, 2019 at 10:17:05PM -0800, Bill Woodcock wrote:

> Longer-term, we’ve increased the amplitude of our badgering of Apple Product
> Security regarding DNSSEC and DANE validation in the OS, rather than via
> recursive resolver.  Both of those should be end-to-end, not dependent on
> an external resolver.

In which application protocols are you asking for DANE support?
Mobile devices don't generally do MTA-to-MTA SMTP.  And there's no
traction on DANE for HTTPS, my attempt to get meaningful support
for the requisite TLS extension got thoroughly rebuffed (ambushed)
at the last IETF.  The CA/Bal(^H^H-forum :-) don't seem to be
interested in DANE just yet. :-(

I'd like to see DANE outside SMTP someday, but it is not happening
just yet.  It'll take a few more years before (MTA-to-MTA) SMTP
adoption can get to a level where it becomes possible to start
shaming the other application stacks for dragging their feet.

We can start making a stronger case once mx[1-4].smtp.goog (already
DNSSEC signed) also have TLSA records (feel free to nudge Google
if you're a customer of their MX hosting service and your own domain
is signed).

Beyond Google and Microsoft, I wonder what it would take for Godaddy
and the other US-based hosting providers to get behind DNSSEC, and
sign their 10s of millions of SOHO customer domains (and provide
DANE MX hosting).  [ The first step might be to not discourage DNSSEC
by charging more for signed domains. ]

-- 
	Viktor.
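The requirement Viktor alludes to (a signed zone whose MX hosts also publish TLSA records) is what a DANE-aware sending MTA acts on. The following is an added example, not code from the post or from any MTA, that models the TLSA lookup name and certificate matching step of RFC 6698/7672 on constructed placeholder bytes; the `mx1.smtp.goog` name is taken from the post, and it assumes the TLSA RRset has already been obtained with DNSSEC validation (AD bit set), which it does not perform.

```python
"""DANE-EE (usage 3) TLSA matching for an SMTP MX, stdlib only.

Precondition assumed here: the records were fetched from a DNSSEC-validated
answer; an unsigned or bogus TLSA RRset must never be matched at all.
The certificate and SPKI bytes used in tests are constructed placeholders.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int      # SMTP DANE permits only 2 (DANE-TA) and 3 (DANE-EE)
    selector: int   # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


def tlsa_name(mx_host: str, port: int = 25) -> str:
    """Owner name to query: _<port>._tcp.<mx host>, fully qualified."""
    return f"_{port}._tcp.{mx_host.rstrip('.')}."


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation format such as '3 1 1 <hex>' (hex may be split by spaces)."""
    usage, selector, mtype, *hexparts = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))


def association_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Bytes a TLSA record with this selector/matching type would carry."""
    chosen = {0: cert_der, 1: spki_der}[selector]          # KeyError on unknown selector
    if mtype == 0:
        return chosen
    if mtype == 1:
        return hashlib.sha256(chosen).digest()
    if mtype == 2:
        return hashlib.sha512(chosen).digest()
    raise ValueError(f"unsupported matching type {mtype}")


def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented end-entity certificate satisfies a DANE-EE record.

    Usage 2 needs chain building to the named trust anchor and is not handled
    here; usages 0 and 1 are unusable for SMTP under RFC 7672. Both return False,
    i.e. the record is skipped, and an unparseable record is skipped the same way.
    """
    if rec.usage != 3:
        return False
    try:
        expected = association_data(rec.selector, rec.mtype, cert_der, spki_der)
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected, rec.data)   # length mismatch is simply False
```

A real client tries every record in the RRset and accepts the connection if any one matches; with no usable records it must fall back to the policy for an unsigned MX, never to plain opportunistic TLS as if DANE had succeeded.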