
Handicapping New DNS Extensions and Applications (O'ReillyNet)

Cricket Liu discusses DNS extensions on O'Reilly. "The DNS system is not static; there are several proposed new extensions and applications under development and adoption. DNS expert Cricket Liu explores five for updates and their future: the Sender Policy Framework, IPv6 support, Internationalized Domain Names, ENUM, and the DNS Security Extensions."


CERT records

Posted Jan 13, 2007 17:26 UTC (Sat) by weasel (subscriber, #6031) [Link] (1 responses)

What I would really like to see is SSL (x509) certificates or better just their fingerprint in DNS, and browsers (and other programs like your jabber client, MUA, etc.) making use of it.

Maybe something like
_443._tcp.example.org. CERT <magicbytes that say what this is> 17:37:8B:EE:E4:FF:96:D9:0A:B4:5B:57:56:08:D6:8E
(One could also imagine using the service name instead of the port number, but I guess the port is the smarter choice).

In the absence of such a CERT record clients would behave the same as now, that is, do their CA verification dance and all.

If a CERT record is found but the fingerprint does not match the certificate a warning should be issued.

If a CERT record is found and we do not have a trusted (DNSSEC signed) answer then we still do the CA thing, but whether that fails or not we can still inform the user of what we found.

And last and most importantly, when we have a trusted CERT record and it matches we can just accept the certificate, even if it is signed by a CA we do not recognize or even if it is just self signed.

--
Peter
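The client policy sketched in this comment, written out as an added example that is not part of the thread. The record layout (a type tag followed by a colon-separated fingerprint), the use of SHA-256 as the digest, and treating a fingerprint mismatch as a failed connection are assumptions made here; the comment does not fix them.

```python
import hashlib
import hmac
from enum import Enum
from typing import Optional, Tuple


class Verdict(Enum):
    CA_ONLY = "no CERT record: ordinary CA verification decides"
    MISMATCH_WARN = "CERT record found but fingerprint differs: warn the user"
    UNTRUSTED_INFO = "CERT record matches but answer is not DNSSEC-signed: CA decides, inform the user"
    TRUSTED_ACCEPT = "DNSSEC-signed CERT record matches: accept the certificate"


def owner_name(host: str, port: int) -> str:
    """Owner name of the hypothetical record, e.g. _443._tcp.example.org."""
    return f"_{port}._tcp.{host.rstrip('.')}."


def cert_fingerprint(cert_der: bytes) -> bytes:
    # Assumption: the fingerprint is a SHA-256 digest of the DER certificate.
    return hashlib.sha256(cert_der).digest()


def format_fingerprint(digest: bytes) -> str:
    """Colon-separated upper-case hex, the notation used in the comment."""
    return ":".join(f"{b:02X}" for b in digest)


def parse_fingerprint(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def evaluate(cert_der: bytes, record: Optional[str],
             dnssec_trusted: bool, ca_verified: bool) -> Tuple[Verdict, bool]:
    """Apply the four cases from the comment; return (verdict, proceed?)."""
    if record is None:
        # No record: behave exactly as today, the CA check alone decides.
        return Verdict.CA_ONLY, ca_verified
    expected = parse_fingerprint(record)
    actual = cert_fingerprint(cert_der)
    # Constant-time comparison; a mismatch is treated as a failure (assumption).
    if not hmac.compare_digest(expected, actual):
        return Verdict.MISMATCH_WARN, False
    if not dnssec_trusted:
        # Unsigned answer: the CA result still decides, but the user is told.
        return Verdict.UNTRUSTED_INFO, ca_verified
    # Signed and matching: accept even if the CA is unknown or the cert self-signed.
    return Verdict.TRUSTED_ACCEPT, True
```

Note that the record is only ever looked up under the name the client connected to, so it can vouch for a certificate for that name alone; whether the DNS answer is DNSSEC-signed is what separates the last two cases.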

CERT records

Posted Jan 13, 2007 17:50 UTC (Sat) by micha (guest, #42747) [Link]

Peter wrote: "And last and most importantly, when we have a trusted CERT record and it matches we can just accept the certificate, even if it is signed by a CA we do not recognize or even if it is just self signed."

But what would be the downsides? Wouldn't it make it easier for phishers to fool the innocent users by providing a fully accepted SSL certificate simply by a CERT record? You would require the users to trust the DNS even more, but spammers and phishers currently have no problem registering domains on the fly and will have no problem managing their DNS.

I don't know whether DNS can bear this burden of trust.

Micha

Handicapping New DNS Extensions and Applications (O'ReillyNet)

Posted Jan 21, 2007 15:57 UTC (Sun) by job (guest, #670) [Link] (1 responses)

SPF is broken by design and won't get fixed. Those looking for spam filters are better off looking elsewhere.

Re: SPF

Posted Jan 24, 2007 1:43 UTC (Wed) by ldo (guest, #40946) [Link]

SPF is broken by design and won't get fixed. Those looking for spam filters are better off looking elsewhere.

Why do you say that? The article seems to assert quite the opposite:

We suggested in the webinar that there was no reason not to implement SPF: it's easy to set up, and there are no disadvantages to publishing a list of mail servers that are allowed to send email from your domain names.


Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds