[Yeti DNS Discuss] Chain Extension for TLS and the root key
willem at nlnetlabs.nl
Tue Jul 11 09:57:11 UTC 2017
On 10-07-17 at 12:34, Stephane Bortzmeyer wrote:
> The IETF draft "A DANE Record and DNSSEC Authentication Chain
> Extension for TLS" draft-ietf-tls-dnssec-chain-extension is currently
> in Working Group Last Call (ending 12 July).
> I'm wondering if it is compatible with "alternative roots": the TLS
> server returns all the DNSSEC keys and signatures, from the root to
> its own domain. It means the TLS client *must* use the same DNSSEC
> root key as the TLS server.
That is correct. This extension is a perfect fit for authenticating
DNS-over-TLS. The Yeti DNS-over-TLS servers provide the authentication
chain with their own trust anchor, which Yeti stub resolvers can validate.
For applications between clients and servers using *different* DNS
roots, there is an issue, yes. Provided that the delegations in the two
root zones are the same though, a client using the extension could still
verify a chain if it knows or can find out securely somehow the DS of
the TLD (i.e. the first delegation in the chain). A single additional
query to one of the alternative roots in this case perhaps?
We should say something about these complexities in the draft.
> If it cannot work with alternative roots, this is certainly an issue.
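As an added illustration (not code from the thread or the draft), the following simplified Python model shows the point under discussion: a chain built under one root key fails for a client anchored on a different root key, but validates when the client starts from a securely known DS of the TLD. Key bytes, zone names and the TLSA value are constructed stand-ins, and HMAC/SHA-256 replace the real DNSSEC signature and DS algorithms.

```python
import hashlib
import hmac

# Constructed stand-ins for DNSKEY material; real keys would be RSA/ECDSA.
YETI_ROOT_KEY = b"yeti-root-ksk-example"
IANA_ROOT_KEY = b"iana-root-ksk-example"
TLD_KEY = b"tld-zsk-example"
ZONE_KEY = b"example-tld-zsk-example"
TLSA_RR = b"3 1 1 <cert-hash-placeholder>"  # constructed TLSA record


def ds_of(dnskey: bytes) -> bytes:
    """DS record stand-in: digest of the child zone's DNSKEY."""
    return hashlib.sha256(dnskey).digest()


def rrsig(dnskey: bytes, rrset: bytes) -> bytes:
    """RRSIG stand-in: HMAC replaces the asymmetric signature for brevity."""
    return hmac.new(dnskey, rrset, "sha256").digest()


def build_chain(root_key: bytes) -> list:
    """Model of the chain a server sends in the extension: one link per zone,
    each carrying its DNSKEY, the RRset it signs (child DS or TLSA) and the RRSIG."""
    links = [(".", root_key, ds_of(TLD_KEY)),
             ("tld.", TLD_KEY, ds_of(ZONE_KEY)),
             ("example.tld.", ZONE_KEY, TLSA_RR)]
    return [{"zone": z, "dnskey": k, "rrset": r, "rrsig": rrsig(k, r)} for z, k, r in links]


def validate(chain: list, anchor_zone: str, anchor_ds: bytes) -> bool:
    """Validate from the link matching the client's trust anchor downwards.
    anchor_ds is the DS digest the client trusts for anchor_zone: its root
    KSK digest, or a TLD DS it learned securely by some other means."""
    start = next((i for i, l in enumerate(chain) if l["zone"] == anchor_zone), None)
    if start is None:
        return False
    expected_ds = anchor_ds
    for link in chain[start:]:
        # The zone's DNSKEY must match the DS we trust for it (anchor or parent's DS).
        if not hmac.compare_digest(ds_of(link["dnskey"]), expected_ds):
            return False
        # The RRset must verify under that DNSKEY.
        if not hmac.compare_digest(rrsig(link["dnskey"], link["rrset"]), link["rrsig"]):
            return False
        expected_ds = link["rrset"]  # the child DS becomes the trusted DS for the next link
    return True


if __name__ == "__main__":
    chain = build_chain(YETI_ROOT_KEY)
    print(validate(chain, ".", ds_of(IANA_ROOT_KEY)))  # False: client uses a different root key
    print(validate(chain, "tld.", ds_of(TLD_KEY)))      # True: client starts from the TLD DS
```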