DANE and Convergence Questions

Posted on 2016-09-02
Last Modified: 2016-09-08
I had this question after viewing DANE and Convergence.

Who sets up the notaries in convergence?  Is an administrator required to oversee and how can we be assured that there will be many notaries to choose from?  For DANE it seems as the trust is left with the domain owner rather than a third party.  Isn't this still a concern for man-in-the-middle attacks?  What are some negatives for using these methods if they do gain traction?
Question by: K K
2 Comments
Assisted Solution

by: Garry Glendown
Garry Glendown earned 1000 total points
ID: 41782958
DANE is secured by a chain of trust throughout the DNS authorities. So, in the end, you still have to rely on the integrity at that end. As for MITM, an attacker would have to compromise both the DNS level, with the signatures, and the access to the server.
The more probable danger IMO is rather the accidental (or on purpose) compromise of the signatures, causing remote sites not to deliver mail to your server as the chain of trust isn't intact ...
Accepted Solution

by: btan
btan earned 1000 total points
ID: 41782960
Who sets up the notaries in Convergence?
Anyone can set up a notary as long as they run the service (the notary package can be downloaded and installed):
https://github.com/moxie0/Convergence/wiki/Running-a-Notary
Is an administrator required to oversee and how can we be assured that there will be many notaries to choose from?
Notaries should adhere to the protocol as spelled out here, and the list of notaries is available from the project on GitHub at https://github.com/moxie0/Convergence/wiki/Notary-Protocol
Note the high- and low-availability types, and you will notice there are security companies like Qualys running a notary service too; I would probably give them greater trust compared to the others stated in the list. https://github.com/moxie0/Convergence/wiki/Notaries
For DANE it seems as if the trust is left with the domain owner rather than a third party. Isn't this still a concern for man-in-the-middle attacks?
Yes, but at least we need to put trust in the security protocol. DANE needs the DNS records to be signed with DNSSEC for its security model to work. Even a CA can be breached and keep working in a compromised state, impacting whoever is using it as the trust entity. This is why DANE is supposed to work for TLS without a CA. In fact, DANE still allows a domain owner to specify which CA is allowed to issue certificates for a particular resource. We trust but always verify.
What are some negatives for using these methods if they do gain traction?
There is no foolproof option: as shared, CAs can be compromised, and so can the notaries and the DANE domain owner. Actually, the "limitations" are shared in the RFC (6698) for DANE, and they come down to the weakest link, the DNSKEY, e.g.:
- Risk of Key Compromise
  "the root DNSKEY has protections and controls comparable to or exceeding those of public CAs. On the other end of the spectrum, small domains might provide no more protection to their keys than they do to their other data."
- Impact of Key Compromise
  "Only the compromise of the root DNSKEY would have the equivalent impact of an unconstrained public CA."
- Detection of Key Compromise
  "If a key is compromised, rapid and reliable detection is important in order to limit the impact of the compromise. In this regard, neither model prevents an attacker from near-invisibly attacking their victim, provided that the necessary keys are compromised."
- Spoofing Hostnames
  "an attacker can attempt to circumvent this restriction by finding a CA willing to issue the certificate anyway. However, by using DNSSEC and TLSA, the attacker can circumvent this check completely."
https://tools.ietf.org/html/rfc6698#section-8.1

Actually, the limit is close to saying the limit of securing DNS using DNSSEC, and it is highly dependent on the owner "going by the book", including the basics of DNS, such as: they MUST observe the TTL information reported by DNS, and the trust put on those (if any) DNS recursive resolvers. Otherwise, lax implementations that fail to follow the DNS rules could be spoofed, and it really depends on the DNS client to detect this spoofed entity, which can be non-trivial.
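To make the DANE side of both answers concrete, here is an added worked example (not code from either answer, and not from the Convergence project). It builds and checks TLSA records in the RFC 6698 shape "usage selector matching-type hex-data" and shows the two checks a client must get right: the certificate association data must match, and the TLSA RRset must have been validated under DNSSEC, otherwise a spoofed record could authorise an attacker's certificate. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins (not real DER); in a real client they come from the TLS handshake and extracting the SPKI requires an ASN.1 parser, which is omitted. The function names and the dnssec_secure flag are assumptions of this example, not part of any library.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins for a leaf certificate and its SubjectPublicKeyInfo.
# These are NOT valid DER; they only give the hash functions something to chew on.
CERT_DER = b"\x30\x82\x01\x00constructed leaf certificate bytes (not real DER)"
SPKI_DER = b"\x30\x59\x30\x13constructed subjectPublicKeyInfo bytes (not real DER)"


@dataclass(frozen=True)
class TLSARecord:
    usage: int            # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698 s2.1.1)
    selector: int         # 0 full certificate, 1 SubjectPublicKeyInfo  (s2.1.2)
    matching: int         # 0 exact match, 1 SHA-256, 2 SHA-512          (s2.1.3)
    data: bytes           # certificate association data                 (s2.1.4)
    dnssec_secure: bool   # assumption: resolver reported DNSSEC validation (AD bit) for the RRset


def parse_tlsa(presentation: str, dnssec_secure: bool) -> TLSARecord:
    """Parse the RFC 6698 presentation format '<usage> <selector> <matching> <hex>'."""
    fields = presentation.split()
    if len(fields) != 4:
        raise ValueError("TLSA record needs exactly four fields")
    usage, selector, matching = (int(f) for f in fields[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or matching not in (0, 1, 2):
        raise ValueError("unknown TLSA usage/selector/matching type")
    return TLSARecord(usage, selector, matching, bytes.fromhex(fields[3]), dnssec_secure)


def association_data(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute what the record's data field should hold for this certificate."""
    chosen = cert_der if rec.selector == 0 else spki_der
    if rec.matching == 0:
        return chosen
    if rec.matching == 1:
        return hashlib.sha256(chosen).digest()
    return hashlib.sha512(chosen).digest()


def record_matches(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    # Constant-time compare; also returns False when lengths differ.
    return hmac.compare_digest(association_data(rec, cert_der, spki_der), rec.data)


def dane_ee_accepts(records, cert_der: bytes, spki_der: bytes) -> bool:
    """True if some DNSSEC-validated DANE-EE (usage 3) record matches the presented leaf.

    Usage 3 is the only usage that can be decided from the leaf alone; usages 0-2
    additionally need the chain (and for 0/1, PKIX validation), so they are not
    accepted here. Records that did not validate under DNSSEC are ignored: without
    DNSSEC the TLSA RRset itself could be spoofed, which is exactly the point the
    answers above make.
    """
    return any(
        r.dnssec_secure and r.usage == 3 and record_matches(r, cert_der, spki_der)
        for r in records
    )


def publish_tlsa(usage: int, selector: int, matching: int, cert_der: bytes, spki_der: bytes) -> str:
    """Build the record a domain owner would publish for its own certificate."""
    rec = TLSARecord(usage, selector, matching, b"", True)
    return f"{usage} {selector} {matching} {association_data(rec, cert_der, spki_der).hex()}"


if __name__ == "__main__":
    # Owner publishes a DANE-EE record pinning the SPKI by SHA-256 ("3 1 1 ...").
    rr = publish_tlsa(3, 1, 1, CERT_DER, SPKI_DER)
    print("published:", rr)
    print("accepted (validated):", dane_ee_accepts([parse_tlsa(rr, True)], CERT_DER, SPKI_DER))
    print("accepted (no DNSSEC):", dane_ee_accepts([parse_tlsa(rr, False)], CERT_DER, SPKI_DER))
    print("accepted (key swapped):", dane_ee_accepts([parse_tlsa(rr, True)], CERT_DER, SPKI_DER + b"x"))
```

The "3 1 1" form is the one most operators publish because a key-only pin survives certificate renewal as long as the key pair is kept; the "key swapped" case shows what happens when the owner rotates the key but forgets to update the record, which is the self-inflicted outage Garry describes.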