Issue 914519

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Dec 14
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 2
Type: Feature


DNSSEC and DANE/TLSA

Reported by agowa...@gmail.com, Dec 12

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36

Steps to reproduce the problem:
Now that HTTP Public Key Pinning has shown its weaknesses in practical use, I think it's time to reevaluate the issue https://crbug.com/50874 for implementing DNSSEC with DANE/TLSA.
Also DANE is getting more widely adopted (ok, currently only for mail servers) and does increase security by a huge factor.
This would also allow using self-signed certificates for TLS without losing security, as the chain of trust can be validated through DNS instead of through X.509. And it grants much more flexibility than HTTP Public Key Pinning did, and the chances of long user/visitor lockouts are also much lower.

What is the expected behavior?
DANE/TLSA records being validated and used to validate the TLS certificate instead of, or together with (depending on the mode), the X.509 trust chain, if DNSSEC/DNS-over-TLS/DNS-over-HTTPS is also present/used for that domain.

What went wrong?
DANE/TLSA does not seem to be validated.

Did this work before? N/A 

Chrome version: 70.0.3538.110  Channel: n/a
OS Version: 10.0
Flash Version:
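The validation the report asks for, worked through as an added example (this is not Chromium code and not the reporter's): a Go program that builds a TLSA record for a certificate following RFC 6698 (usage 3 DANE-EE, selector 1 SubjectPublicKeyInfo, matching type 1 SHA-256, the combination most deployments publish) and then checks a presented certificate chain against a TLSA RRset, accepting a self-signed leaf under DANE-EE exactly as the description envisions. It assumes the RRset was already DNSSEC-validated before it reaches Verify (that step is deliberately out of scope here), the hostname www.example.net and both certificates are constructed test data, and SHA-512 matching and the PKIX-requiring usages 0 and 1 are left unimplemented and rejected rather than silently accepted.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA mirrors the RDATA fields of RFC 6698 section 2.1.
type TLSA struct {
	Usage    uint8  // 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
	Selector uint8  // 0 full certificate, 1 SubjectPublicKeyInfo
	Matching uint8  // 0 exact, 1 SHA-256 (2 = SHA-512 is omitted in this example)
	Data     []byte // certificate association data
}

// assocData computes the association data of cert for a selector/matching pair.
func assocData(cert *x509.Certificate, selector, matching uint8) ([]byte, error) {
	sel := cert.Raw
	if selector == 1 {
		sel = cert.RawSubjectPublicKeyInfo
	} else if selector != 0 {
		return nil, fmt.Errorf("unsupported selector %d", selector)
	}
	switch matching {
	case 0:
		return sel, nil
	case 1:
		h := sha256.Sum256(sel)
		return h[:], nil
	}
	return nil, fmt.Errorf("unsupported matching type %d", matching)
}

// Generate builds the record a zone operator would publish for cert.
func Generate(cert *x509.Certificate, usage, selector, matching uint8) (TLSA, error) {
	data, err := assocData(cert, selector, matching)
	return TLSA{Usage: usage, Selector: selector, Matching: matching, Data: data}, err
}

// matches reports whether cert satisfies the record's association data.
func (r TLSA) matches(cert *x509.Certificate) bool {
	data, err := assocData(cert, r.Selector, r.Matching)
	return err == nil && bytes.Equal(data, r.Data)
}

// Verify checks a presented chain (leaf first) against a DNSSEC-validated TLSA RRset. DANE-EE (3)
// pins the leaf itself, so a self-signed leaf passes with no PKIX path; DANE-TA (2) pins an issuer
// in the chain that must have signed the leaf. Usages 0/1 also need PKIX validation (not done here).
func Verify(chain []*x509.Certificate, rrset []TLSA) error {
	if len(chain) == 0 {
		return fmt.Errorf("empty certificate chain")
	}
	for _, r := range rrset {
		switch r.Usage {
		case 3:
			if r.matches(chain[0]) {
				return nil
			}
		case 2:
			for _, ca := range chain[1:] {
				if r.matches(ca) && chain[0].CheckSignatureFrom(ca) == nil {
					return nil
				}
			}
		}
	}
	return fmt.Errorf("no usable TLSA record matches the presented chain")
}

// selfSigned makes a throwaway self-signed certificate (constructed test data, not a real host).
func selfSigned(name string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	server := selfSigned("www.example.net")
	record, _ := Generate(server, 3, 1, 1) // DANE-EE, SPKI, SHA-256: the usual choice
	fmt.Printf("_443._tcp.www.example.net. IN TLSA %d %d %d %s\n",
		record.Usage, record.Selector, record.Matching, hex.EncodeToString(record.Data))
	fmt.Println("genuine cert:", Verify([]*x509.Certificate{server}, []TLSA{record}))
	fmt.Println("impostor cert:", Verify([]*x509.Certificate{selfSigned("www.example.net")}, []TLSA{record}))
}
```

The impostor in main has the same CommonName but a different key, so its SPKI digest differs and Verify rejects it; no CA, no name check and no expiry check is involved for usage 3, which is why the example never calls cert.Verify there. That is also the caveat: with DANE-EE the entire security of the connection rests on the DNSSEC validation that must happen before this code runs, so a client that cannot do that validation reliably (the point the closing comment on this issue raises) gains nothing from the record.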
 
Labels: Needs-Triage-M70
Cc: swarnasree.mukkala@chromium.org
Components: Internals>Network
Labels: Triaged-ET FoundIn-73 Target-73 M-73 FoundIn-71 FoundIn-70 FoundIn-72 OS-Linux OS-Mac
Status: Untriaged (was: Unconfirmed)
Thanks for filing the issue...

As per comment#0 it seems to be a feature request, hence marking it as untriaged and requesting someone from the dev team to look into the issue. Tentatively adding Internals>Network.
Status: WontFix (was: Untriaged)
Marking this as WontFix.

For the present and foreseeable future, there are no product plans to support DANE/TLSA records. While the reasons range from technical - such as DNSSEC validation issues with clients - to policy - such as cryptographic policies regarding such records - to avoid any ambiguity, I'm closing this as WontFix.

We continue to follow the conversations within relevant SDOs, such as the IETF, and continue to invest in technical solutions to ensure more reliable DNS, such as DNS-over-HTTPS, but there are no plans to implement such support at this time.