Re: (short version) Re: Last Call: <draft-faltstrom-uri-10.txt> (The Uni

> On 6 mar 2015, at 07:14, John C Klensin <john-ietf(_at_)jck(_dot_)com> wrote:
>
> > One description of
> > a threat model    to DNS, including description of what
> > threats DNSSEC is intended to    defend against can be found
> > in RFC 3833 [RFC3833].
> >
> >   If for example the URI resource record is not signed with
> > the help of    DNSSEC and validated successfully, trusting the
> > non-signed URI might    lead to a downgrade attack.
> While this may be obvious to experts, the experts probably don't
> need it.  For everyone else, you are probably missing a
> statement about interception, changes to the query or URI, and a
> system that won't respond as intended to STARTTLS or equivalent.
> Note, in particular, that if one started out with:
>
>
>  foo.example.com. IN URI 0 0  good.example.com.
>
> and a query for that produced a response that contained
>  foo.example.com. IN URI 0 0  evil.example.com.
>
> That would clearly be a problem for DNSSEC but, if both of the
> hosts designated by "good" and "evil" responded to STAETTLS by
> opening TLS connections at desired degrees of security, there
> would be no downgrade attack, "only" a MITM host diversion
> attack.
Well, I to some case disagree and I also thought that that was what Sam pointed 
out...one wanted to communicate with something at foo.example.com, and if one 
"normally" did use HTTP over TLS and got a 301 or 302 back, and now instead do 
a similar change of target with the help of DNS, you do get something very 
similar at least to a downgrade attack.

But I understand what your point is -- I claim ;-)

   Patrik

signature.asc
Description: Message signed with OpenPGP using GPGMail