Bug 1450674 Comment 11 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

Bug WONTFIXED for invalid reason.
Reopening.

There is no need to implement DNSSEC validation in order to implement DANE validation.
Just need to ensure that a validating Trusted Recursive Resolver (TRR) (e.g. DoT, DoH, DoQ) is being used which does all the DNSSEC heavy lifting.
We already have TRR interface for DoH implemented, just need to use it for DANE.

To implement DANE:
1. Ensure TRR is used for DNS queries
2. Check that the TLS server FQDN DNS records are DNSSEC-valid by checking that the DNS response received from TRR has either:
    * AD bit set (see RFC 4035), or
    * AA bit set
3. Check if TLSA records exist
4. Check if TLSA records are also DNSSEC valid (check for AD/AA bit)
5. If TLS server certificate validates against any one of the returned TLSA records - pass cert validation and don't do PKIX (unless matching TLSA wants PKIX as well).

if TRR
   if FQDN is valid
      Check for TLSA over TRR
      if TLSA is valid
          validate TLS server cert against TLSA

To speed things up could do TLS ClientHello and TLSA DNS query in parallel.

In terms of complexity, this would be the easiest to implement.
Implementing this bug is a lot easier than implementing bug 672600 which actually does require DNSSEC validation code.

Bug WONTFIXED for invalid reason.
Reopening.

There is no need to implement DNSSEC validation in order to implement DANE validation.
Just need to ensure that a validating Trusted Recursive Resolver (TRR) (e.g. DoT, DoH, DoQ) is being used which does all the DNSSEC heavy lifting.
We already have TRR interface for DoH implemented, just need to use it for DANE.

To implement DANE:
1. Ensure TRR is used for DNS queries
2. Check that the TLS server FQDN DNS records are DNSSEC-valid by checking that the DNS response received from TRR has either:
    * AD bit set (see RFC 4035), or
    * AA bit set
3. Check if TLSA records exist
4. Check if TLSA records are also DNSSEC valid (check for AD/AA bit)
5. If TLS server certificate validates against any one of the returned TLSA records - pass cert validation and don't do PKIX (unless matching TLSA wants PKIX as well).
```
if TRR
   if FQDN is valid
      Check for TLSA over TRR
      if TLSA is valid
          validate TLS server cert against TLSA
```
To speed things up could do TLS ClientHello and TLSA DNS query in parallel.

In terms of complexity, this would be the easiest to implement.
Implementing this bug is a lot easier than implementing bug 672600 which actually does require DNSSEC validation code.
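
The five steps in the comment above, sketched as an added Python example (not code from the bug or from Firefox). The function names, return strings and sample bytes are constructed for illustration; the sketch assumes the TRR hands back the raw DNS message, checks the AD bit only, handles only the end-entity TLSA usages (1 and 3), and receives the leaf certificate and its SPKI as DER bytes.

```python
import hashlib
import struct

AD = 0x0020  # Authentic Data flag in the DNS header (RFC 4035)

def ad_bit_set(msg: bytes) -> bool:
    """True for a NOERROR response whose header has the AD bit set."""
    if len(msg) < 12:                      # a DNS header is 12 bytes
        return False
    flags = struct.unpack("!H", msg[2:4])[0]
    return bool(flags & 0x8000) and (flags & 0x000F) == 0 and bool(flags & AD)

def tlsa_matches(record, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare one TLSA tuple (usage, selector, mtype, data) with the leaf cert."""
    _usage, selector, mtype, data = record
    selected = {0: cert_der, 1: spki_der}.get(selector)   # full cert or SPKI
    hashers = {0: lambda b: b,
               1: lambda b: hashlib.sha256(b).digest(),
               2: lambda b: hashlib.sha512(b).digest()}
    if selected is None or mtype not in hashers:
        return False                       # unknown selector or matching type
    return hashers[mtype](selected) == data

def dane_decision(addr_resp, tlsa_resp, tlsa_records, cert_der, spki_der) -> str:
    # Steps 2-4: both answers must carry AD and TLSA records must exist.
    # Assumption: anything less falls back to ordinary PKIX validation.
    if not (ad_bit_set(addr_resp) and tlsa_records and ad_bit_set(tlsa_resp)):
        return "pkix-only"
    # Only end-entity usages are handled here: 1 = PKIX-EE, 3 = DANE-EE.
    usable = [r for r in tlsa_records if r[0] in (1, 3)]
    if not usable:
        return "pkix-only"
    matched = [r[0] for r in usable if tlsa_matches(r, cert_der, spki_der)]
    if 3 in matched:
        return "dane-ok"                   # step 5: pass without PKIX
    if 1 in matched:
        return "dane-ok-pkix-required"     # matching record wants PKIX too
    return "dane-fail"

def header(flags: int) -> bytes:
    """Constructed 12-byte DNS header: id, flags, one question, one answer."""
    return struct.pack("!6H", 0x1234, flags, 1, 1, 0, 0)

CERT, SPKI = b"constructed-cert-der", b"constructed-spki-der"  # placeholders
SECURE, INSECURE = header(0x81A0), header(0x8180)              # AD set / clear
PIN = (3, 1, 1, hashlib.sha256(SPKI).digest())   # DANE-EE, SPKI, SHA-256

if __name__ == "__main__":
    print(dane_decision(SECURE, SECURE, [PIN], CERT, SPKI))
    print(dane_decision(SECURE, INSECURE, [PIN], CERT, SPKI))
```

The AD bit is only meaningful here because the response arrives over the authenticated channel to the trusted resolver; the same flag in a plain UDP response from an arbitrary resolver proves nothing.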
