DNSSEC for DOH
Categories: Core :: Networking: DNS, defect, P3
People: Reporter: jones.john, Unassigned
References: Blocks 1 open bug
Details: Whiteboard: [dnssec][necko-triaged][trr]
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
Steps to reproduce:
User Story:
User (chemist whistleblower) visits a website of a foreign country within a network that intercepts traffic and manipulates responses.
Actual results:
The network manipulates the DNS responses, which allows it to intercept all traffic.
Expected results:
The network resolver that responded with the DNS response over HTTP, such as Cloudflare or NextDNS, allows the user to automatically validate the authenticity of DNS answers. However, these responses are not acted upon.
Why is it important:
https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en
There were previously patches to add DNSSEC; however, with DoH there is a chance for a clean implementation.
This would also improve trust in DoH resolvers.
Trust But Verify.
Comment 1•5 years ago
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
Comment 2•5 years ago
This seems like a nice-to-have.
Reporter
Comment 3•5 years ago
I would appreciate it if you looked at this again.
DNSSEC is a valuable tool for improving the trust and integrity of DNS, the backbone of the modern Internet.
It would be nice if Mozilla products such as Firefox were secure in this regard; it would be a MAJOR differentiator.
Some background:
https://www.cloudflare.com/dns/dnssec/how-dnssec-works/
Legal:
https://nvd.nist.gov/800-53/Rev4/control/SC-20
https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1515759784644&uri=CELEX:32017D2288
(web and email security within the EU)
DNSSEC solves a lot of the Trust On First Use issues.
Thank you.
Trust but Verify
Comment 4•5 years ago
Thanks for the info. I don't think anyone is disputing the value of DNSSEC.
However, in the context of TRR it seems less useful than it otherwise would be, as the trusted DoH server could and usually does perform the DNSSEC check for you.
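The point made above, shown as an added example that is not Firefox or TRR code: a DoH client speaking application/dns-message asks for DNSSEC data with the EDNS0 DO bit, and what comes back is the resolver's AD bit, which the client can read but cannot verify without validating locally. The hostname and the two response headers are constructed.

```python
import struct

# Added example, not Firefox/TRR code. Builds a minimal application/dns-message
# query with the EDNS0 DO bit set (asking a DoH resolver for DNSSEC data) and
# reads the AD bit of the response header, which is all a client that does not
# validate locally has to go on. Hostname and response bytes are constructed.

AD_FLAG = 0x0020   # DNS header flag: Authenticated Data, set by a validating resolver
DO_FLAG = 0x8000   # EDNS0 flag: DNSSEC OK, asks the resolver to include RRSIGs


def encode_name(name: str) -> bytes:
    # example.com -> length 7, "example", length 3, "com", terminating zero label
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Wire-format A query for `name` with an OPT record carrying the DO bit."""
    # id, flags (RD only), qdcount=1, ancount=0, nscount=0, arcount=1 (the OPT RR)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    # OPT pseudo-RR: root name, TYPE 41, UDP payload size 4096, ext-rcode 0,
    # EDNS version 0, flags with DO set, RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, DO_FLAG, 0)
    return header + question + opt


def query_requests_dnssec(query: bytes) -> bool:
    """True if the trailing OPT record of a query built above has DO set."""
    if len(query) < 12 + 11:
        return False
    return struct.unpack("!H", query[-4:-2])[0] & DO_FLAG != 0


def resolver_validated(response: bytes) -> bool:
    """True only if the resolver set AD in the response header.

    AD is the resolver's own claim that it validated the RRSIG chain. Over DoH
    the claim reaches the client under TLS, but the client has checked no
    signature itself; local validation would turn the claim into a result."""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & AD_FLAG)


# Constructed response headers (the AD check needs only the 12-byte header):
# QR|RD|RA|AD = 0x81A0 from a validating resolver, QR|RD|RA = 0x8180 otherwise.
VALIDATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
UNVALIDATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
```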
Reporter
Comment 5•5 years ago
Thank you, it's good to see you value DNSSEC.
While, yes, the server in the TRR can verify, to increase the trust (and offload and potentially speed up) local verification would be advisable.
Having the DNSSEC within the Mozilla core would allow verification in other scenarios/paths as well.
Please see: https://stats.dnssec-tools.org/
Comment 6•3 years ago
(In reply to John Jones from comment #5)
> Having the DNSSEC within the Mozilla core would allow verification in other scenarios/paths as well.
Only with local validation does it become feasible for servers to proactively push resolution results for other hostnames you might need.
Updated•2 years ago