Open Bug 1609835 Opened 5 years ago Updated 2 months ago

DNSSEC for DOH

Categories

(Core :: Networking: DNS, defect, P3)

74 Branch
defect


People

(Reporter: jones.john, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [dnssec][necko-triaged][trr])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36

Steps to reproduce:

User story:
A user (a chemist whistleblower) visits a website of a foreign country from within a network that intercepts traffic and manipulates responses.

Actual results:

The network manipulates the DNS responses, which allows it to intercept all traffic.

Expected results:

The network resolver that responded with the DNS response over HTTP, such as Cloudflare or NextDNS, allows the user to automatically validate the authenticity of DNS answers. However, these responses are not acted upon.

Why is it important:
https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en

There were previously patches to add DNSSEC; however, with DOH there is a chance for a clean implementation.
This would also improve trust in DOH resolvers.

Trust But Verify.

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Networking: DNS
Product: Firefox → Core

This seems like a nice-to-have.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
Whiteboard: [necko-triaged][trr]

I would appreciate it if you looked at this again.

DNSSEC is a valuable tool for improving the trust and integrity of DNS, the backbone of the modern Internet.

It would be nice if Mozilla products such as Firefox were secure in this regard; it would be a MAJOR differentiator.

Some background:

https://www.cloudflare.com/dns/dnssec/how-dnssec-works/

Legal:
https://nvd.nist.gov/800-53/Rev4/control/SC-20

https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1515759784644&uri=CELEX:32017D2288
(web and email security within the EU)

DNSSEC solves a lot of the Trust On First Use issues.

Thank you.

Trust but Verify

Thanks for the info. I don't think anyone is disputing the value of DNSSEC.
However, in the context of TRR it seems less useful than it otherwise would be, as the trusted DoH server could and usually does perform the DNSSEC check for you.

Thank you, it's good to see you value DNSSEC.

While, yes, the server in the TRR can verify, to increase trust (and to offload and potentially speed things up) local verification would be advisable.

Having the DNSSEC within the Mozilla core would allow verification in other scenarios/paths as well.

Please see: https://stats.dnssec-tools.org/

Whiteboard: [necko-triaged][trr] → [dnssec][necko-triaged][trr]

(In reply to John Jones from comment #5)

> Having the DNSSEC within the Mozilla core would allow verification in other scenarios/paths as well.

Only with local validation does it become feasible for servers to proactively push resolution results for other hostnames you might need.
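As an added illustration of the two positions in this thread (the trusted DoH resolver validating on the user's behalf, per comment #4, versus the client asking for DNSSEC data so it can validate locally, per comments #5 and #6), here is a small Python example that is not part of this bug, of Firefox, or of any resolver's code. It builds the wire-format query a DoH client would POST as application/dns-message with the EDNS0 DO (DNSSEC OK) bit set, and inspects a response header for the AD (Authentic Data) flag, which is how a validating resolver signals that it checked the signature chain. The response is constructed inline; example.com and 192.0.2.1 are placeholders. Note the caveat the thread turns on: trusting AD is only reasonable because DoH authenticates the resolver over TLS, whereas validating locally would additionally require fetching and checking RRSIG, DNSKEY and DS records, which this example deliberately does not do.

```python
import ipaddress
import struct

DNS_TYPE_A = 1
DNS_TYPE_OPT = 41
FLAG_QR = 0x8000   # response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # Authentic Data: resolver asserts DNSSEC validation succeeded
FLAG_CD = 0x0010   # Checking Disabled: client asks resolver to skip validation
EDNS_DO = 0x8000   # DNSSEC OK bit in the OPT record's flags (low 16 bits of its TTL field)


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels (length-prefixed, zero-terminated)."""
    stripped = name.rstrip(".")
    labels = stripped.split(".") if stripped else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) name at offset."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:       # compression pointer, two bytes total
            return offset + 2
        offset += 1 + length


def build_query(name: str, qtype: int = DNS_TYPE_A, dnssec_ok: bool = True, txid: int = 0) -> bytes:
    """Wire-format query as a DoH client would POST it (RFC 8484 uses ID 0).

    With dnssec_ok=True an OPT pseudo-RR with the DO bit is appended, which asks
    the resolver to include RRSIG records so a client could validate locally."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if dnssec_ok:
        # OPT: root name, type 41, UDP payload size 4096, ext-rcode 0, version 0, flags DO, rdlen 0
        opt = b"\x00" + struct.pack("!HHBBHH", DNS_TYPE_OPT, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt


def query_requests_dnssec(query: bytes) -> bool:
    """True if the query carries an OPT record with the DO bit set."""
    _, _, qd, _, _, ar = struct.unpack("!HHHHHH", query[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4          # skip QTYPE and QCLASS
    for _ in range(ar):
        off = skip_name(query, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == DNS_TYPE_OPT and ttl & EDNS_DO:
            return True
        off += 10 + rdlen
    return False


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into named flags and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def resolver_validated(response: bytes) -> bool:
    """The 'trusted server validates for you' model: accept AD on a NOERROR response.

    Only meaningful when the resolver was reached over an authenticated channel
    such as DoH; on plain UDP a man-in-the-middle could set AD itself."""
    h = parse_header(response)
    return h["qr"] and h["rcode"] == 0 and h["ad"]


def build_sample_response(query: bytes, ipv4: str, ad: bool = True) -> bytes:
    """Constructed sample answer (not captured traffic): echoes the question and
    returns one A record, optionally with the AD flag set by the resolver."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    # answer name is a pointer to the question name at offset 12; TTL 300, 4-byte RDATA
    answer = b"\xc0\x0c" + struct.pack("!HHIH", DNS_TYPE_A, 1, 300, 4) + ipaddress.IPv4Address(ipv4).packed
    return header + question + answer


if __name__ == "__main__":
    q = build_query("example.com")                      # placeholder name
    print("query asks for DNSSEC data:", query_requests_dnssec(q))
    validated = build_sample_response(q, "192.0.2.1", ad=True)   # placeholder address
    tampered = build_sample_response(q, "192.0.2.1", ad=False)
    print("validated by resolver:", resolver_validated(validated))
    print("validated by resolver:", resolver_validated(tampered))
```

The `ad=False` response stands in for what the reporter's hostile network would produce: even if it forges an answer, a client that insists on AD from its authenticated DoH resolver will not act on it. What the example cannot decide is whether the resolver itself is honest; closing that gap is exactly the local validation the thread asks for.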

Severity: normal → S3