daniel:// stenberg:// (bagder@mastodon.social)'s status on Thursday, 16-Jan-2025 07:31:17 JST
With @icing's help, we made our first transfers with #curl respecting HTTPS RR records (RFC 9460) today. Kind of cool. Needs more work before it becomes truly useful, and in particular to use it without DoH, but hey. It's a step. There will be many more.
:debian: 𝚜𝚎𝚕𝚎𝚊 :opensuse: (selea@social.linux.pizza)'s status on Thursday, 16-Jan-2025 07:31:16 JST
Nice! Congratz!
While we are on the topic, does curl honor TLSA (DANE) records too?
feld (feld@friedcheese.us)'s status on Thursday, 16-Jan-2025 08:57:37 JST
@bagder @jelu @icing If someone can present a valid certificate to the client after hijacking the DNS response or poisoning their recursor in 2025, when our trusted roots are not so poorly managed, and evade the certificate transparency logs, I'll be impressed.
But I'm still not gonna use DNSSEC 🙃
daniel:// stenberg:// (bagder@mastodon.social)'s status on Thursday, 16-Jan-2025 08:57:38 JST
@jelu @icing and I repeatedly talk about *transfers* and *connections* "protected" with TLS - for which DNSSEC does not add a lot
Jerry Lundström :catjam: (jelu@mastodon.social)'s status on Thursday, 16-Jan-2025 08:57:39 JST
@bagder @icing that was unneeded.
We seem to have talked about different things.
I was only pointing out the importance of validating DNS data, nothing to do with the HTTP TLS connection.
daniel:// stenberg:// (bagder@mastodon.social)'s status on Thursday, 16-Jan-2025 08:57:40 JST
@jelu @icing I'm sorry, but it sounds like you need to read up on what TLS does for a connection. I know what DNSSEC does. No, I'm not going to the netnod meeting.
Jerry Lundström :catjam: (jelu@mastodon.social)'s status on Thursday, 16-Jan-2025 08:57:40 JST
@bagder @icing and I'm sorry, because it doesn't sound like you understand DNSSEC then. Maybe I'm missing a part, but if you're only relying on DoH to give you validated DNS data then you're doing it wrong. It should be DoH(/DoT/DoQ)+DNSSEC.
daniel:// stenberg:// (bagder@mastodon.social)'s status on Thursday, 16-Jan-2025 08:57:40 JST
@jelu @icing I know that, but that's irrelevant for the connection since it is proven with TLS. Now stop making a fool of yourself.
daniel:// stenberg:// (bagder@mastodon.social)'s status on Thursday, 16-Jan-2025 08:57:41 JST
@jelu @icing curl does transfers. TLS makes sure those are not done from any DNS-poisoned address
Jerry Lundström :catjam: (jelu@mastodon.social)'s status on Thursday, 16-Jan-2025 08:57:41 JST
@bagder @icing how can you be sure of that without validating the DNS data you get using DNSSEC?
Again, DNS-over-HTTPS only secures the communication, not the data!
You could be speaking to a malicious/spoofed endpoint or poisoned caches.
The only way to validate the DNS data you get is by using DNSSEC.
Happy to explain the differences more; are you coming to the Netnod spring meeting?
daniel:// stenberg:// (bagder@mastodon.social)'s status on Thursday, 16-Jan-2025 08:57:42 JST
@jelu @icing I have no intentions of doing that now. Maybe in a distant future.
daniel:// stenberg:// (bagder@mastodon.social)'s status on Thursday, 16-Jan-2025 08:57:42 JST
@jelu @icing there's simply no demand for that among our users. DNSSEC does not add much when we have TLS on top.
Jerry Lundström :catjam: (jelu@mastodon.social)'s status on Thursday, 16-Jan-2025 08:57:42 JST
That's like comparing apples with oranges.
TLS does not protect against cache poisoning or any other type of DNS data manipulation.
Jerry Lundström :catjam: (jelu@mastodon.social)'s status on Thursday, 16-Jan-2025 08:57:43 JST
@bagder @icing Woot! Nice! Let me know if you need help with the DNS part, kinda into that stuff 🙃
daniel:// stenberg:// (bagder@mastodon.social)'s status on Thursday, 16-Jan-2025 08:57:43 JST
@jelu @icing we already have an HTTPS record parser (over DoH) since the first ECH support was brought in, so we're good for that. That's what made this first step so quick and easy. The much more complicated step is to fetch HTTPS records "on the side", when resolving the name with getaddrinfo(). But that's not really DNS related, it's more internal architecture fiddling. I'll use c-ares for that, and it offers HTTPS functionality as well.
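The post above refers to curl's HTTPS record parser. As an added illustration of what such a parser has to handle (this is example code written for this page, not curl's or c-ares' own code), the block below decodes the RDATA of an HTTPS resource record per RFC 9460: the SvcPriority, the uncompressed TargetName, and the SvcParams (mandatory, alpn, no-default-alpn, port, ipv4hint, ech, ipv6hint), rejecting records a client must treat as malformed (keys out of order, SvcParams on an AliasMode record, a mandatory key that is absent). `pick_endpoint` then shows the client-side selection step: the lowest-priority ServiceMode record whose mandatory keys the client understands. The sample RDATA bytes, the owner name `www.example.com` and the target `svc.example.net` are constructed for the example.

```python
import base64
import ipaddress
import struct

# SvcParamKey registry values from RFC 9460, section 14.3
SVCPARAM_KEYS = {0: "mandatory", 1: "alpn", 2: "no-default-alpn",
                 3: "port", 4: "ipv4hint", 5: "ech", 6: "ipv6hint"}


def _read_name(data, offset):
    """Read an uncompressed wire-format name; RFC 9460 section 2.2 forbids
    compression pointers inside SVCB/HTTPS RDATA."""
    labels = []
    while True:
        if offset >= len(data):
            raise ValueError("truncated TargetName")
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length >= 0xC0:
            raise ValueError("compression pointer in TargetName")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) or ".", offset


def _decode_param(key, value):
    """Decode one SvcParamValue; unknown keys are kept as hex."""
    if key == 0:  # mandatory: list of u16 keys
        if len(value) % 2:
            raise ValueError("malformed mandatory list")
        return list(struct.unpack("!%dH" % (len(value) // 2), value))
    if key == 1:  # alpn: sequence of length-prefixed protocol ids
        alpns, i = [], 0
        while i < len(value):
            n, i = value[i], i + 1
            if n == 0 or i + n > len(value):
                raise ValueError("malformed alpn list")
            alpns.append(value[i:i + n].decode("ascii"))
            i += n
        return alpns
    if key == 2:  # no-default-alpn: value must be empty
        if value:
            raise ValueError("no-default-alpn must be empty")
        return True
    if key == 3:  # port: u16
        if len(value) != 2:
            raise ValueError("malformed port")
        return struct.unpack("!H", value)[0]
    if key in (4, 6):  # ipv4hint / ipv6hint: packed addresses
        size, cls = (4, ipaddress.IPv4Address) if key == 4 else (16, ipaddress.IPv6Address)
        if not value or len(value) % size:
            raise ValueError("malformed address hint")
        return [str(cls(value[i:i + size])) for i in range(0, len(value), size)]
    if key == 5:  # ech: opaque ECHConfigList, shown base64-encoded
        return base64.b64encode(value).decode("ascii")
    return value.hex()


def parse_https_rdata(rdata):
    """Return {'priority', 'target', 'params'} or raise ValueError for a record
    a client must treat as malformed (RFC 9460 sections 2.2 and 8)."""
    if len(rdata) < 3:
        raise ValueError("RDATA too short")
    priority = struct.unpack("!H", rdata[:2])[0]
    target, off = _read_name(rdata, 2)
    params, last_key = {}, -1
    while off < len(rdata):
        if off + 4 > len(rdata):
            raise ValueError("truncated SvcParam")
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        off += 4
        if key <= last_key:  # keys must be strictly increasing, no duplicates
            raise ValueError("SvcParamKeys not in ascending order")
        last_key = key
        value = rdata[off:off + length]
        if len(value) != length:
            raise ValueError("truncated SvcParamValue")
        off += length
        params[SVCPARAM_KEYS.get(key, "key%d" % key)] = _decode_param(key, value)
    if priority == 0 and params:
        raise ValueError("AliasMode record must not carry SvcParams")
    for k in params.get("mandatory", []):  # listed keys must be present, 0 itself excluded
        if k == 0 or SVCPARAM_KEYS.get(k, "key%d" % k) not in params:
            raise ValueError("mandatory key %d missing" % k)
    return {"priority": priority, "target": target, "params": params}


def pick_endpoint(owner, rdatas):
    """Choose the lowest-priority ServiceMode record this client understands and
    return (hostname, port, alpn list); records with unknown mandatory keys are
    skipped as section 8 requires, AliasMode records are left to the caller."""
    best = None
    for rd in rdatas:
        rec = parse_https_rdata(rd)
        if rec["priority"] == 0:
            continue
        if any(k not in SVCPARAM_KEYS for k in rec["params"].get("mandatory", [])):
            continue
        if best is None or rec["priority"] < best["priority"]:
            best = rec
    if best is None:
        return None
    host = owner if best["target"] == "." else best["target"]  # "." means the owner name
    return host, best["params"].get("port", 443), best["params"].get("alpn", [])


# Constructed sample RDATA: priority 1, TargetName ".", mandatory=alpn,
# alpn=h2,http/1.1, port=8443, ipv4hint=192.0.2.1
SERVICE_RDATA = (b"\x00\x01" + b"\x00"
                 + b"\x00\x00\x00\x02\x00\x01"
                 + b"\x00\x01\x00\x0c\x02h2\x08http/1.1"
                 + b"\x00\x03\x00\x02\x20\xfb"
                 + b"\x00\x04\x00\x04\xc0\x00\x02\x01")
# Constructed AliasMode record: priority 0, TargetName svc.example.net
ALIAS_RDATA = b"\x00\x00" + b"\x03svc\x07example\x03net\x00"

if __name__ == "__main__":
    print(parse_https_rdata(SERVICE_RDATA))
    print(pick_endpoint("www.example.com", [ALIAS_RDATA, SERVICE_RDATA]))
```

The strictness matters for the reason the thread discusses: whatever transport the record arrived over, the parser only tells the client which name, port and ALPN to try; the TLS handshake against that name is what binds the connection to the server's certificate.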
Jerry Lundström :catjam: (jelu@mastodon.social)'s status on Thursday, 16-Jan-2025 08:57:43 JST
@bagder @icing haven't looked at c-ares, but for the DNS, if you go down the route of using libraries like getdnsapi (not sure how updated it is) or ldns, you could introduce proper client-side DNSSEC validation for the HTTPS records also 🙂