Harald Tveit Alvestrand wrote:
> We're probably rehashing the DNSEXT discussion here, but I wasn't part of
> the DNSEXT discussion.....
> LLMNR allows me to treat names in a different way than mDNS does.
> If I have a name that I'm certain I own (this box is, with high certainty,
> the only one in the world named HALVESTR-W2K02.emea.cisco.com), LLMNR
> allows me to assert that name on a LAN even when the DNS is not available,
> or when that name is not currently asserted in the DNS.
> mDNS, as I understand it, doesn't allow me to do that - I would have to
> assert "HALVESTR-W2K02.local", or "HALVESTR-W2K02.emea.cisco.com.local".
No, this is completely wrong.
There are *two* important goals of mDNS:
Goal 1: I have a legitimate FQDN, and connectivity with my peers, but no
connectivity to the greater Internet right now. In this mode, mDNS (like
LLMNR) is providing "fail-over" for unicast DNS. Even on Mac OS 9, five
years ago, if you looked up "www.ietf.org" and had no unicast DNS servers
configured, it would look it up via mDNS instead.
Goal 2: I have no legitimate FQDN. I just need a temporary no-frills name
I can use for the time being. This is so that, for example, every HP
printer can ship from the factory with the name "hp-printer.local", which
is at least good enough for bootstrapping until the customer has assigned
a legitimate FQDN for the printer. This is what mDNS uses the ".local"
namespace for. It's a free-for-all sandbox where all names are up for
grabs and no names are quite trustworthy.
LLMNR seeks to solve the first goal but not the second, but in failing to
provide a sandbox for ad hoc names, it makes the entire DNS namespace a
sandbox for ad hoc names.
mDNS seeks to address both problems, but we're aware that looking up
general DNS names via unauthenticated local multicast queries has
horrible security implications, and we're aware that today we're not
confident that we know how to solve that problem, so the mDNS draft
recommends:
(14. Enabling and Disabling Multicast DNS)

    The option to fail-over to Multicast DNS for names not ending
    in ".local." SHOULD be a user-configured option, and SHOULD
    be disabled by default because of the possible security issues
    related to unintended local resolution of apparently global names.

(24. Security Considerations)

    When DNS queries for *global* DNS names are sent to the mDNS
    multicast address (during network outages which disrupt communication
    with the greater Internet) it is *especially* important to use
    DNSSEC, because the user may have the impression that he or she is
    communicating with some authentic host, when in fact he or she is
    really communicating with some local host that is merely masquerading
    as that name.
> The difference between LLMNR and mDNS here seems to be that mDNS
> *requires* me to use two different names in the two different cases;
> LLMNR, while it certainly *permits* me to do so, does not *require* it.
Absolutely not.
mDNS allows you to have a single FQDN, and answer those queries via
multicast, but recognizes that we need solid security mechanisms before
we can honestly recommend that.
LLMNR allows you to have a single FQDN, and ignores the security risks.
Stuart Cheshire <cheshire@apple.com>
* Wizard Without Portfolio, Apple Computer, Inc.
* www.stuartcheshire.org
_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
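The resolution policy the two sections of the mDNS draft quoted above describe, as an added illustration that is not part of Stuart's message and not code from mDNSResponder or any LLMNR implementation: ".local" names go only to the link-local multicast sandbox; global names go to unicast DNS; and when unicast DNS is unreachable, fail-over of a global name to multicast happens only if the user has switched it on (off by default), with the answer flagged as one a local peer may be masquerading behind. The zone contents, the rogue responder on the link, and the addresses are all constructed in-memory stand-ins; nothing here touches a socket, and "LLMNR-style" below just means that same fail-over switch wired permanently on, as the message characterises it.

```python
"""Dispatch policy for unicast DNS vs. link-local multicast, per the quoted
mDNS draft sections 14 and 24.  Example code for this page; the back-ends are
constructed dictionaries, not real resolvers."""

from dataclasses import dataclass
from typing import Optional

# Constructed sample data.  Addresses are placeholders, not real hosts.
UNICAST_ZONE = {
    "www.ietf.org.": "1.2.3.4",
    "halvestr-w2k02.emea.cisco.com.": "10.0.0.5",
}
# What hosts on the local link will answer for via multicast.  The second
# entry is a misbehaving or hostile peer asserting a *global* name, i.e. the
# masquerade that section 24 of the draft warns about.
MULTICAST_LINK = {
    "hp-printer.local.": "192.168.1.20",
    "www.ietf.org.": "192.168.1.66",
}


def canonical(name: str) -> str:
    """Lower-case and add a trailing dot, so 'WWW.IETF.ORG' matches 'www.ietf.org.'."""
    n = name.strip().lower()
    return n if n.endswith(".") else n + "."


def is_local_name(name: str) -> bool:
    """True only for names in the '.local.' sandbox (not e.g. 'x.local.example.com')."""
    return canonical(name).endswith(".local.")


@dataclass
class Answer:
    name: str
    address: Optional[str]
    source: str                  # "unicast", "multicast" or "none"
    global_name_from_link: bool  # True when a non-.local name was answered by a local peer


@dataclass
class Resolver:
    unicast_available: bool = True
    # Section 14: fail-over to multicast for names not ending in ".local."
    # SHOULD be user-configured and SHOULD be disabled by default.
    multicast_fallback_for_global_names: bool = False

    @classmethod
    def llmnr_style(cls, unicast_available: bool = True) -> "Resolver":
        """Single namespace, multicast fail-over always on (the behaviour the
        message attributes to LLMNR).  Assumption made for illustration."""
        return cls(unicast_available=unicast_available,
                   multicast_fallback_for_global_names=True)

    def resolve(self, name: str) -> Answer:
        n = canonical(name)
        if is_local_name(n):
            # Goal 2: the ad hoc sandbox.  Never consult unicast DNS for it.
            addr = MULTICAST_LINK.get(n)
            return Answer(n, addr, "multicast" if addr else "none", False)
        if self.unicast_available:
            # Normal case: a global name is answered by unicast DNS.
            addr = UNICAST_ZONE.get(n)
            return Answer(n, addr, "unicast" if addr else "none", False)
        if self.multicast_fallback_for_global_names:
            # Goal 1 fail-over.  Any answer here came from some host on the
            # link and, without DNSSEC, may be a masquerade: flag it.
            addr = MULTICAST_LINK.get(n)
            return Answer(n, addr, "multicast" if addr else "none", addr is not None)
        # Default: unicast is down and fail-over is off, so the name does not resolve.
        return Answer(n, None, "none", False)


if __name__ == "__main__":
    for r in (Resolver(), Resolver(unicast_available=False),
              Resolver.llmnr_style(unicast_available=False)):
        for q in ("hp-printer.local", "www.ietf.org"):
            print(r, q, r.resolve(q))
```

Running it shows the four cases the message argues over: the printer resolves via multicast regardless of configuration, "www.ietf.org" comes from unicast while it is reachable, fails to resolve under the draft's default once unicast is down, and under the LLMNR-style policy is answered by the 192.168.1.66 peer with `global_name_from_link` set, which is exactly the point at which the draft says DNSSEC becomes essential.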