
Re: (short version) Re: Last Call: <draft-faltstrom-uri-10.txt> (The Uniform Resource Identifier (URI) DNS Resource Record) to Proposed Standard

2015-02-24 16:01:13

In message <20150224172649.GX1260@mournblade.imrryr.org>, Viktor
Dukhovni writes:
> On Tue, Feb 24, 2015 at 08:49:29AM -0800, Paul Hoffman wrote:
> 
> > On Feb 23, 2015, at 8:33 AM, Sam Hartman <hartmans-ietf@mit.edu>
> > wrote:
> > > Yes, I see significant security problems with this URI.
> > 
> > It sounds like you have issues with URIs in general, not in a DNS RTYPE
> > that carries a URI. That is, any URI that has a domain name that can lead
> > to redirection (through CNAME, DNAME, or SRV) would have the properties
> > that worry you. Is that a fair summary?
> 
> That's not how I read it.  The issue here is that the draft introduces
> a DNS-based rewrite of the TLS reference identifier.
> 
>       _mumble.example.com. IN URI "https://example.net/";
> 
> The draft language stipulates (correctly I think given that DNS
> also specifies the URI scheme) that DNSSEC is required and the TLS
> reference identifier becomes "example.net".  This is not the case
> for HTTP with either CNAME or DNAME, and HTTP does not use SRV
> records.
> 
> When pre-DANE MTAs use MX records with TLS securely (rather than
> just going through the motions), they use the nexthop domain (not
> the MX host domain) as the reference identifier.
> 
> Similar considerations come into play with RFC 6186 indirection of
> IMAP and SMTP server locations.  RFC 6186 just drops the ball in
> the user's lap.  A more comprehensive solution is hinted at in:
> 
>     http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-14#section-7
> 
> but I'm not sure whether DNSSEC last-mile is as yet
> sufficiently addressed for that.

DNSSEC works all the way to the application.  This has been specified
for approaching a decade now (March 2005).  Yes, RFC 4035 covers
how to do DNSSEC in the application.  Yes it is a myth that the last
mile requires something special.  It doesn't.

Validating nameservers are an example of an *application* that validates
answers received from nameservers.  Yes, nameservers are configured
to talk through recursive nameservers and to validate the answers
they get.

The code to do this exists in libraries which can be called from
applications other than nameservers.  Named is just an application
that calls libdns to do most of its work.

> Of course with the document under discussion, if mobile applications
> are in scope, then of course we again need DNSSEC to be usable in
> last-mile environments.
> 
> -- 
>       Viktor.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
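As an added illustration (not code from the thread or from any of its authors), the Python below encodes the distinction the messages draw: CNAME/DNAME and MX indirection leave the TLS reference identifier at the name the client started from (the nexthop domain for MX), whereas the draft's URI record rewrites it to the target host, which is only acceptable when a validating resolver reports the URI RRset as DNSSEC-authenticated. The record text follows the thread's `_mumble.example.com. IN URI "https://example.net/"` line; the `dnssec_validated` flag is assumed to come from the caller's validating resolver or library.

```python
from typing import Optional
from urllib.parse import urlsplit


def _norm(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot for comparison."""
    return name.rstrip(".").lower()


def uri_target_host(uri_rdata: str) -> Optional[str]:
    """Host part of a URI record's quoted target, e.g. '"https://example.net/"'.
    Returns None when the target has no host (e.g. a mailto: URI)."""
    target = uri_rdata.strip().strip('"')
    return urlsplit(target).hostname


def reference_identifier(query_name: str, rtype: str, rdata: str,
                         dnssec_validated: bool) -> Optional[str]:
    """TLS reference identifier to verify the server certificate against,
    or None when the lookup must not be relied upon for that purpose.

    CNAME/DNAME: HTTP keeps the name the user asked for; the alias
      target never becomes the reference identifier, validated or not.
    MX: a pre-DANE MTA doing TLS securely checks the nexthop domain
      (the name the MX query was made for), not the MX exchange host.
    URI: the draft rewrites the reference identifier to the host in the
      target URI, so an unvalidated (spoofable) URI answer is refused.
    """
    rtype = rtype.upper()
    if rtype in ("CNAME", "DNAME", "MX"):
        return _norm(query_name)          # indirection does not change it
    if rtype == "URI":
        if not dnssec_validated:
            return None                   # the rewrite itself is unauthenticated
        host = uri_target_host(rdata)
        return _norm(host) if host else None
    raise ValueError(f"unsupported indirection type: {rtype}")


if __name__ == "__main__":
    # Constructed sample lookups, mirroring the thread's examples.
    print(reference_identifier("_mumble.example.com.", "URI",
                               '"https://example.net/"', True))    # example.net
    print(reference_identifier("_mumble.example.com.", "URI",
                               '"https://example.net/"', False))   # None
    print(reference_identifier("example.com.", "MX",
                               "mx1.provider.example.", True))     # example.com
```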
