Re: [Acme] dns challenges and dynamic dns services (security considerations for domain holders)

Andrew Ayer <agwa@andrewayer.name> Fri, 29 January 2016 17:38 UTC

Date: Fri, 29 Jan 2016 09:38:06 -0800
From: Andrew Ayer <agwa@andrewayer.name>
To: James Cloos <cloos@jhcloos.com>
Message-Id: <20160129093806.e512a4471ec468655b6b1723@andrewayer.name>
In-Reply-To: <m3y4b8gwg4.fsf@carbon.jhcloos.org>
References: <56AB6D8D.9010803@mozilla.com> <56AB8118.9020500@moparisthebest.com> <56AB8495.9000309@mozilla.com> <m3y4b8gwg4.fsf@carbon.jhcloos.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/-cqQQS2Jx_lHko1vfoWYCx85Bmo>
Cc: acme@ietf.org, Frederik Braun <fbraun@mozilla.com>
Subject: Re: [Acme] dns challenges and dynamic dns services (security considerations for domain holders)

On Fri, 29 Jan 2016 11:52:11 -0500
James Cloos <cloos@jhcloos.com> wrote:

> >>>>> "FB" == Frederik Braun <fbraun@mozilla.com> writes:
> 
> FB> I'm concerned that everyone having to update their blacklists[1]
> FB> will lead to more trouble.
> 
> They really all ought to forbid any label which starts with an
> underscore.

Agreed.  Underscores are not allowed in hostnames, so dynamic DNS
services should not allow registration of such names (I don't even
understand why they would allow TXT records).  If they do allow
registration of arbitrary TXT records for names starting with
underscores, then they are also allowing attackers to set arbitrary
DKIM and DMARC records for their domain, and probably inflict other
damage.

The dynamic DNS service in question[1] also claims support for SRV
records, so there's a good chance they're also allowing attackers to
hijack various services for their domain.

I consider this similar to (but less likely than) web hosts allowing
user uploads to the /.well-known directory.  Operators ought to know
better, and while there's a risk that some won't, it's a risk that has
to be tolerated if DV is to exist at all.

Andrew

[1] https://freedns.afraid.org/
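The registration check the message argues for, as an added example (not code from Andrew Ayer, the ACME working group, or any dynamic DNS provider): it accepts only RFC 1123 hostname labels under the provider's zone, rejects every label that begins with an underscore, and explains what the rejected label would have controlled, covering the ACME dns-01 name that started the thread, the DKIM and DMARC names, and the `_service._proto` shape used by SRV. The zone name `dyn.example` and the sample requests are constructed for the example.

```python
import re
from typing import Tuple

# Constructed example zone: a dynamic DNS provider hands out names under it.
DYNAMIC_ZONE = "dyn.example"

# RFC 1123 hostname label: letters, digits and hyphens, no leading or trailing
# hyphen, 1 to 63 octets. Underscore is not in this alphabet at all, so a
# hostname-only policy rejects underscore labels as a side effect.
HOSTNAME_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Underscore-prefixed owner names which, if a customer could create them under
# the provider's zone, hand that customer control over the zone itself (or over
# the name directly above the label).
SENSITIVE_UNDERSCORE_LABELS = {
    "_acme-challenge": "ACME dns-01 token: lets the registrant pass DV for the parent name",
    "_domainkey": "DKIM selector record: lets the registrant sign mail as the parent name",
    "_dmarc": "DMARC policy: lets the registrant set mail policy for the parent name",
}

# Transport labels that appear in SRV-style names: _service._proto.zone
SRV_PROTO_LABELS = {"_tcp", "_udp", "_tls", "_sctp"}


def classify_registration(name: str, zone: str = DYNAMIC_ZONE) -> Tuple[str, str]:
    """Decide whether a dynamic DNS registration request should be accepted.

    Returns ("ok", reason) or ("reject", reason). Only plain hostnames under
    the zone are accepted; any label beginning with an underscore is rejected
    with a reason naming what that label would have controlled.
    """
    name = name.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    if name == zone or not name.endswith("." + zone):
        return "reject", "name is the zone apex or is not under the zone"

    labels = name[: -len(zone) - 1].split(".")
    # Walk from the label nearest the zone outward, so that for
    # "sel1._domainkey" the "_domainkey" label is reported, not "sel1".
    for label in reversed(labels):
        if label.startswith("_"):
            if label in SENSITIVE_UNDERSCORE_LABELS:
                return "reject", SENSITIVE_UNDERSCORE_LABELS[label]
            if label in SRV_PROTO_LABELS:
                return "reject", (f"SRV transport label {label}: would let the "
                                  "registrant hijack a service advertised for the zone")
            return "reject", (f"underscore label {label}: reserved for service "
                              "records, not hostnames")
        if not HOSTNAME_LABEL.match(label):
            return "reject", f"{label!r} is not a valid hostname label"
    return "ok", "plain hostname under the zone"


if __name__ == "__main__":
    # Constructed registration requests, as a customer of dyn.example might submit them.
    requests = [
        "myhost.dyn.example",
        "_acme-challenge.dyn.example",
        "sel1._domainkey.dyn.example",
        "_dmarc.dyn.example",
        "_sip._tcp.dyn.example",
        "my_host.dyn.example",
        "evil.example",
    ]
    for req in requests:
        verdict, why = classify_registration(req)
        print(f"{verdict:6} {req:32} {why}")
```

The check is deliberately whole-name rather than leftmost-label only: `_acme-challenge.www.dyn.example` is rejected even though `www` is a fine hostname label, because allowing it would let one customer pass dns-01 validation for another customer's `www.dyn.example`.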