Re: [Acme] dns challenges and dynamic dns services (security considerations for domain holders)
Andrew Ayer <agwa@andrewayer.name> Fri, 29 January 2016 17:38 UTC
Date: Fri, 29 Jan 2016 09:38:06 -0800
From: Andrew Ayer <agwa@andrewayer.name>
To: James Cloos <cloos@jhcloos.com>
Message-Id: <20160129093806.e512a4471ec468655b6b1723@andrewayer.name>
In-Reply-To: <m3y4b8gwg4.fsf@carbon.jhcloos.org>
References: <56AB6D8D.9010803@mozilla.com> <56AB8118.9020500@moparisthebest.com> <56AB8495.9000309@mozilla.com> <m3y4b8gwg4.fsf@carbon.jhcloos.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/-cqQQS2Jx_lHko1vfoWYCx85Bmo>
Cc: acme@ietf.org, Frederik Braun <fbraun@mozilla.com>
Subject: Re: [Acme] dns challenges and dynamic dns services (security considerations for domain holders)
On Fri, 29 Jan 2016 11:52:11 -0500
James Cloos <cloos@jhcloos.com> wrote:

> >>>>> "FB" == Frederik Braun <fbraun@mozilla.com> writes:
>
> FB> I'm concerned that everyone having to update their blacklists[1]
> FB> will lead to more trouble.
>
> They really all ought to forbid any label which starts with an
> underscore.

Agreed.  Underscores are not allowed in hostnames, so dynamic DNS
services should not allow registration of such names (I don't even
understand why they would allow TXT records).  If they do allow
registration of arbitrary TXT records for names starting with
underscores, then they are also allowing attackers to set arbitrary
DKIM and DMARC records for their domain, and probably inflict other
damage.  The dynamic DNS service in question[1] also claims support
for SRV records, so there's a good chance they're also allowing
attackers to hijack various services for their domain.

I consider this similar to (but less likely than) web hosts allowing
user uploads to the /.well-known directory.  Operators ought to know
better, and while there's a risk that some won't, it's a risk that has
to be tolerated if DV is to exist at all.

Andrew

[1] https://freedns.afraid.org/
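The check the thread is asking dynamic DNS operators to make, written out as an added example (this is not code from the message above, nor from any of the services mentioned): a registration validator for a shared zone that rejects any label beginning with an underscore, enforces RFC 1123 hostname-label syntax on the user-owned part of the name, and applies an allow-list of record types. The zone `example.test`, the sample registrations and the default policy of permitting only A/AAAA records are constructed for illustration. The underscore rule alone covers the cases raised in the thread: `_acme-challenge` (ACME dns-01), `_dmarc` and `*._domainkey` (DMARC/DKIM TXT records) and `_service._proto` (SRV) all fall under it, whatever the record type.

```python
import re
from typing import NamedTuple

# RFC 1123 "LDH" label: letters, digits, hyphens; 1-63 octets;
# no leading or trailing hyphen.  An underscore never matches.
LDH_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# Hypothetical operator policy: a shared dynamic-DNS zone lets users
# publish address records only.  TXT and SRV under attacker-chosen names
# are exactly what the thread warns about.
DEFAULT_ALLOWED_TYPES = frozenset({"A", "AAAA"})


class Decision(NamedTuple):
    accepted: bool
    reason: str


def validate_registration(fqdn, zone, rrtype, allowed_types=DEFAULT_ALLOWED_TYPES):
    """Decide whether a user may create <rrtype> at <fqdn> inside the shared <zone>."""
    name = fqdn.rstrip(".").lower()
    apex = zone.rstrip(".").lower()

    if len(name) > 253:
        return Decision(False, "name exceeds 253 octets")
    # The apex itself and anything outside the zone are never user-assignable.
    if name == apex or not name.endswith("." + apex):
        return Decision(False, "name is not strictly below the shared zone")

    owned = name[: -(len(apex) + 1)]  # labels the user is asking to control
    for label in owned.split("."):
        # Checked before the syntax rule so the refusal names the real problem:
        # underscore labels are reserved for protocol records (_acme-challenge,
        # _dmarc, *._domainkey, _service._proto), not hostnames.
        if label.startswith("_"):
            return Decision(False, f"label {label!r} starts with an underscore")
        if not LDH_LABEL.fullmatch(label):
            return Decision(False, f"label {label!r} is not a valid hostname label")

    if rrtype.upper() not in allowed_types:
        return Decision(False, f"record type {rrtype.upper()} is not permitted for user registrations")
    return Decision(True, "ok")


# Constructed sample requests against the constructed zone example.test.
SAMPLE_REQUESTS = [
    ("alice.example.test", "A"),                     # ordinary dyndns host
    ("_acme-challenge.example.test", "TXT"),         # would let a user pass dns-01 for the apex
    ("_dmarc.example.test", "TXT"),                  # would let a user set DMARC policy for the zone
    ("sel1._domainkey.example.test", "TXT"),         # would let a user publish a DKIM key
    ("_xmpp-client._tcp.example.test", "SRV"),       # would let a user redirect a service
    ("alice.example.test", "TXT"),                   # valid name, disallowed type
    ("-bad.example.test", "A"),                      # leading hyphen
    ("example.test", "A"),                           # the apex itself
    ("alice.other.test", "A"),                       # not in the zone at all
]


def run_examples(zone="example.test"):
    """Return [(fqdn, rrtype, accepted, reason)] for every constructed request."""
    return [
        (fqdn, rrtype, *validate_registration(fqdn, zone, rrtype))
        for fqdn, rrtype in SAMPLE_REQUESTS
    ]


if __name__ == "__main__":
    for fqdn, rrtype, accepted, reason in run_examples():
        print(f"{'ACCEPT' if accepted else 'REJECT':6} {rrtype:4} {fqdn:36} {reason}")
```

Only the first request is accepted. Note that the underscore check runs on every label of the user-owned part, not just the leftmost one, because `sel1._domainkey.example.test` is as dangerous as `_dmarc.example.test`; an operator who wants to offer TXT for legitimate uses can widen `allowed_types` while keeping the label rule, which is the minimum James Cloos and Andrew Ayer are asking for.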