Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasing-requirements-00.txt
Phillip Hallam-Baker <hallam@gmail.com> Thu, 03 March 2011 14:46 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C5B933A67B2 for <dnsext@core3.amsl.com>; Thu, 3 Mar 2011 06:46:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.831
X-Spam-Level:
X-Spam-Status: No, score=-2.831 tagged_above=-999 required=5 tests=[AWL=-0.717, BAYES_00=-2.599, HTML_FONT_FACE_BAD=0.884, HTML_MESSAGE=0.001, J_CHICKENPOX_54=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ILbKB8mRMnsV for <dnsext@core3.amsl.com>; Thu, 3 Mar 2011 06:46:33 -0800 (PST)
Received: from mail-bw0-f44.google.com (mail-bw0-f44.google.com [209.85.214.44]) by core3.amsl.com (Postfix) with ESMTP id D7C783A69DC for <dnsext@ietf.org>; Thu, 3 Mar 2011 06:46:32 -0800 (PST)
Received: by bwz13 with SMTP id 13so1408960bwz.31 for <dnsext@ietf.org>; Thu, 03 Mar 2011 06:47:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=EQVL4VJXb7aqvJB55L+wN4I3m7S4vkKcmd/8EkOuPoM=; b=SpXxYp2ce8+huHoW7l1jYSdlxz/YIDS0+oTD/B8oD58W8jv/LNXby6J2Hqj2FINK9V N2nbFQ5qBFGMjreVp5XFnv96lGbwm+6fXm5ugZaaBUmnM6jQ2IGFLhd0q0ZJ/cKZF5I9 IidgoQIHgkhuPDCuAr4oaqpRVVlGN+nzS8y+o=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=j6QSP69ERVbKC1bCD9wHeOrGPxxZYjPmqMd/oIvctpXyrdoHnP4yLHO6JN2eMaLcfb CWMjoyFn3p1izDcAyRlbNqS2naCZNY4Bu6334NpXEvC86Th9wflK/0muHxVdv6tjqtIB z28ZrX8uimpNbENHJW6ikCcPlbm+LQmcxRKuM=
MIME-Version: 1.0
Received: by 10.204.231.66 with SMTP id jp2mr530713bkb.33.1299163659715; Thu, 03 Mar 2011 06:47:39 -0800 (PST)
Received: by 10.204.14.139 with HTTP; Thu, 3 Mar 2011 06:47:39 -0800 (PST)
In-Reply-To: <alpine.LSU.2.00.1103031127240.14985@hermes-1.csi.cam.ac.uk>
References: <20110227191542.6824.qmail@joyce.lan> <335963D7-3440-45E6-843C-38F419462792@cisco.com> <AANLkTi=4VuWBJ1i87xMkFj=Q59=0Q0aOLsxrSqRLf61s@mail.gmail.com> <alpine.LSU.2.00.1103031127240.14985@hermes-1.csi.cam.ac.uk>
Date: Thu, 03 Mar 2011 09:47:39 -0500
Message-ID: <AANLkTi=YWNH35Zxf_F2M8M=siaXRh5_kiTYjPb8YRawL@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Tony Finch <dot@dotat.at>
Content-Type: multipart/alternative; boundary="485b393ab62b714caf049d951cfa"
Cc: dnsext@ietf.org
Subject: Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasing-requirements-00.txt
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Mar 2011 14:46:34 -0000
OK, I am not yet convinced that this is acceptably secure, but I withdraw my earlier objection, see below. 2011/3/3 Tony Finch <dot@dotat.at>: > On Tue, 1 Mar 2011, Phillip Hallam-Baker wrote: >> >> 2) The Server performs the rewrite. >> >> This is really hard to achieve as it requires the server to know that >> the mapping even exists. >> >> Typically a server is responding to hundreds of domains. Even large >> production servers do this. If a server receives a request for a.com >> it has no means of knowing that it 'should' map that to b.com unless >> the DNS configuration is somehow mapped to the Web administration. >> >> This is quite straightforward to handle administratively when the >> mapping is www.b.com to b.com because the source and target are in the >> same administrative zone. But this is not going to work if the mapping >> is being controlled by a TLD. > > On the contrary, this is trivial for the server to do by dynamically > looking up a.com and seeing if it is a BNAME pointing at b.com. That would not meet my definition of 'straightforward'. From a security point of view, having my server mappings controlled by BNAMES in the TLD... > However the server administrator probably does not want the server to > accept requests for arbitrary domains just because they have a BNAME > pointer. So it is straightforward but stupid, OK we seem to agree here. > So there has to be a list of valid aliases somewhere accessible to the > server, either in the DNS for b.com (used like "paranoid" reverse DNS > checking) or in the server's configuration. > > Given the existence of HTTP redirects, I'm not entirely sure that it is > reasonable to forbid DNS aliasing. But server administrators are free to > choose between loose dynamic configurations and tight explicit > configurations without affecting clients. There is a big difference between a redirect issued by the administrator of the target and a redirect issued by a third party. > The question for this group is if we specify something like BNAME if we > should also specify how to put the corresponding back-references in the > canonical domain. That could help the situation. It could be quite efficiently encoded as a circular list. Each alias would have a link to the canonical name and the next alias in the list. This would also act to prevent an alias being effected without the consent of the target domain since they would have to recognize the list. Consider the following. let canonical.tld be the target and alias.tld and alias.atld be the aliases. An appropriate configuration would be: ! Records maintained by admin for tld and atld canonical.tld NS <blah> canonical.tld xlnk alias.tld alias.tld xname canonical.tld alias.tld xlnk alias.atld alias.atld xname canonical.tld alias.atld xlnk canonical.tld ! Records maintained locally canonical.tld A 10.0.0.1 canonical.tld AAAA 1:00:1 canonical.tld clnk www.canonical.tld canonical.tld xx www.canonical.tld cname canonical.tld www.canonical.tld clnk canonical.tld I can see a fairly strong separation of control there. This mechanism could in principle be used by either clients or servers. It could also be used by resolvers synthesizing up a dynamic HTTP response. That would give us a chance of getting a deployment to actually happen. So an aware resolver needs to be able to know if the server is capable of accepting the request or not. If the server accepts this type of alias it can simply return the records and get out of the way. Otherwise an HTTP redirect is going to be required. The resolver could do this by pinging the Web server, but it is better to have that information in the zone. Hence the need for the xx record which is basically a way to say 'this zone handles this extension'. -- Website: http://hallambaker.com/
- [dnsext] I-D Action:draft-ietf-dnsext-aliasing-re… Internet-Drafts
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Suzanne Woolf
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Ted Hardie
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Doug Barton
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Stephane Bortzmeyer
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Doug Barton
- Re: [dnsext] I-DAction:draft-ietf-dnsext-aliasing… George Barwood
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Alex Bligh
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… John Levine
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Patrik Fältström
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Stephane Bortzmeyer
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Alex Bligh
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Paul Hoffman
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Dan Schlitt
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Paul Vixie
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Alex Bligh
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Alex Bligh
- [dnsext] How to bring discussion to a close (was:… Andrew Sullivan
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Niall O'Reilly
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Alex Bligh
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Stephane Bortzmeyer
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Niall O'Reilly
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Niall O'Reilly
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Alex Bligh
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Niall O'Reilly
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Phillip Hallam-Baker
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Tony Finch
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Mark Andrews
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Tony Finch
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Tony Finch
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Mark Andrews
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Tony Finch
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Mark Andrews
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Phillip Hallam-Baker
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Tony Finch
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Alex Bligh
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Mark Andrews
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Mark Andrews
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Masataka Ohta
- [dnsext] errata on RFC1034 for recursive aliasing… Masataka Ohta
- Re: [dnsext] errata on RFC1034 for recursive alia… Mark Andrews
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Stephane Bortzmeyer
- Re: [dnsext] errata on RFC1034 for recursive alia… Andrew Sullivan
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Niall O'Reilly
- Re: [dnsext] errata on RFC1034 for recursive alia… Masataka Ohta
- Re: [dnsext] errata on RFC1034 for recursive alia… Andrew Sullivan
- Re: [dnsext] errata on RFC1034 for recursive alia… Paul Vixie
- Re: [dnsext] errata on RFC1034 for recursive alia… Masataka Ohta
- Re: [dnsext] errata on RFC1034 for recursive alia… Brian Dickson
- Re: [dnsext] errata on RFC1034 for recursive alia… John Levine
- Re: [dnsext] errata on RFC1034 for recursive alia… Masataka Ohta
- [dnsext] pricing for equivalent localized domain … Masataka Ohta
- Re: [dnsext] pricing for equivalent localized dom… John Levine
- Re: [dnsext] errata on RFC1034 for recursive alia… Brian Dickson
- Re: [dnsext] pricing for equivalent localized dom… Masataka Ohta
- Re: [dnsext] errata on RFC1034 for recursive alia… Masataka Ohta
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Brian Dickson
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Doug Barton