Re: [DNSOP] Redefining name canonicalization
Florian Weimer <fweimer@redhat.com> Fri, 05 May 2017 14:04 UTC
Return-Path: <fweimer@redhat.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5E48127BA3 for <dnsop@ietfa.amsl.com>; Fri, 5 May 2017 07:04:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.223
X-Spam-Level:
X-Spam-Status: No, score=-4.223 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f_HTco_bRjVI for <dnsop@ietfa.amsl.com>; Fri, 5 May 2017 07:04:31 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7F04126B6E for <dnsop@ietf.org>; Fri, 5 May 2017 07:04:30 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 10F08448D75; Fri, 5 May 2017 14:04:30 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 10F08448D75
Authentication-Results: ext-mx05.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx05.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=fweimer@redhat.com
DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 10F08448D75
Received: from oldenburg.str.redhat.com (ovpn-117-246.ams2.redhat.com [10.36.117.246]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 5C3D07ADD0; Fri, 5 May 2017 14:04:29 +0000 (UTC)
To: Bob Harold <rharolde@umich.edu>
Cc: dnsop <dnsop@ietf.org>
References: <24869f89-8335-6ad8-667d-300b852957a1@redhat.com> <CA+nkc8AT00gkd1RdQ21Xws=2iaiAxmT9ChZssiiw2qQ4vj2b=Q@mail.gmail.com>
From: Florian Weimer <fweimer@redhat.com>
Message-ID: <22dffab8-1459-4074-e519-3fdda0f3ed4f@redhat.com>
Date: Fri, 05 May 2017 16:04:28 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.0
MIME-Version: 1.0
In-Reply-To: <CA+nkc8AT00gkd1RdQ21Xws=2iaiAxmT9ChZssiiw2qQ4vj2b=Q@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Fri, 05 May 2017 14:04:30 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/5UhCW8RWcvW-_KOBniwNvQuhFWU>
Subject: Re: [DNSOP] Redefining name canonicalization
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 May 2017 14:04:33 -0000
On 04/21/2017 05:08 PM, Bob Harold wrote: > I can understand you wanting a "getfqdn" function to return the FQDN (fully > qualified domain name) without doing canonicalization. > > But just so we are clear on the DNS terms, > "access.redhat.com" and "access.redhat.com.edgekey.net" are "aliases" > "e133.b.akamaiedge.net" is the canonical name. > > access.redhat.com is an alias for access.redhat.com.edgekey.net. > access.redhat.com.edgekey.net is an alias for e133.b.akamaiedge.net. > e133.b.akamaiedge.net has address 104.67.69.246 I'm aware of the terminology. I just think that in terms of RFC 3493, it would make sense to restrict the name transformation applied with AI_CANONNAME on the current internet, i.e. clarify that here If the AI_CANONNAME flag is specified and the nodename argument is not null, the function shall attempt to determine the canonical name corresponding to nodename (for example, if nodename is an alias or shorthand notation for a complete name). “alias” does not refer to CNAME chain resolution, but other forms of alias processing (like the slightly historic HOSTALIASES processing). This would help to address long-standing security issues in name canonicalization, e.g. in Kerberos deployments. Thanks, Florian
- [DNSOP] Redefining name canonicalization Florian Weimer
- Re: [DNSOP] Redefining name canonicalization Bob Harold
- Re: [DNSOP] Redefining name canonicalization Florian Weimer
- Re: [DNSOP] Redefining name canonicalization Mark Andrews