Re: [DNSOP] DNS for Cloud Resources in draft-ietf-rtgwg-net2cloud-problem-statement-08

Michael StJohns <msj@nthpermutation.com> Wed, 11 March 2020 18:53 UTC

To: dnsop@ietf.org
References: <a88c3dbefb2346239a4be8c11f37695f@verisign.com>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <2bf4ce41-4820-0db4-ed00-c5e030167ba3@nthpermutation.com>
Date: Wed, 11 Mar 2020 14:53:04 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/TvUhIJ-wVIFduW-z0rIa0a9GDBM>
Subject: Re: [DNSOP] DNS for Cloud Resources in draft-ietf-rtgwg-net2cloud-problem-statement-08
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

On 3/11/2020 2:19 PM, Hollenbeck, Scott wrote:
> (Sorry, this is a late response to a review request originally sent to the dnsop list on 11 February)
>
> Section 3.4 (DNS for Cloud Resources) includes these sentences:
>
> "Globally unique names do prevent any possibility of collision at the present or in the future and they make DNSSEC trust manageable. It's not as if there is or even could be some sort of shortage in available names that can be used, especially when subdomains and the ability to delegate administrative boundaries are considered."
>
> Could we make the last sentence stronger, perhaps with a statement like this from the US CERT WPAD Name Collision Vulnerability alert dated May 23, 2016?
>
> "Globally unique names do prevent any possibility of collision at the present or in the future and they make DNSSEC trust manageable. Consider using a registered and fully qualified domain name (FQDN) from global DNS as the root for enterprise and other internal namespaces."
>
> https://www.us-cert.gov/ncas/alerts/TA16-144A
>
> The alert actually says "other internal namespace", but I think that's a typo.
>
> Scott

Hi - I haven't read this document except to scan it for context for 
the above.  What triggered me was the combination of "DNSSEC" and 
"unique names".

Either of these may not be accurate statements.   While DNS names can be 
globally unique, the glyph representations that we depend upon can map 
to multiple actual DNS names.  See 
https://en.wikipedia.org/wiki/IDN_homograph_attack

Please consider whether this is an issue here.  It may not be, but if 
not, probably worth a sentence in the security considerations section.

Later, Mike
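Added illustration of the point above (this is editorial example code, not part of Mike's or Scott's message and not from the draft): two hostnames that render with the same glyphs are distinct DNS names on the wire, because IDNA converts each Unicode label to a different A-label. The block uses only the Python standard library; the hostnames are constructed for the example, and the mixed-script check is a simple heuristic (script taken from the Unicode character name), not a full implementation of the Unicode confusables data.

```python
import unicodedata


def to_alabel(name: str) -> str:
    """Return the wire form of a hostname: each label converted with the
    stdlib IDNA codec, so non-ASCII labels come out as xn-- punycode."""
    return name.encode("idna").decode("ascii")


def scripts_in_label(label: str) -> set:
    """Collect the scripts used in one label, taken from the first word of
    each character's Unicode name (LATIN, CYRILLIC, GREEK, ...).
    ASCII digits and the hyphen are script-neutral and are skipped."""
    scripts = set()
    for ch in label:
        if ch in "-0123456789":
            continue
        # Unknown/unnamed code points are reported as their own bucket.
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def is_mixed_script(name: str) -> bool:
    """Heuristic homograph check: flag a name if any single label mixes
    more than one script (e.g. Latin letters with a Cyrillic 'a')."""
    return any(len(scripts_in_label(label)) > 1 for label in name.split("."))


def same_glyphs_different_names(a: str, b: str) -> bool:
    """True when two hostnames are different DNS names (different A-labels)
    even though they may look identical when rendered."""
    return a != b and to_alabel(a) != to_alabel(b)


if __name__ == "__main__":
    # Constructed sample: ASCII "paypal.com" versus the same string with the
    # second letter replaced by CYRILLIC SMALL LETTER A (U+0430).
    ascii_name = "paypal.com"
    lookalike = "p\u0430ypal.com"
    for n in (ascii_name, lookalike):
        print(f"{n!r:22} -> {to_alabel(n):22} mixed-script={is_mixed_script(n)}")
    print("distinct DNS names:", same_glyphs_different_names(ascii_name, lookalike))
```

Running it shows that `paypal.com` stays `paypal.com` while the look-alike becomes `xn--pypal-4ve.com`: the resolver, and any DNSSEC validation, operates on the A-label, so the two are unrelated names even though a user reading the glyphs cannot tell them apart. The mixed-script test catches this particular case but not a label written entirely in one confusable script, which is why registries and browsers also rely on per-script policies and the Unicode confusables tables.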