Re: [DNSOP] Redefining name canonicalization

Bob Harold <rharolde@umich.edu> Fri, 21 April 2017 15:08 UTC

From: Bob Harold <rharolde@umich.edu>
Date: Fri, 21 Apr 2017 11:08:34 -0400
Message-ID: <CA+nkc8AT00gkd1RdQ21Xws=2iaiAxmT9ChZssiiw2qQ4vj2b=Q@mail.gmail.com>
To: Florian Weimer <fweimer@redhat.com>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="001a113f1b0acba80d054daea164"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ZMCHNpIBYhW_D5VP6iUNojTuq4Q>
Subject: Re: [DNSOP] Redefining name canonicalization

On Thu, Apr 13, 2017 at 5:29 AM, Florian Weimer <fweimer@redhat.com> wrote:

> I would like to propose to restrict name canonicalization (as performed
> by stub resolvers) to forming a fully-qualified domain name with the help
> of the search list.
>
> With the current rules based on resolving CNAME chains, we end up with the
> following results:
>
> >>> socket.getfqdn('access.redhat.com')
> 'a23-214-169-56.deploy.static.akamaitechnologies.com'
> >>> socket.getfqdn('access')
> 'a23-214-169-56.deploy.static.akamaitechnologies.com'
>
> This is pretty much useless.  In fact, what is advertised here as the
> canonical name is just a temporary, location-dependent name which bears no
> direct relationship to the service being provided.  There isn't anything
> canonical about it.
>
> I think both calls should return 'access.redhat.com' (assuming that
> 'redhat.com' is the search list entry which is used to form the FQDN).
>
> This also avoids issues related to insecure name canonicalization (based
> on spoofable DNS data) which affects the use of some cryptographic
> libraries, notably Kerberos.
>
> Comments?
>
> Thanks,
> Florian
>
>
I can understand you wanting a "getfqdn" function to return the FQDN (fully
qualified domain name) without doing canonicalization.

But just so we are clear on the DNS terms:
"access.redhat.com" and "access.redhat.com.edgekey.net" are "aliases";
"e133.b.akamaiedge.net" is the canonical name.

access.redhat.com is an alias for access.redhat.com.edgekey.net.
access.redhat.com.edgekey.net is an alias for e133.b.akamaiedge.net.
e133.b.akamaiedge.net has address 104.67.69.246

-- 
Bob Harold
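The two behaviours the thread contrasts, as an added example that is not part of either message: forming the FQDN from the search list only (Florian's proposal) versus following the CNAME chain to the canonical name (what getfqdn does today). The zone data is constructed from the alias chain Bob lists; the search list, the ndots rule and the loop guard are assumptions modelled on the conventional stub-resolver behaviour, not on any particular implementation.

```python
# Constructed zone data: the alias chain from Bob's reply, ending in the
# canonical name and its address. Names are stored without a trailing dot.
CNAME = {
    "access.redhat.com": "access.redhat.com.edgekey.net",
    "access.redhat.com.edgekey.net": "e133.b.akamaiedge.net",
}
ADDRESS = {"e133.b.akamaiedge.net": "104.67.69.246"}
SEARCH_LIST = ["redhat.com"]   # assumed search list, as in Florian's message
NDOTS = 1                      # assumed resolver ndots threshold

def _exists(name):
    return name in CNAME or name in ADDRESS

def fqdn_via_search_list(name):
    """Florian's proposal: qualify the name with the search list and stop.
    No CNAME is followed, so the result is under the caller's own domain."""
    if name.endswith("."):          # absolute name: no search-list processing
        name = name[:-1]
        return name if _exists(name) else None
    tries = [f"{name}.{suffix}" for suffix in SEARCH_LIST]
    # ndots rule: a name with at least NDOTS dots is tried as given first,
    # otherwise the search-list candidates come first and the bare name last
    if name.count(".") >= NDOTS:
        tries.insert(0, name)
    else:
        tries.append(name)
    for candidate in tries:
        if _exists(candidate):
            return candidate
    return None

def canonical_name(name, max_hops=8):
    """Current getfqdn behaviour: follow the CNAME chain to its end. The
    result is the CDN's location-dependent name, not the service name."""
    fqdn = fqdn_via_search_list(name)
    if fqdn is None:
        return None
    hops = 0
    while fqdn in CNAME:
        hops += 1
        if hops > max_hops:         # guard against looping or runaway chains
            raise ValueError(f"CNAME chain from {name!r} too long or looping")
        fqdn = CNAME[fqdn]
    return fqdn

def address_of(name):
    """Address lookup still needs the full chain; only the *name* returned
    to the caller differs between the two behaviours."""
    target = canonical_name(name)
    return ADDRESS.get(target) if target else None
```

With this data both `fqdn_via_search_list("access")` and `fqdn_via_search_list("access.redhat.com")` give `access.redhat.com`, while `canonical_name` gives `e133.b.akamaiedge.net` for both, which is the difference the thread is about.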