Re: [dnssd] UTF8 use in DNS populated by mDNS
Douglas Otis <doug.mtview@gmail.com> Tue, 25 November 2014 02:25 UTC
Return-Path: <doug.mtview@gmail.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30CD11A88CC for <dnssd@ietfa.amsl.com>; Mon, 24 Nov 2014 18:25:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gtglU70Q8fWe for <dnssd@ietfa.amsl.com>; Mon, 24 Nov 2014 18:25:05 -0800 (PST)
Received: from mail-qg0-x233.google.com (mail-qg0-x233.google.com [IPv6:2607:f8b0:400d:c04::233]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E39581A88C0 for <dnssd@ietf.org>; Mon, 24 Nov 2014 18:25:04 -0800 (PST)
Received: by mail-qg0-f51.google.com with SMTP id l89so7600010qgf.24 for <dnssd@ietf.org>; Mon, 24 Nov 2014 18:25:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=5VPYQZOh7Oyvt3AGM29RGT9v+lRqRm3NbISNCbvC7jI=; b=z/S1vUkET+6u+N93mdelstfPg8gEilYIzviJllwo693ghy0O2SuVFWDsmACw8FdeNe L9MY4So1YsNPobtIEdgiGObrRBCQKSej6JeJ4WCR1kehCNifmpra2j/CnwLA640CyXlP W/+Vumt+5nhmmspE1CkWmFgovtL9Ri65HUG1/FpneM3uiyokyeUVp2SrToa8UHGLRGSy mVSAn8NhEjPMeQ5DbIheVjRSlY6zh/YbHObewLScOachHULWFXYs9XYj9H+7HMmpFMww QYV2AqQajfysEuDnprnA3oBZ4vlNzu3Dg4zy1HyWSFInZfWZSJEX56l+QD+/1TnIaHyn xYYw==
X-Received: by 10.140.46.52 with SMTP id j49mr15112069qga.30.1416882304220; Mon, 24 Nov 2014 18:25:04 -0800 (PST)
Received: from [192.168.0.54] (107-0-5-6-ip-static.hfc.comcastbusiness.net. [107.0.5.6]) by mx.google.com with ESMTPSA id u8sm13611385qat.27.2014.11.24.18.25.03 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 24 Nov 2014 18:25:03 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Douglas Otis <doug.mtview@gmail.com>
In-Reply-To: <20141124164333.GK2860@mx1.yitter.info>
Date: Mon, 24 Nov 2014 18:25:02 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <1DCC9163-1439-4458-897F-9AAD1F9345CA@gmail.com>
References: <0996A6E1-5218-4AFB-8646-D1047266C9ED@gmail.com> <20141120221150.GA2345@mx1.yitter.info> <5C4A3890-E575-4A88-81E6-F1EFF9930FB1@gmail.com> <20141124164333.GK2860@mx1.yitter.info>
To: Andrew Sullivan <ajs@anvilwalrusden.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/dnssd/H13WPPDn9CvVsh4C-TWcvZgdQL0
Cc: dnssd@ietf.org
Subject: Re: [dnssd] UTF8 use in DNS populated by mDNS
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion of extensions to Bonjour \(mDNS and DNS-SD\) for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Nov 2014 02:25:07 -0000
On Nov 24, 2014, at 8:43 AM, Andrew Sullivan <ajs@anvilwalrusden.com> wrote: > Hi, > > On Fri, Nov 21, 2014 at 06:29:12PM -0800, Douglas Otis wrote: >> Dear Andrew, >> >> DNS-SD generates: >> 'Service Instance Name = <Instance> . <Service> . <Domain>' > > Yes. > >> While there are restrictions on code points that define 'Instance' per RFC5198 with an additional stipulation not to include values between 0x00-0x1F and 0x7F > > Yes. > >> , how the 'Domain' portion is determined is far less clear. > > No. > > If you read RFC 6763 carefully, you will note that the Domain portion > is also restricted to RFC 5198, which is approximately UTF-8 in NFC. It does not clearly defined where this string is obtained however, and RFC5198 offers scant protection from trivially spoofed domains. >> This is a concern when derived from easily spoofed multicast mDNS responses. It is important a visual selection process does its best to preclude trivial domain spoofing which might resolve malicious sources. > > If what you're attempting to do is prescribe, in the output of this > WG, general rules for "anti-phishing" for domain names, I am going to > resist the creation of such rules by this WG. The WG doesn't have the > requisite expertise to do that, and DNSOP is an already-existing WG > that has a possibly relevant charter (though unfortunately almost > certainly inadequate clue about the relevant i18n issues). If so, a logical approach would be to specify rules currently defined for domains permitted by registrars using IDNA2008. Unless otherwise constrained by manual lists, this will still represent a difficult albeit vital check. >> The concern is specifically with visually deceptive resources. Limitations on what is allowed should ensure against abuse of right-to-left and left-to-right issues for example. > > LTR and RTL issues have remarkably little to do with phishing except > in some quite specific circumstances, and in those cases it is > _imposible_ for an application to cope with the edge case in > general, because of the distributed operation of the DNS. Strongly disagree. Some type of TLD restriction MUST be imposed to prevent rampant abuse. This might mean only allowing domains found in the search domain list, or those defined for local networks. >> Some TLDs protect users with additional rules enforced by registrars that extend beyond those imposed by IDNA2008. > > Yes. That's registration policy and it is way beyond the capability > of this WG to create in a perfectly general way. Being defined in the search list, or resolved within the Internet after conversion to A-Label form is well within the WG's ability. >> Allowing naive UTF-8 publication of mDNS resources into DNS without conversion to A-labels permitted for DNS suggests there will be an even greater need to qualify what appears to be external actually resides within the Internet. > > No. As Dave Thaler argued quite clearly in Honolulu, you can have all > the phishing problems you want using either IDNA2008 or plain UTF-8 > labels. These are totally orthoganal problems. Again strongly disagree. Only when there is a way to constrain the domains administrators may wish to permit, the there is no limit on the level of very nasty spoofing techniques possible. Leaving this open to any domain permitted by RFC5198 makes controlling this issue fairly impractical. >> A step facilitated by imposing use of ugly A-labels within local publication should also better guard against cache abuse as well. > > How? By constraining the range of domains local DNS is expected to handle prevents trivial exploits that may also overwhelm local storage. Such an impact might defeat TOFU methods for example. Regards, Douglas Otis
- [dnssd] UTF8 use in DNS populated by mDNS Douglas Otis
- Re: [dnssd] UTF8 use in DNS populated by mDNS Andrew Sullivan
- Re: [dnssd] UTF8 use in DNS populated by mDNS Patrik Fältström
- Re: [dnssd] UTF8 use in DNS populated by mDNS Douglas Otis
- Re: [dnssd] UTF8 use in DNS populated by mDNS Andrew Sullivan
- Re: [dnssd] UTF8 use in DNS populated by mDNS Douglas Otis