[dnssd] Review of draft-ietf-dnssd-mdns-dns-interop-01
"Hosnieh Rafiee" <ietf@rozanak.com> Wed, 22 July 2015 05:43 UTC
From: Hosnieh Rafiee <ietf@rozanak.com>
To: dnsop@ietf.org
Date: Wed, 22 Jul 2015 07:43:21 +0200
Cc: dnssd@ietf.org
Hello, I reviewed this draft. To be clear, I am not an expert in Unicode or internationalized character sets. My comments are as follows:

I think there is an attack on the interoperation of mDNS and unicast DNS, and I think it is applicable to this draft, while in the security considerations no mitigation mechanism is mentioned.

- Mixing mDNS and unicast DNS names: a poor implementation might allow an attacker to respond to a unicast DNS query sent by a client for the purpose of resolving a global domain name. If the mDNS requests are prioritized, there is a possibility that the client accepts the mDNS response and prioritizes it over unicast DNS names. Therefore, the attacker has a chance to offer a fake response. The risk of this attack is higher when the internationalized character set is allowed in the unicast DNS server. The possible mitigation is authentication of a service as well as the unicast DNS.

Now the question is whether it is also possible to cheat the recursive resolver with mDNS responses while looking up a domain. If the priority for looking up names is first unicast DNS and then mDNS, then in this case there might be a lot of traffic to unicast DNS servers, and if it is the other way round, then there might be the possibility of the attack mentioned above. Mitigation: authentication of the recursive resolver.

- Section 3

<snip> U-labels cannot contain upper case letters </snip>

For some languages, an upper case letter does not make a difference, especially for some letters, and especially in the languages where a word is the result of attaching the characters together. I think this is especially true for non-European languages. Two examples are Persian or Arabic. Therefore, one cannot differentiate between mDNS services and DNS names only by considering that DNS cannot use uppercase U-labels.

- Section 4.2

It is not a requirement of DNS-SD to use the underscore character; as far as I can see it is only a recommendation. Please see https://tools.ietf.org/html/rfc6763#section-7. Therefore, the attacker can use domain names similar to unicast DNS ones for its fake service, which might result in confusion of the recursive DNS servers.

Thanks,
Best,
Hosnieh

> -----Original Message-----
> From: dnssd [mailto:dnssd-bounces@ietf.org] On Behalf Of Ralph Droms (rdroms)
> Sent: Tuesday, July 21, 2015 10:06 AM
> To: dnsop@ietf.org
> Subject: [dnssd] Requesting review of draft-ietf-dnssd-mdns-dns-interop-01
>
> Hi - The dnssd chairs would like to get some reviews of draft-ietf-dnssd-mdns-dns-interop-01, "On Interoperation of Labels Between mDNS and DNS," from dnsop participants. draft-ietf-dnssd-mdns-dns-interop-01 is currently in dnssd WG last call and last call comments will be discussed in the dnssd WG meeting this week.
>
> Please post your feedback to dnsop or send to Tim and myself.
>
> - Ralph
>
> Bcc: dnssd@ietf.org
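The check below is an added illustration of the point argued in the review above (label heuristics such as upper-case letters or underscores give no signal for caseless scripts, so a resolver should decide by name scope which answer source it trusts); it is not code from the draft, the review or the IETF. The accept policy, the answer-source labels 'mdns'/'unicast' and the constructed Persian sample label are assumptions made for this example.

```python
# Added example: name-scope check for a resolver that uses both mDNS and
# unicast DNS. Not code from draft-ietf-dnssd-mdns-dns-interop or the IETF.

# Constructed sample: the Persian word for "printer", written with escapes
# so the file stays ASCII. Arabic-script letters have no upper/lower case.
PERSIAN_PRINTER = "\u0686\u0627\u067e\u06af\u0631"


def labels(name):
    """Split a DNS name into labels, ignoring a trailing dot and empty labels."""
    return [lbl for lbl in name.rstrip(".").split(".") if lbl]


def has_case_signal(label):
    """True only if the label contains at least one cased letter.
    For Persian/Arabic labels this is False, so 'contains upper case'
    can never separate an mDNS name from a U-label there."""
    return any(ch.isupper() or ch.islower() for ch in label)


def label_heuristic_says_mdns(name):
    """Label-based heuristic as the review describes it: an upper-case letter
    (impossible in a U-label) or an underscore service label marks the name
    as mDNS/DNS-SD. Returns False when the labels carry no such signal."""
    for lbl in labels(name):
        if lbl.startswith("_") or any(ch.isupper() for ch in lbl):
            return True
    return False


def is_mdns_scope(name):
    """Scope rule from RFC 6762: mDNS is authoritative only under '.local'."""
    ls = labels(name)
    return bool(ls) and ls[-1].lower() == "local"


def accept_answer(query_name, source):
    """Assumed mitigation policy: accept an answer only from the resolver the
    name's scope designates ('mdns' for .local, 'unicast' for anything else),
    whatever the labels look like. An mDNS reply therefore never satisfies a
    query for a global name, which is the spoofing path the review describes."""
    if source not in ("mdns", "unicast"):
        raise ValueError("unknown answer source: %r" % (source,))
    expected = "mdns" if is_mdns_scope(query_name) else "unicast"
    return source == expected
```

For the constructed Persian service name the label heuristic returns False while the scope rule still classifies it correctly, and any mDNS answer for a global name is refused.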