IETF Logo Mail Archive

Re: [dnssd] I-D Action: draft-ietf-dnssd-mdns-dns-interop-01.txt

Andrew Sullivan <ajs@anvilwalrusden.com> Mon, 20 July 2015 14:53 UTC

Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4ADD71A896A for <dnssd@ietfa.amsl.com>; Mon, 20 Jul 2015 07:53:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vx9aDb4EL2EY for <dnssd@ietfa.amsl.com>; Mon, 20 Jul 2015 07:53:38 -0700 (PDT)
Received: from mx2.yitter.info (mx2.yitter.info [50.116.54.116]) by ietfa.amsl.com (Postfix) with ESMTP id A77771A8A0E for <dnssd@ietf.org>; Mon, 20 Jul 2015 07:53:38 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mx2.yitter.info (Postfix) with ESMTP id 3B93410012 for <dnssd@ietf.org>; Mon, 20 Jul 2015 14:53:38 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at crankycanuck.ca
Received: from mx2.yitter.info ([127.0.0.1]) by localhost (mx2.yitter.info [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MiUQcY_vXlAp for <dnssd@ietf.org>; Mon, 20 Jul 2015 14:53:37 +0000 (UTC)
Received: from mx2.yitter.info (unknown [IPv6:2001:67c:370:176:fcf7:b436:4322:f7c2]) by mx2.yitter.info (Postfix) with ESMTPSA id 0BA2910370 for <dnssd@ietf.org>; Mon, 20 Jul 2015 14:53:35 +0000 (UTC)
Date: Mon, 20 Jul 2015 16:53:32 +0200
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnssd@ietf.org
Message-ID: <20150720145331.GB659@mx2.yitter.info>
References: <20150704212511.22803.60661.idtracker@ietfa.amsl.com> <20150705002321.GB48722@mx2.yitter.info> <559B2A77.9030606@gmail.com> <20150707024239.GC52436@mx2.yitter.info> <559C83C1.9070103@gmail.com> <20150708024330.GA55186@mx2.yitter.info> <559CD5D9.4030000@gmail.com> <20150708142002.GE58386@mx2.yitter.info> <55ACC048.9060606@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <55ACC048.9060606@gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnssd/_NDZIHv4vTZR3wqsrW32GVzfu6c>
Subject: Re: [dnssd] I-D Action: draft-ietf-dnssd-mdns-dns-interop-01.txt
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion of extensions to Bonjour \(mDNS and DNS-SD\) for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2015 14:53:41 -0000

On Mon, Jul 20, 2015 at 11:32:56AM +0200, Douglas Otis wrote:
> A split horizon DNS configuration is often used by
> enterprises

Yes.

> space as a valid security method to exclude external

No.  We know that split horizon systems leak stuff all over the place.
There is no reason at all to suppose that names in a split horizon
environment successfully keep any name secret.  Split horizon is
extremely popular snake oil.  

> queries.  Such split horizon DNS might be used within local
> environments as a method to overcome WiFi limitations.

I don't know what this means.

> There should be no expectation that a locally defined domain
> conforms with IDNA2008 and does not deserve an out-of-hand
> dismissal.

There is no expectations that any domain conforms with IDNA2008.
There is no protocol rule that DNS names are encoded in any way at
all.  What we know is that names near the root of the DNS have, as a
matter of policy, a restriction on what they'll accept, and it
conforms with IDNA.

If your argument is that someone with a split horizon has made up for
themselves some TLD (say, "corp"), and are sending queries toward that
which sometimes leak, well, they're doing the stupidest possible thing
you can do in the DNS, which is to make up a name that is not
registered and try to use it in the DNS.  If such names leak, well,
too bad.  That's what you get for making up a random name and using it
on the global Internet.

> This relates to Ambiguous Local Qualified Domain Name
> (ALQDN) space (see RFC7368), such as .home as suggested by
> the hybrid draft, or even a domain expressed using UTF-8
> label locally recognized (not encoded and without the 'xn--'
> prefix) can represent locally defined domains that contain
> sensitive information.  As such, the profiles you are
> attempting to construct might even consider bolstering such
> exclusions as an element in any developed profile.

No, because the profile that I'm attempting to describe the principles
for will _by definition_ produce things that are suitable for the DNS.
If what you're saying is that there might be stuff that by policy is
just as unlikely to appear in the public DNS near the root as raw
UTF-8, then I'm just as happy to refer to it.  But excluding the ALQDN
won't work, because the ALQDN only works if you can query it
somewhere, and this profile is intended to restrict the number of
things you can query.

> 
> Again, the general statement made in section 4.3 third sentence:

[&c.]  I think I already agreed to how this could change, so I'm
eliding this part.

> Remove any indication that DNS-SD structures contained in a
> locally defined domain are automatically assumed global.

There is no such assumption.

> It seems you misunderstood the objection to your statements
> regarding absolute assertions of TLDs seen within a local
> environment.

What are "TLDs seen within a local environment"?  If I do tcpdump on
my box, I see lots of .com and .org.  I presume that's not what you
mean?
 
> There are indeed separate global and local namespaces which

Yes, but _we don't know_ in principle which place we're supposed to
look something up.  If we knew that, we wouldn't need any of this
absurd stuff.

> expected in .local TLD.  A locally defined domain may not
> always be .home

You don't get to just make up TLDs and configure them locally.  I
should have thought that Verisign's site finder made this painfully
obvious to people, though the experience with home, corp, and mail
gives one pause.

> When a domain is locally defined and locally accessible, why
> not include encoding exceptions with a reasonable strategy
> how such zones are ascertained?

Because you have no idea whether a domain is "local", however that
works, or not.

> Our differences seem to relate to securing locally defined
> TLDs such as Ambiguous Local Qualified Domain Name (ALQDN)
> space referenced in RFC7368.

Well, it's hinted at by 7368.  It's not actually specified anywhere
yet.

> Placing such resources into locally defined and only locally
> accessible domains

There is no such thing as this beast.

Best regards,

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com

v2.23.0 | Report a Bug | By Email