Re: [dnssd] I-D Action: draft-ietf-dnssd-mdns-dns-interop-01.txt
Andrew Sullivan <ajs@anvilwalrusden.com> Mon, 20 July 2015 14:53 UTC
Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4ADD71A896A for <dnssd@ietfa.amsl.com>; Mon, 20 Jul 2015 07:53:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vx9aDb4EL2EY for <dnssd@ietfa.amsl.com>; Mon, 20 Jul 2015 07:53:38 -0700 (PDT)
Received: from mx2.yitter.info (mx2.yitter.info [50.116.54.116]) by ietfa.amsl.com (Postfix) with ESMTP id A77771A8A0E for <dnssd@ietf.org>; Mon, 20 Jul 2015 07:53:38 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mx2.yitter.info (Postfix) with ESMTP id 3B93410012 for <dnssd@ietf.org>; Mon, 20 Jul 2015 14:53:38 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at crankycanuck.ca
Received: from mx2.yitter.info ([127.0.0.1]) by localhost (mx2.yitter.info [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MiUQcY_vXlAp for <dnssd@ietf.org>; Mon, 20 Jul 2015 14:53:37 +0000 (UTC)
Received: from mx2.yitter.info (unknown [IPv6:2001:67c:370:176:fcf7:b436:4322:f7c2]) by mx2.yitter.info (Postfix) with ESMTPSA id 0BA2910370 for <dnssd@ietf.org>; Mon, 20 Jul 2015 14:53:35 +0000 (UTC)
Date: Mon, 20 Jul 2015 16:53:32 +0200
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnssd@ietf.org
Message-ID: <20150720145331.GB659@mx2.yitter.info>
References: <20150704212511.22803.60661.idtracker@ietfa.amsl.com> <20150705002321.GB48722@mx2.yitter.info> <559B2A77.9030606@gmail.com> <20150707024239.GC52436@mx2.yitter.info> <559C83C1.9070103@gmail.com> <20150708024330.GA55186@mx2.yitter.info> <559CD5D9.4030000@gmail.com> <20150708142002.GE58386@mx2.yitter.info> <55ACC048.9060606@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <55ACC048.9060606@gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnssd/_NDZIHv4vTZR3wqsrW32GVzfu6c>
Subject: Re: [dnssd] I-D Action: draft-ietf-dnssd-mdns-dns-interop-01.txt
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion of extensions to Bonjour \(mDNS and DNS-SD\) for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2015 14:53:41 -0000
On Mon, Jul 20, 2015 at 11:32:56AM +0200, Douglas Otis wrote: > A split horizon DNS configuration is often used by > enterprises Yes. > space as a valid security method to exclude external No. We know that split horizon systems leak stuff all over the place. There is no reason at all to suppose that names in a split horizon environment successfully keep any name secret. Split horizon is extremely popular snake oil. > queries. Such split horizon DNS might be used within local > environments as a method to overcome WiFi limitations. I don't know what this means. > There should be no expectation that a locally defined domain > conforms with IDNA2008 and does not deserve an out-of-hand > dismissal. There is no expectations that any domain conforms with IDNA2008. There is no protocol rule that DNS names are encoded in any way at all. What we know is that names near the root of the DNS have, as a matter of policy, a restriction on what they'll accept, and it conforms with IDNA. If your argument is that someone with a split horizon has made up for themselves some TLD (say, "corp"), and are sending queries toward that which sometimes leak, well, they're doing the stupidest possible thing you can do in the DNS, which is to make up a name that is not registered and try to use it in the DNS. If such names leak, well, too bad. That's what you get for making up a random name and using it on the global Internet. > This relates to Ambiguous Local Qualified Domain Name > (ALQDN) space (see RFC7368), such as .home as suggested by > the hybrid draft, or even a domain expressed using UTF-8 > label locally recognized (not encoded and without the 'xn--' > prefix) can represent locally defined domains that contain > sensitive information. As such, the profiles you are > attempting to construct might even consider bolstering such > exclusions as an element in any developed profile. No, because the profile that I'm attempting to describe the principles for will _by definition_ produce things that are suitable for the DNS. If what you're saying is that there might be stuff that by policy is just as unlikely to appear in the public DNS near the root as raw UTF-8, then I'm just as happy to refer to it. But excluding the ALQDN won't work, because the ALQDN only works if you can query it somewhere, and this profile is intended to restrict the number of things you can query. > > Again, the general statement made in section 4.3 third sentence: [&c.] I think I already agreed to how this could change, so I'm eliding this part. > Remove any indication that DNS-SD structures contained in a > locally defined domain are automatically assumed global. There is no such assumption. > It seems you misunderstood the objection to your statements > regarding absolute assertions of TLDs seen within a local > environment. What are "TLDs seen within a local environment"? If I do tcpdump on my box, I see lots of .com and .org. I presume that's not what you mean? > There are indeed separate global and local namespaces which Yes, but _we don't know_ in principle which place we're supposed to look something up. If we knew that, we wouldn't need any of this absurd stuff. > expected in .local TLD. A locally defined domain may not > always be .home You don't get to just make up TLDs and configure them locally. I should have thought that Verisign's site finder made this painfully obvious to people, though the experience with home, corp, and mail gives one pause. > When a domain is locally defined and locally accessible, why > not include encoding exceptions with a reasonable strategy > how such zones are ascertained? Because you have no idea whether a domain is "local", however that works, or not. > Our differences seem to relate to securing locally defined > TLDs such as Ambiguous Local Qualified Domain Name (ALQDN) > space referenced in RFC7368. Well, it's hinted at by 7368. It's not actually specified anywhere yet. > Placing such resources into locally defined and only locally > accessible domains There is no such thing as this beast. Best regards, A -- Andrew Sullivan ajs@anvilwalrusden.com
- Re: [dnssd] I-D Action: draft-ietf-dnssd-mdns-dns… Andrew Sullivan
- [dnssd] I-D Action: draft-ietf-dnssd-mdns-dns-int… internet-drafts
- Re: [dnssd] I-D Action: draft-ietf-dnssd-mdns-dns… Douglas Otis
- Re: [dnssd] I-D Action: draft-ietf-dnssd-mdns-dns… Andrew Sullivan
- Re: [dnssd] I-D Action: draft-ietf-dnssd-mdns-dns… Douglas Otis
- Re: [dnssd] I-D Action: draft-ietf-dnssd-mdns-dns… Andrew Sullivan
- Re: [dnssd] I-D Action: draft-ietf-dnssd-mdns-dns… Douglas Otis
- Re: [dnssd] I-D Action: draft-ietf-dnssd-mdns-dns… Andrew Sullivan
- Re: [dnssd] I-D Action: draft-ietf-dnssd-mdns-dns… Douglas Otis
- Re: [dnssd] I-D Action: draft-ietf-dnssd-mdns-dns… Andrew Sullivan
- Re: [dnssd] I-D Action: draft-ietf-dnssd-mdns-dns… Andrew Sullivan
- Re: [dnssd] I-D Action: draft-ietf-dnssd-mdns-dns… Douglas Otis
- Re: [dnssd] I-D Action: draft-ietf-dnssd-mdns-dns… Douglas Otis
- Re: [dnssd] I-D Action: draft-ietf-dnssd-mdns-dns… Andrew Sullivan
- Re: [dnssd] I-D Action: draft-ietf-dnssd-mdns-dns… Douglas Otis
- Re: [dnssd] I-D Action: draft-ietf-dnssd-mdns-dns… Tim Chown
- Re: [dnssd] I-D Action: draft-ietf-dnssd-mdns-dns… Douglas Otis