Re: [dnssd] draft-ietf-dnssd-mdns-dns-interop and draft-otis-dnssd-scalable-dns-sd-threats
Andrew Sullivan <ajs@anvilwalrusden.com> Wed, 04 November 2015 22:37 UTC
Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E940E1B34E1 for <dnssd@ietfa.amsl.com>; Wed, 4 Nov 2015 14:37:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tHOXukUWuBTK for <dnssd@ietfa.amsl.com>; Wed, 4 Nov 2015 14:37:25 -0800 (PST)
Received: from mx2.yitter.info (mx2.yitter.info [50.116.54.116]) by ietfa.amsl.com (Postfix) with ESMTP id 5A2A61B34DA for <dnssd@ietf.org>; Wed, 4 Nov 2015 14:37:25 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mx2.yitter.info (Postfix) with ESMTP id 1283110685 for <dnssd@ietf.org>; Wed, 4 Nov 2015 22:37:24 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at crankycanuck.ca
Received: from mx2.yitter.info ([127.0.0.1]) by localhost (mx2.yitter.info [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dnh2y1ulal12 for <dnssd@ietf.org>; Wed, 4 Nov 2015 22:37:21 +0000 (UTC)
Received: from mx2.yitter.info (dhcp-28-138.meeting.ietf94.jp [133.93.28.138]) by mx2.yitter.info (Postfix) with ESMTPSA id F29B810647 for <dnssd@ietf.org>; Wed, 4 Nov 2015 22:37:20 +0000 (UTC)
Date: Wed, 04 Nov 2015 17:37:18 -0500
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnssd@ietf.org
Message-ID: <20151104223718.GA3933@mx2.yitter.info>
References: <20151102040738.1146.98238.idtracker@ietfa.amsl.com> <20151102054146.GC876@mx2.yitter.info> <5637E62E.2050105@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <5637E62E.2050105@gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnssd/wRpetrNOJmQOY1dc78H0vZgn7V8>
Subject: Re: [dnssd] draft-ietf-dnssd-mdns-dns-interop and draft-otis-dnssd-scalable-dns-sd-threats
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion of extensions to Bonjour \(mDNS and DNS-SD\) for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Nov 2015 22:37:28 -0000
Hi Doug, I continue to think that you and I are divided here by a common language. I do also think that split-brain DNS is, when also mixing namespaces, dangerous (and yes, the "spinning knives" remark was intended to lighten a discussion that can otherwise get heated). But it sounds like we need to sit down at some point and see whether I can better understand how you want this draft to change. It'll be very difficult this week, though if you want to talk during bits & bytes this evening I'll be around. Alternatively, maybe we need to plan to talk once everyone has made it back home. We can try to co-ordinate off-list? Best regards, A On Tue, Nov 03, 2015 at 07:39:42AM +0900, Douglas Otis wrote: > > Dear Andrew, > > Your revised version would have been helpful. My > understanding of what you wish avoided in the threat review, > humorously referred to as advice on juggling spinning > knives, differs from WG agreements reached at the last meeting. > > This covers exceptions made by domain owners who are not > prohibited nor assured produce negative answers. Such > exceptions clearly demarcated with the use of DNS-SD > conventions permit more liberal repertoires to convey > locally defined network space under current protocol > conventions which may be published globally. Most of these > conventions have or are now undergoing last call. > > There was no mention of a parallel A-label namespace to be > created, nor expectations of negative answers becoming the norm. > > You assert DNS-SD conventions will result in a significant > increase in DNS lookup traffic of no value. Further you > assert that since adoption of RFC6763, increased use of IDNA > makes the situation worse. As such, your view is to rule > out considerations regarding this namespace. > > The <Domain> Portion of the Service Instance Name includes > what the DNS-SD Scalable Threats document describes as-- > > <Instance>._<sn>._<Proto>.<SrvDOM>.<ParentDOM>. > > <SrvDOM> is described in RFC6763 as <servicedomain> which > encourages use of a more liberal repertoire. At the last > meeting, it seemed agreement had been reached regarding > exceptions for the <SrvDOM> portion of the namespace. > > The modicum of advice was to use '_' in place of punctuation > or spaces to reduce errors in administrative review or those > caused by code expecting neither space or punctuation. This > advice can be removed if the WG considers it not warranted. > After all, since RFC6763 was written, applications have > become far better at handling UTF-8. The domain owner will > be impacted by any additional queries caused by erroneous > handling of DNS-SD resources and can assess the value of > allowing more liberal repertoires. > > RFC6763 states in section > 7.2. Service Name Length Limits > ,-- > Typically, DNS-SD service records are placed into subdomains > of their own beneath a company's existing domain name. > Since these subdomains are intended to be accessed through > graphical user interfaces, not typed on a command line, they > are frequently long and descriptive. Including the length > byte, the user-visible service domain may be up > to 64 bytes. > '-- > > RFC6763 further states in section > 4.1.3. Domain Names > ,-- > Because Service Instance Names are not host names, they are > not constrained by the usual rules for host names [RFC1033] > [RFC1034] [RFC1035], and rich-text service subdomains are > allowed and encouraged, for example: > > Building 2, 1st Floor . example . com . > ... > > In cases where the DNS server returns a negative response > for the name in question, client software MAY choose to > retry the query using the "Punycode" algorithm [RFC3492] to > convert the UTF-8 name to an IDNA "A-label" [RFC5890], > beginning with the top-level label, then issuing the query > repeatedly, with successively more labels translated to IDNA > A-labels each time, and giving up if it has converted all > labels to IDNA A-labels and the query still fails. > '-- > > The interop draft overlooks existing conventions surrounding > DNS-SD and offers far less guidance than that given in the > threat review. If your assertions are correct about the > risk, much more needs to be said and not less. > > Regards, > Douglas Otis > > _______________________________________________ > dnssd mailing list > dnssd@ietf.org > https://www.ietf.org/mailman/listinfo/dnssd -- Andrew Sullivan ajs@anvilwalrusden.com
- [dnssd] I-D Action: draft-ietf-dnssd-mdns-dns-int… internet-drafts
- Re: [dnssd] I-D Action: draft-ietf-dnssd-mdns-dns… Andrew Sullivan
- [dnssd] draft-ietf-dnssd-mdns-dns-interop and dra… Douglas Otis
- Re: [dnssd] draft-ietf-dnssd-mdns-dns-interop and… Andrew Sullivan