Re: [dnssd] WG last call on draft-ietf-dnssd-mdns-dns-interop-01

Andrew Sullivan <ajs@anvilwalrusden.com> Sun, 19 July 2015 07:21 UTC

Date: Sun, 19 Jul 2015 09:21:13 +0200
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnssd@ietf.org
Message-ID: <20150719072113.GE18688@mx2.yitter.info>
References: <DA1638C9-346B-49A9-BA2D-8894785F43A0@cisco.com> <681D46F1-4DCA-442D-946D-AEE7D53C1F68@cisco.com> <BY2PR03MB412D01C2E26F5DAC3E84BF9A3870@BY2PR03MB412.namprd03.prod.outlook.com> <20150718202937.GC18337@mx2.yitter.info> <55AB2827.6080003@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <55AB2827.6080003@gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnssd/yffLt5-kqp3kQS5zNGwYFG9o4yk>
Subject: Re: [dnssd] WG last call on draft-ietf-dnssd-mdns-dns-interop-01

Hi,

On Sun, Jul 19, 2015 at 06:31:35AM +0200, Douglas Otis wrote:
> As noted in
> https://www.kb.cert.org/vuls/id/550620
> https://tools.ietf.org/html/draft-rafiee-dnssd-mdns-threatmodel-03#section-3.9.4.1
> https://tools.ietf.org/html/draft-rafiee-dnssd-mdns-threatmodel-03#section-3.9.5
> 
> There are specific and significant security concerns related
> to locally defined resources conveyed by mDNS.

I'm sorry, but I simply do not agree with your interpretation of those
reports and _anyway_ I don't see how those are related to the
question of how you make a lowest common denominator naming convention
across multiple resolution mechanisms.  You have repeated the claim
that these are relevant, but you have provided not one shred of
evidence for that claim, and you seem to be conflating mDNS and DNS-SD
in the way you talk about this matter.

> Interop
> details relating to profiles might benefit security by
> including a strategy to ascertain whether zones or labels
> may have been established using mDNS via a proxy into DNS.

Given the way the proxy document works, I don't believe that the risks
are the ones you seem to think.  Moreover, I think that would be a
security issue for the proxy document, not this one.
 
> This might include the detection of a non-compliant IDNA
> label or resources containing RFC1918 address space or
> addresses below a ULA prefix.

This document has absolutely nothing to say about the RDATA fields
returned in any resolution request, and I don't think that has
anything to do with what it is trying to address.

Best regards,

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com
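The quoted proposal above suggests detecting two things when mDNS-sourced data reaches global DNS: owner labels that are not valid IDNA hostname labels, and A/AAAA RDATA that lies in RFC 1918 space or under the IPv6 ULA prefix. The following Python is an added illustration of that check written for this archive page; it is not part of the thread, the draft, or any dnssd code. The record list is constructed sample data, and the tuple layout, function names and the decision to skip underscore-prefixed DNS-SD service labels are assumptions of this example.

```python
import ipaddress
import re

# Address ranges named in the thread: RFC 1918 private IPv4 space and the
# IPv6 Unique Local Address prefix (RFC 4193, fc00::/7). Listed explicitly
# rather than via ipaddress.is_private, which also covers loopback,
# link-local and other ranges the thread does not mention.
RFC1918_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
ULA_NET = ipaddress.ip_network("fc00::/7")

# Lowercase LDH label (letters, digits, hyphen), no leading or trailing
# hyphen, 1..63 octets: the hostname label shape global DNS expects.
LDH_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def is_local_scope_address(text):
    """True if text parses as an address in RFC 1918 space or under fc00::/7."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    if addr.version == 4:
        return any(addr in net for net in RFC1918_NETS)
    return addr in ULA_NET


def is_idna_compliant_label(label):
    """True if the label is, or converts to, a single LDH A-label.

    Uses the standard-library 'idna' codec (IDNA 2003 nameprep). Its ASCII
    fast path accepts spaces, so the LDH regex is applied to the result to
    catch labels such as 'My Printer' that mDNS permits but a DNS hostname
    label does not.
    """
    try:
        ascii_label = label.encode("idna").decode("ascii")
    except UnicodeError:
        return False
    return LDH_LABEL.match(ascii_label.lower()) is not None


def audit_records(records):
    """Flag owner names with non-compliant labels and A/AAAA RDATA in local scope.

    records: iterable of (owner_name, rtype, rdata) tuples (assumed layout).
    Returns a list of (owner_name, finding_kind, detail). Labels beginning
    with '_' (DNS-SD service labels such as _ipp._tcp) are skipped, since
    they use underscores by design and are not hostnames.
    """
    findings = []
    for owner, rtype, rdata in records:
        labels = owner.rstrip(".").split(".")
        bad = [l for l in labels if not l.startswith("_") and not is_idna_compliant_label(l)]
        if bad:
            findings.append((owner, "non-IDNA-label", bad))
        if rtype in ("A", "AAAA") and is_local_scope_address(rdata):
            findings.append((owner, "local-scope-address", rdata))
    return findings


# Constructed sample records (documentation ranges and made-up names).
SAMPLE_RECORDS = [
    ("printer.example.com.", "A", "203.0.113.7"),
    ("My Printer.example.com.", "A", "192.168.1.20"),
    ("münchen-nas.example.com.", "AAAA", "fd12:3456:789a::1"),
    ("_ipp._tcp.example.com.", "PTR", "printer._ipp._tcp.example.com."),
]

if __name__ == "__main__":
    for owner, kind, detail in audit_records(SAMPLE_RECORDS):
        print(f"{owner}\t{kind}\t{detail}")
```

Run as a script it lists three findings: the space-bearing label and the RFC 1918 address on the second record, and the ULA address on the third; the service-type PTR and the globally routable A record pass. A real proxy would apply this to the records it is about to publish rather than to a static list.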