IETF Logo Mail Archive

Re: Last Call: 'Linklocal Multicast Name Resolution (LLMNR)' to Proposed Standard

Peter Dambier <peter@peter-dambier.de> Tue, 30 August 2005 14:09 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EA6nQ-0007mm-Qb; Tue, 30 Aug 2005 10:09:04 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EA6nO-0007mb-Jy for ietf@megatron.ietf.org; Tue, 30 Aug 2005 10:09:02 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA14408 for <ietf@ietf.org>; Tue, 30 Aug 2005 10:09:00 -0400 (EDT)
Received: from mail.gmx.de ([213.165.64.20] helo=mail.gmx.net) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1EA6ot-0002FT-OP for ietf@ietf.org; Tue, 30 Aug 2005 10:10:39 -0400
Received: (qmail invoked by alias); 30 Aug 2005 14:08:43 -0000
Received: from p54A7BC9A.dip.t-dialin.net (EHLO peter-dambier.de) [84.167.188.154] by mail.gmx.net (mp019) with SMTP; 30 Aug 2005 16:08:43 +0200
X-Authenticated: #8956597
Message-ID: <4314686B.1090207@peter-dambier.de>
Date: Tue, 30 Aug 2005 16:08:43 +0200
From: Peter Dambier <peter@peter-dambier.de>
Organization: Public-Root
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.2) Gecko/20040921
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: ietf@ietf.org
References: <200508260153.j7Q1rBPj000783@relay4.apple.com> <20050826072055.GA15833@nic.fr> <87ll2pkquy.fsf@windlord.stanford.edu> <430EFCFF.1010203@zurich.ibm.com> <17167.14936.141345.6653@chiark.greenend.org.uk> <43130559.5090503@zurich.ibm.com> <17172.13829.578376.489917@chiark.greenend.org.uk>
In-Reply-To: <17172.13829.578376.489917@chiark.greenend.org.uk>
X-Enigmail-Version: 0.76.8.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 5011df3e2a27abcc044eaa15befcaa87
Content-Transfer-Encoding: 7bit
Subject: Re: Last Call: 'Linklocal Multicast Name Resolution (LLMNR)' to Proposed Standard
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: peter@peter-dambier.de
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org

Ian Jackson wrote:
> Brian E Carpenter writes ("Re: Last Call: 'Linklocal Multicast Name Resolution (LLMNR)' to	Proposed  Standard"):
> 
>>Ian Jackson wrote:
>>
>>>Sorry to be pejorative, but as a DNS implementor[1] I'm amazed to find
>>>senior IETF/IESG people seriously contemplating the kind of namespace
>>>confusion which is fundamental in the LLMNR protocol design.
>>
>>Can you spell that out please? Since it uses a different port number,
>>where does the confusion occur?

The confusion occurs on the root servers.

I dont really know if it was some LLMNR enabled windows machine, but
they definitely asked DNS first and on port 53. If we supply a dummy
zone like we do for localhost then those boxes do break.

> What does the port number have to do with it ?  That's an
> implementation detail (from the point of view of this complaint; many
> other complaints might well be about these kind of details).
> 
> The LLMNR model supposes that when an application asks for data of a
> certain type associated with a certain name (ie, when the application
> thinks it's asking for a DNS query) answers may come from either the
> real DNS system or, even if the real DNS is authoritative for the
> relevant name but denies that it exists, from LLMNR.

You name it: The implementation asks DNS for garbadge.local and if we
say 127.0.0.1 then windows breaks.

If we dont supply the krutch then 25% of our root server traffic is
for .local because they repeat their question again and again on all
13 if the root servers.

> See draft-ietf-dnsext-mdns-42 s2 bullet point [2].
> 
> It is not true that separating LLMNR out on a different port, and
> introducing other incompatibilities, prevents confusion between LLMNR
> and the real DNS.  Applications will still see a bizarre mix of real
> and LLMNR data.
> 
> On the other hand, mDNS has a much better scheme: the mDNS
> specification defines the tree under `.local' for mDNS use.  Names in
> .local are looked up with mDNS and names elsewhere via the real DNS.
> This means that applications always either see the data intended for
> them, or (transient) failure if the relevant mechanism isn't
> available.
> 
> Stuart Cheshire makes IMO a very cogent argument in
> <200508251931.j7PJV7aR006028@relay4.apple.com>, where he says:
> ] What's weird about LLMNR is that it blurs what's global and what's local.
> ] With LLMNR you can call your television "tv.ietf.org" if you want, and as
> ] long as the IETF's name server returns NXDOMAIN (which it does today)
> ] then a LLMNR-compliant host will fail over to local multicast and resolve
> ] that name to your television's address. This sends a very strange message
> ] to end users -- it suggests they can use any name they want in any domain
> ] they want without having to communicate with any registry. It also means
> ] that every failed DNS query will result in a LLMNR multicast on the local
> ] network, and (worse) every intentional LLMNR query needs to be preceded
> ] by a failed DNS query to some unsuspecting DNS server somewhere.
> ] 
> ] mDNS says that "local" is a free-for-all playground where anyone can use
> ] any name and no one has any more right to a particular name than anyone
> ] else. LLMNR didn't want to do that, but what they've effectively ended up
> ] doing instead is saying that the root of the DNS namespace (and
> ] everything below it) is a free-for-all playground where anyone can use
> ] any name they want.
> 
> In addition, mDNS's limitation to `.local' means that deliberate
> additional incompatibilities to avoid cache pollution in the real DNS
> is not necessary; since mDNS is only used for names in `.local',
> normal precuations against unsolicited DNS replies will prevent the
> main DNS namespace being polluted with mDNS data.
> 
> If we are to so strongly fear pollution, mDNS's wide deployment ought
> to provide some evidence for this from operational experience !  Where
> is that evidence ?

mDNS is mostly free of bugs. The dont ask DNS for garbage.local . That is
why we dont see them.


Regards,
Peter Dambier

-- 
Peter and Karin Dambier
Public-Root
Graeffstrasse 14
D-64646 Heppenheim
+49-6252-671788 (Telekom)
+49-179-108-3978 (O2 Genion)
+49-6252-750308 (VoIP: sipgate.de)
+1-360-448-1275 (VoIP: freeworldialup.com)
mail: peter@peter-dambier.de
http://iason.site.voila.fr
http://www.kokoom.com/iason


_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

v2.23.0 | Report a Bug | By Email