IETF Logo Mail Archive

Re: [dnsext] the same in old days, was making names the same NEED protocol changes?

Phillip Hallam-Baker <hallam@gmail.com> Mon, 28 February 2011 15:06 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 49ADE3A6C20; Mon, 28 Feb 2011 07:06:30 -0800 (PST)
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C745F3A6A06 for <dnsext@core3.amsl.com>; Mon, 28 Feb 2011 07:06:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.571
X-Spam-Level:
X-Spam-Status: No, score=-3.571 tagged_above=-999 required=5 tests=[AWL=0.028, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 98o8yNrc6EFe for <dnsext@core3.amsl.com>; Mon, 28 Feb 2011 07:06:26 -0800 (PST)
Received: from mail-bw0-f44.google.com (mail-bw0-f44.google.com [209.85.214.44]) by core3.amsl.com (Postfix) with ESMTP id 7A6603A6C20 for <dnsext@ietf.org>; Mon, 28 Feb 2011 07:06:26 -0800 (PST)
Received: by bwz13 with SMTP id 13so4338135bwz.31 for <dnsext@ietf.org>; Mon, 28 Feb 2011 07:07:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=Xt5yk3SemtBIm1vYAyR8lNCD9JyBYvFQxmbY+UPy1uE=; b=osl9iWXUmz9ujxyWDWyciQjUnZkhRIfplRVv1gZDiJtqVfHhpzuGZjPKza4ke6H4dK wmFlTOwiGZVbe5oBKzHN915oHqvCi8vUoPGk6C2JXEPzTnAtP9prdPze2bGmZOBURr5Y ZV5sjFAphNmucnhG3o7Yzsiu5/c16wRUzHBKg=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=r6ZX+3ah/ndGN8PV5yR3I8Y7u7zDY1B1z8P1SM/+EheYLVJT9mwGovCJkBWovQgbc6 MwpcMmoaY1ueePrl/sXvQtd6PR3XyaMQa1m5FVP2uf5lsPHJVRanZyGOdWFjzCFXQ4oh HHB71N2j0UkWoYF/jjL46gr5dMePOQty+uvc0=
MIME-Version: 1.0
Received: by 10.204.7.213 with SMTP id e21mr4837867bke.47.1298905646082; Mon, 28 Feb 2011 07:07:26 -0800 (PST)
Received: by 10.204.14.139 with HTTP; Mon, 28 Feb 2011 07:07:26 -0800 (PST)
In-Reply-To: <alpine.BSF.2.00.1102271457570.7355@joyce.lan>
References: <20110227182720.6537.qmail@joyce.lan> <552AB7D12FAB50296E795CF5@Ximines.local> <alpine.BSF.2.00.1102271336340.6604@joyce.lan> <AF3A2DE418832E7A91CD07A5@Ximines.local> <alpine.BSF.2.00.1102271457570.7355@joyce.lan>
Date: Mon, 28 Feb 2011 10:07:26 -0500
Message-ID: <AANLkTi=DLzBEQFLqAmPccbdt63LDSp1cRzShnYkuiDQB@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: "John R. Levine" <johnl@iecc.com>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] the same in old days, was making names the same NEED protocol changes?
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

John is completely right here and it really demonstrates the need to
have application level input into this discussion.


Modern application protocols bind to DNS names and NOT to IP
addresses. As far as we are concerned a DNS name is the only essential
part of the Internet architecture.

Applications do not and should not care about IP addresses. The few
protocols that do rely on IP addresses break on modern NAT-ed networks
as a result unless there is specific protocol level fixup.


So attempting to make two names resolve alike without change at either
the application client or the application server is a fools errand. It
is not going to work because that is simply not how the applications
see the world.

If someone wants a2.com to work in exactly the same way as a1.com,
then either the application client has to know to substitute a1 for a2
when it makes the request or the application server has to know to
redirect a2 to a1.


The security model of Web applications is complex and convoluted
enough as it is. We have had almost 20 years now of protocol
extensions being thrown in by people whose idea of a security
consideration is 'tell me why it might be bad, too late its deployed'.
And this proposal seems to be more of the same.

I know that there are some people who will have just written in their
response to the above something along the lines 'well thats their
issue' or 'well they should fix it'. And that is exactly the type of
thinking that got us into this problem. Security is real easy when you
decide the hard part is someone else's problem.


If we are going to change the security model we have to change the
application client or things are going to break.

If we decide we can change the application client, this whole problem
becomes pretty straightforward. Either adopt the 'did you mean'
pointer style approach or allow domains to nominate mappings of one
charset to another.


On Sun, Feb 27, 2011 at 3:00 PM, John R. Levine <johnl@iecc.com> wrote:
>> I think I'm being thick here. Doesn't the BNAME reference go the
>> wrong way to autoconfigure a server based on it in a manner where
>> there can be a security problem as a result?
>
> You're quite right.  SHADOW goes the right way, but requires a zone cut
> everywhere that there's aliases.
>
> I'm not seeing any particularly pretty ways to fix BNAME to tell which ones
> are approved.  It's not unlike the rDNS problem.
>
> Regards,
> John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for
> Dummies",
> Please consider the environment before reading this e-mail. http://jl.ly
> _______________________________________________
> dnsext mailing list
> dnsext@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext
>



-- 
Website: http://hallambaker.com/
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.23.0 | Report a Bug | By Email