On 5 Feb. 2018 16:52, "Mark Andrews" <ma...@isc.org> wrote:
> On 5 Feb 2018, at 5:10 pm, Ted Lemon <mel...@fugue.com> wrote: > > On Feb 5, 2018, at 12:18 AM, Mark Andrews <ma...@isc.org> wrote: >> The original problem is that HTTP doesn’t specify that names learn across the >> wire, including from on disk html files, need to be treated as absolute names. >> This is HTTP’s mess due to allowing relative names in what is transmitted over >> the wire. This should be sent back to HTTP say FIX YOUR INSECURE PROTOCOL. > > That's totally orthogonal to the question we are considering. No it is not! The browser knows where the name came from. If HTTP treated ALL NAMES AS ABSOLUTE then href="http://localhost/"; would result in EXACTLY ONE possible lookup in the DNS, /etc/hosts, NIS(YP), LDAP etc. Similarly href=“http://some.partially.complete.name/“ won’t resolve to some.partially.complete.name.example.com when run by a employee of example.com. HTTP is a security nightmare because it is specified that those names may not be absolute. Fix that security hole and there is no need to touch this draft for the reason it was brought up. In fact it is specified that they may not be DNS names at all. However... RFC 3986, on which HTTP relies for the 'host' part of its URIs, says to use "http://localhost./"; for an absolute FQDN. So it's actually the users' problem. But catching it somewhere convenient seems a hell of a lot less problematic than trying to fix the users. And catching it in DNS seems a lot less problematic than rewriting RFC 3986 (or rewriting HTTP to not use that part of 3986). > It's also nonsense. How does HTTP, a protocol, know the source of an IP address that it's been given by the name resolution API? Does the API even give you a way to tell? What you mean is that the implementation should know the difference. This is what the document is doing. It's saying that the API should never look this name up in the DNS. SMTP all names are absolute. You call the name API’s with searching disabled. The implementation is broken is search is enabled. And if it's broken, it currently fails open. This proposal makes it fail closed. HTTP names may be relative. You don’t call the name API’s with searching disabled and you get a security mess as a result. STOP SEARCHING!!!! IT IS NOT NEEDED. It can be handy, though. "http://dev01/"; or "http://dev02/"; is much easier to type. >> The second bugtraq issue is also HTTP’s insecure security model that doesn’t >> take into account that addresses have scopes. Again that is for HTTP to fix. > > HTTP should certainly be smart about scopes, and I would argue that "machine scope" is not a scope in which connections should be assumed to be trustworthy, so indeed in a sense that you are right. > > But the reason for wanting the DNS to not return answers for localhost is that implementations may get this wrong, and if they do we want it to fail safe. So again, your premise is valid, but doesn't apply. Just fix the browsers. IT IS NOT THE DNS’S JOB TO FIX UP HTTP’S MESS and in doing so BREAK OTHER THINGS!!!!!!!!!!!! > As for search lists, I think it's reasonable to say that search lists, which are not part of the DNS protocol, should not be applied to the bare label 'localhost.' If the document said that DNS servers should treat FQDNs containing the label 'localhost' specially other than when it is the top-level label, that would be wrong. But it doesn't say that. It just specifies the handling of localhost with respect to searchlists, and what it says is correct and important. If I can supply you a search list and use that to trick you into connecting to a remote service rather than a local one, that's a significant attack surface. Search lists should not be applied to any name learnt over the wire. What about the name I type in the address bar? Cheers -- Matthew Kerwin
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
