On 3/11/2020 2:19 PM, Hollenbeck, Scott wrote:
(Sorry, this is a late response to a review request original sent to the dnsop
list on 11 February)
Section 3.4 (DNS for Cloud Resources) includes these sentences:
"Globally unique names do prevent any possibility of collision at the present or in
the future and they make DNSSEC trust manageable. It's not as if there is or even could
be some sort of shortage in available names that can be used, especially when subdomains
and the ability to delegate administrative boundaries are considered."
Could we make the last sentence stronger, perhaps with a statement like this
from the US CERT WPAD Name Collision Vulnerability alert dated May 23, 2016?
"Globally unique names do prevent any possibility of collision at the present or in
the future and they make DNSSEC trust manageable. Consider using a registered and fully
qualified domain name (FQDN) from global DNS as the root for enterprise and other
internal namespaces."
https://www.us-cert.gov/ncas/alerts/TA16-144A
The alert actually says "other internal namespace", but I think that's a typo.
Scott
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
Hi - I haven't read this document except for to scan it for context for
the above. What triggered me was the combination of "DNSSEC" and
"unique names".
Either of these may not be accurate statements. While DNS names can be
globally unique, the glyph representations that we depend upon can map
to multiple actual DNS names. See
https://en.wikipedia.org/wiki/IDN_homograph_attack
Please consider whether this is an issue here. It may not be, but if
not, probably worth a sentence in the security considerations section.
Later, Mike
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop