DNS Extensions (dnsext)

Niall O'Reilly | 1 Mar 2011 01:37

Picon

Re: I-D Action:draft-ietf-dnsext-aliasing-requirements-00.txt

On 27/02/11 20:08, Patrik Fältström wrote:
> There are a few things I think makes this discussion hard...and that
> is that the overall usability is a requirement in the usability,
> manageability etc while what we talk about is "only" what we do in
> DNS. What we should (and can) do in DNS must then match whatever
> application layer/protocol behaviour, which in turn depends on how
> the protocol works.

	Or, should we look at the use cases at a higher level,
	and identify which components, including (but not limited to)
	the DNS, need to be adjusted to achieve the desired result?

	In this case, the question becomes no longer one of matching
	the DNS to how the other components actually work, but to
	how they will work in the future to support a coherent, rather
	than a fragmented, "aliasing" concept.

	I'm pretty sure that solving "the aliasing problem", whatever
	it is, cannot be done by adjusting only the DNS.

> What I *think* could be interesting is one of these things as very
> high level issues to look at, that btw I think sort of is written in the
> draft, but using DNS terminology 

	I'm not sure quite what you're saying.

	Expressing higher-level issues in DNS terminology can either
	help us to visualize those issues, or blind us to the non-DNS
	aspects;  perhaps both of these effects occur at the same time.

(Continue reading)

Alex Bligh | 1 Mar 2011 10:28

Picon

Re: I-D Action:draft-ietf-dnsext-aliasing-requirements-00.txt

--On 1 March 2011 00:37:39 +0000 Niall O'Reilly <Niall.oReilly <at> ucd.ie> 
wrote:

> 	SMTP has MX; others have SRV; HTTP is an outlier in that it
> 	avoids this kind of assistance from the DNS.  It's a significant
> 	and pathological outlier because of the way HTTPS works.

I'd look at it another way:
* SMTP has email forwarding (rewrite envelope TO)
* HTTP has 301 Permanent redirect.
* SIP has 3xx REFER (from memory)

All these make traffic to one place go to another. However in each
case in the 'S' variant of the protocol, you need to provide a separate
certificate for the alias to the canonical name, which means you
can't automatically configure / synthesise the alias config in
the same way you can for the non-'S' variant. What MX / SRV
are allowing you to do for services that support them is hide
this with another level of indirection.

For that indirection to be applied to http (e.g. use SRV records) you'd
need a change at the client end (to use SRV records or whatever) but also
at the server end, so if a.example.com = b.example.com, and both have SRV
records to c.example.com, then server c must use the cert for a or b as
appropriate. In https that's hard as the cert is chosen before the GET line
comes through. As solving this latter problem is enough to solve the entire
issue for https, I am not sure the SRV record thing helps if it works like
a normal SRV record.

(Continue reading)

Stephane Bortzmeyer | 1 Mar 2011 10:49

Picon

Re: I-D Action:draft-ietf-dnsext-aliasing-requirements-00.txt

On Mon, Feb 28, 2011 at 12:40:55PM -0500,
 Dan Schlitt <schlitt <at> world.std.com> wrote 
 a message of 38 lines which said:

> Weren't we told that we weren't dealing with "words" even though
> some things might look like words. This means that we don't have to
> deal with things like the difference between american english and
> british english.

In that case, it has to be said explicitely in the I-D (with
explanations of why english/american is less important than
simplified/traditional chinese).

But I understand the current draft as saying "We will not decide if
the difference between color.example and colour.example is significant
or not. We will just provide a neutral mechanism to make them 'the
same', should someone - typically the registry - decides they are the
same."  Am I correct in this reading of the I-D?

_______________________________________________
dnsext mailing list
dnsext <at> ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

Niall O'Reilly | 1 Mar 2011 11:25

Picon

Re: I-D Action:draft-ietf-dnsext-aliasing-requirements-00.txt


On 1 Mar 2011, at 09:28, Alex Bligh wrote:

> For that indirection to be applied to http (e.g. use SRV records) you'd
> need a change at the client end (to use SRV records or whatever) but also
> at the server end, so if a.example.com = b.example.com, and both have SRV
> records to c.example.com, then server c must use the cert for a or b as
> appropriate.

	I'm thinking of a different way, which appears to avoid this problem.

	SRV maps a domain name (OK, a service,transport,name triple) to
	a (set of) host name(s).  If this mapping is provably legitimate
	(DNSSEC), then the browser need only verify that the cert matches
	the final host name.  Matching what I've chosen to call the
	'domain-part' of the http URL is no longer useful.  Used in this way,
	SRV gives us aggregation of certificates: one per target host rather
	than one per secure hosted web site.

	I may be missing something, but I think this needs only client-side
	code changes.  Service-side, certificate administration becomes
	different, but not code.

	ATB
	Niall

_______________________________________________
dnsext mailing list
dnsext <at> ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

(Continue reading)

Niall O'Reilly | 1 Mar 2011 11:27

Picon

Re: I-D Action:draft-ietf-dnsext-aliasing-requirements-00.txt


On 1 Mar 2011, at 10:25, Niall O'Reilly wrote:

> 	code changes.  Service-side, certificate administration becomes

	Doh! s/Service/Server/
	N

_______________________________________________
dnsext mailing list
dnsext <at> ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

Alex Bligh | 1 Mar 2011 12:28

Picon

Re: I-D Action:draft-ietf-dnsext-aliasing-requirements-00.txt

--On 1 March 2011 10:25:45 +0000 Niall O'Reilly <Niall.oReilly <at> ucd.ie> 
wrote:

> 	SRV maps a domain name (OK, a service,transport,name triple) to
> 	a (set of) host name(s).  If this mapping is provably legitimate
> 	(DNSSEC), then the browser need only verify that the cert matches
> 	the final host name.  Matching what I've chosen to call the
> 	'domain-part' of the http URL is no longer useful.  Used in this way,
> 	SRV gives us aggregation of certificates: one per target host rather
> 	than one per secure hosted web site.
>
> 	I may be missing something, but I think this needs only client-side
> 	code changes.  Service-side, certificate administration becomes
> 	different, but not code.

So if a.example.com = b.example.com, and both have a SRV record to
c.example.com, then the client does an SRV lookup on (say) b.example.com,
receives the SRV record, then does an HTTP GET request to c.example.com
and (crucially) the GET line is
  GET http://c.example.com/
not
  GET http://b.example.com/
I believe that needs to be the case because the server needs to always
send back the same HTTP cert (as the decision in what cert to use is
prior to the GET line).

I'm a bit confused as to what you propose appears in the URL bar. IE
does the user know he's been redirected? Do local links on the
page appear as links from b.example.com or a.example.com?

(Continue reading)

Niall O'Reilly | 1 Mar 2011 13:36

Picon

Re: I-D Action:draft-ietf-dnsext-aliasing-requirements-00.txt

	I'm inclined to tease this out off-list, and spare the others
	the blow-by-blow.

On 1 Mar 2011, at 11:28, Alex Bligh wrote:

> So if a.example.com = b.example.com, and both have a SRV record to
> c.example.com, then the client does an SRV lookup on (say) b.example.com,
> receives the SRV record, then does an HTTP GET request to c.example.com
> and (crucially) the GET line is [...]
_______________________________________________
dnsext mailing list
dnsext <at> ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

Phillip Hallam-Baker | 1 Mar 2011 17:08

Picon

Re: I-D Action:draft-ietf-dnsext-aliasing-requirements-00.txt

2011/2/27 Patrik Fältström <paf <at> cisco.com>:

> 2. Support of more application layer aliases
>
> 2.1. In HTTP and a few other protocols, we have the ability to do a redirect inside the application layer
protocol itself. We do not have that in all protocols. In other we have things like the MX records. Do we with
IDN etc need more of these, and do we need a mechanism in DNS that "help" such redirect in a "lower" layer in
the resolution algorithm?
>
> 2.2. When using HTTP HOST header, and SSL where the DN of the cert is matched with the domain name used, it is
kind of problematic to match the application layer with what originally was entered by the user. Is there
some need for DNS layer aliases that changes what later is matched in the application layer comparisons?

I would say not.

The legacy HTTP protocol requires that the name presented in the Host
header be the name that is present in the URL. There is no provision
for rewriting as far as I am aware.

Let us imagine we want a mapping a.com = b.com and the name a.com is
presented. There are two design choices:

1) The client performs the rewrite.

The best way to achieve this in my view would be to present a Host
header for b.com and add in a new header to tell the server that the
original origin was a.com

This is compatible with legacy servers but not legacy clients.

(Continue reading)

Tony Finch | 3 Mar 2011 12:18

Picon

Re: I-D Action:draft-ietf-dnsext-aliasing-requirements-00.txt

On Tue, 1 Mar 2011, Alex Bligh wrote:
>
> However in each case in the 'S' variant of the protocol, you need to
> provide a separate certificate for the alias to the canonical name,
> which means you can't automatically configure / synthesise the alias
> config in the same way you can for the non-'S' variant. What MX / SRV
> are allowing you to do for services that support them is hide this with
> another level of indirection.

The situation with TLS and SMTP is a mess. Inter-domain SMTP with TLS does
not work with certificate validation. There is no specification for how to
validate the TLS certificate for an MX server, and it is not obvious what
such a specification should say. In practice the vast majority of deployed
MX TLS certificates cannot be validated, neither against the MX owner name
nor against the MX target.

http://www.imc.org/ietf-smtp/mail-archive/msg05366.html

Message submission (RFC 4409) doesn't use MX records and works well with
certificate validation, just like POP and IMAP. Note that these three
protocols use the DNS in the same way as HTTP (and FTP, and telnet, and
ssh, etc.) so I don't think HTTP is an outlier as Niall said - it's just
old school.

> In https that's hard as the cert is chosen before the GET line comes
> through.

This is what TLS server name indication is for.

Tony.

(Continue reading)

Mark Andrews | 3 Mar 2011 12:41

Re: I-D Action:draft-ietf-dnsext-aliasing-requirements-00.txt


In message <alpine.LSU.2.00.1103031107460.14985 <at> hermes-1.csi.cam.ac.uk>, Tony F
inch writes:
> On Tue, 1 Mar 2011, Alex Bligh wrote:
> >
> > However in each case in the 'S' variant of the protocol, you need to
> > provide a separate certificate for the alias to the canonical name,
> > which means you can't automatically configure / synthesise the alias
> > config in the same way you can for the non-'S' variant. What MX / SRV
> > are allowing you to do for services that support them is hide this with
> > another level of indirection.
> 
> The situation with TLS and SMTP is a mess. Inter-domain SMTP with TLS does
> not work with certificate validation. There is no specification for how to
> validate the TLS certificate for an MX server, and it is not obvious what
> such a specification should say. In practice the vast majority of deployed
> MX TLS certificates cannot be validated, neither against the MX owner name
> nor against the MX target.

If you read RFC 821 the HELO response should be used to check that
you are talking to the machine you are expecting to.

   3.5.  OPENING AND CLOSING

      At the time the transmission channel is opened there is an
      exchange to ensure that the hosts are communicating with the hosts
      they think they are.

      The following two commands are used in transmission channel
      opening and closing:

(Continue reading)

Group

gmane.ietf.dnsext.

Advertisement

Search Archive

Page

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 34

Articles in period: 331

March 2011

Language

Change language

Options

Current view: Threads only / Showing only 20 lines / Not hiding cited text.
Change to All messages, whole messages, or hide cited text.

Post a message
NNTP Newsgroup
Classic Gmane web interface
XML

XML

RSS Feed
List Information

About Gmane

Recent entries

Protocol Action: 'Signaling Cryptographic Algorithm Understanding in D (17 May 2013)
Updates to draft-ietf-dnsext-dnssec-algo-signal draft as a result of I (11 May 2013)
SPF, a cautionary tale (8 May 2013)
SPF, a cautionary tale (6 May 2013)
SPF, a cautionary tale (6 May 2013)
SPF, a cautionary tale (5 May 2013)
SPF, a cautionary tale (5 May 2013)
SPF, a cautionary tale (5 May 2013)
SPF, a cautionary tale (4 May 2013)
loads of TXT records for fun and profit (3 May 2013)
Effects on DNS can be severe (3 May 2013)
Code generator for DNS RR parsing/emitting (3 May 2013)
[spfbis] Obsoleting SPF RRTYPE (28 Apr 2013)
Biggest Fake Conference in Computer Science (27 Apr 2013)
[spfbis] Obsoleting SPF RRTYPE (26 Apr 2013)
[spfbis] Obsoleting SPF RRTYPE (26 Apr 2013)
getting people to use new RRTYPEs (25 Apr 2013)
Draft for OID (25 Apr 2013)
[Editorial Errata Reported] RFC6891 (3604) (24 Apr 2013)
Obsoleting SPF RRTYPE (24 Apr 2013)
Fwd: New Version Notification - draft-jabley-dnsext-eui48-eui64-rrtype (23 Apr 2013)

Archives

55	May 2013
197	April 2013
42	March 2013
29	February 2013
10	January 2013
46	December 2012
9	November 2012
90	October 2012
31	September 2012
30	August 2012
65	July 2012
62	June 2012
22	May 2012
65	April 2012
137	March 2012
97	February 2012
120	January 2012
69	December 2011
41	November 2011
192	October 2011
72	September 2011
131	August 2011
51	July 2011
122	June 2011
85	May 2011
58	April 2011
331	March 2011
324	February 2011
210	January 2011
167	December 2010
74	November 2010
138	October 2010
206	September 2010
417	August 2010
171	July 2010
297	June 2010
275	May 2010
420	April 2010
288	March 2010
341	February 2010
199	January 2010
231	December 2009
116	November 2009
177	October 2009
277	September 2009
528	August 2009
343	July 2009
518	June 2009
344	May 2009
246	April 2009
143	March 2009
139	February 2009
135	January 2009
120	December 2008
158	November 2008
239	October 2008
272	September 2008
441	August 2008
297	July 2008
189	June 2008
32	May 2008
45	April 2008
203	March 2008
224	February 2008
208	January 2008
49	December 2007
119	November 2007
77	October 2007
44	September 2007
64	August 2007
49	July 2007
66	June 2007
33	May 2007
28	April 2007
111	March 2007
49	February 2007
96	January 2007
133	December 2006
86	November 2006
139	October 2006
54	September 2006
196	August 2006
144	July 2006
179	June 2006
99	May 2006
126	April 2006
254	March 2006
161	February 2006
76	January 2006
134	December 2005
268	November 2005
207	October 2005
135	September 2005
87	August 2005
71	July 2005
189	June 2005
67	May 2005
92	April 2005
271	March 2005
134	February 2005
281	January 2005
74	December 2004
134	November 2004
164	October 2004
239	September 2004
225	August 2004
142	July 2004
460	June 2004
391	May 2004
16	April 2004
107	March 2004
129	February 2004
121	January 2004
142	December 2003
145	November 2003
199	October 2003
209	September 2003
141	August 2003
109	July 2003
231	June 2003
195	May 2003
205	April 2003
255	March 2003
426	February 2003
70	January 2003
189	December 2002
267	November 2002
91	October 2002
211	September 2002
254	August 2002
308	July 2002
254	June 2002
41	May 2002
181	April 2002

Design

Zawodny | Right Menu | Left Menu

Your Own Design

Paste the URL of your CSS below. Download CSS template