Hello, I reviewed this draft. To be clear, I am not an expert in Unicode or internationalized character sets. My comments are as follows:

- I think there is an attack on the interoperation of mDNS and unicast DNS, and I think it is applicable to this draft, while in the Security Considerations no mitigation mechanism is mentioned. Mixing mDNS and unicast DNS names in a poor implementation might allow an attacker to respond to a unicast DNS query sent by a client for the purpose of resolving a global domain name. If the mDNS requests are prioritized, there is a possibility that the client accepts the mDNS response and prioritizes it over unicast DNS names. Therefore, the attacker has a chance to offer a fake response. The risk of this attack is higher when the internationalized character set is allowed in the unicast DNS server. The possible mitigation is authentication of a service as well as of the unicast DNS.

  Now the question is whether it is also possible to cheat the recursive resolver with mDNS responses while looking up a domain. If the priority for looking up names is first unicast DNS and then mDNS, then in this case there might be a lot of traffic to unicast DNS servers, and if it is the other way round, then there might be the possibility of the attack mentioned above. Mitigation: authentication of the recursive resolver.

- Section 3:
  <snip> U-labels cannot contain upper case letters </snip>
  For some languages, an upper case letter does not make a difference, especially for some letters, and particularly in languages where a word is the result of attaching the characters together. I think this is especially true for non-European languages; two examples are Persian and Arabic. Therefore, one cannot differentiate between mDNS service names and DNS names only by considering that DNS cannot use uppercase U-labels.

- Section 4.2: It is not a requirement of DNS-SD to use the underscore character; as far as I can see, it is only a recommendation. Please see https://tools.ietf.org/html/rfc6763#section-7. Therefore, the attacker can use domain names similar to unicast DNS names for its fake service, which might result in confusion of the recursive DNS servers.

Thanks,
Best,
Hosnieh

> -----Original Message-----
> From: dnssd [mailto:dnssd-boun...@ietf.org] On Behalf Of Ralph Droms (rdroms)
> Sent: Tuesday, July 21, 2015 10:06 AM
> To: dnsop@ietf.org
> Subject: [dnssd] Requesting review of draft-ietf-dnssd-mdns-dns-interop-01
>
> Hi - The dnssd chairs would like to get some reviews of draft-ietf-dnssd-mdns-dns-interop-01, "On Interoperation of Labels Between mDNS and DNS," from dnsop participants. draft-ietf-dnssd-mdns-dns-interop-01 is currently in dnssd WG last call and last call comments will be discussed in the dnssd WG meeting this week.
>
> Please post your feedback to dnsop or send to Tim and myself.
>
> - Ralph
>
> Bcc: dn...@ietf.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
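The two technical points raised in the review above (an mDNS answer being accepted for a name that should only be resolved over unicast DNS, and the "no uppercase letters" heuristic saying nothing about Arabic or Persian labels) can be illustrated with a small resolver-policy check. The following is an added example written for this page; it is not code from the reviewer, from the draft, or from any DNS-SD implementation. The function names, the ".local means mDNS, everything else means unicast" policy, and the sample answers are all constructed for illustration.

```python
import unicodedata

# Constructed sample of (queried name, answer source, answer address).
# The second entry models the case the review describes: an mDNS
# responder answering a query for a global (non-.local) name.
SAMPLE_ANSWERS = [
    ("printer.local", "mdns", "192.0.2.10"),
    ("www.example.com", "mdns", "192.0.2.99"),
    ("www.example.com", "unicast", "198.51.100.5"),
    ("مثال.example", "mdns", "192.0.2.77"),
]


def labels_of(name: str) -> list:
    """Split a domain name into its labels, ignoring a trailing dot."""
    return [label for label in name.rstrip(".").split(".") if label]


def is_local_name(name: str) -> bool:
    """True if the name lives under the .local domain that mDNS serves."""
    labels = labels_of(name)
    return bool(labels) and labels[-1].lower() == "local"


def choose_resolver(name: str) -> str:
    """Defensive policy (assumed here): only .local names are ever sent to
    mDNS; every other name is resolved exclusively over unicast DNS, so a
    single name is never looked up in both namespaces."""
    return "mdns" if is_local_name(name) else "unicast"


def accepted_answers(answers: list) -> list:
    """Keep only answers that came from the resolver the policy selected for
    that name. An mDNS answer for a global name is dropped, which removes
    the 'mDNS response wins over unicast DNS' window the review describes."""
    return [a for a in answers if a[1] == choose_resolver(a[0])]


def label_has_case_distinction(label: str) -> bool:
    """True if case mapping changes the label at all. Latin labels do change;
    Arabic and Persian labels do not, because their scripts have no case, so
    'contains uppercase' cannot separate mDNS labels from DNS labels."""
    return label.upper() != label or label.lower() != label


def contains_uppercase(label: str) -> bool:
    """The literal check implied by 'U-labels cannot contain upper case letters'."""
    return any(unicodedata.category(ch) == "Lu" for ch in label)


if __name__ == "__main__":
    for name, source, addr in accepted_answers(SAMPLE_ANSWERS):
        print(f"accepted {name} from {source}: {addr}")
    for label in ("Printer", "مثال", "نمونه"):
        print(label, "case-distinct:", label_has_case_distinction(label),
              "has uppercase:", contains_uppercase(label))
```

Run as a script it prints the two accepted answers (the .local name from mDNS and the global name from unicast DNS) and shows that the Arabic and Persian labels are reported as neither case-distinct nor containing uppercase, exactly the situation the review points out.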