New gTLDs & ccTLDs March 1, 2010 APTLD @ APRICOT Kuala Lumpur
Prohibiting Redirection & Synthesized DNS Responses in Top Level Domains Mar 2010 Kuala Lumpur APTLD...
-
Upload
dominic-ball -
Category
Documents
-
view
214 -
download
1
Transcript of Prohibiting Redirection & Synthesized DNS Responses in Top Level Domains Mar 2010 Kuala Lumpur APTLD...
Prohibiting Redirection & Synthesized DNS Responses in
Top Level Domains
Mar 2010
Kuala Lumpur
APTLD Meeting
Redirection of DNS Responses @ TLDs• Issue
– Wildcarding of DNS records at TLDs– Provides “valid” address and routing even when
domain names do not exist
• Consequences– Breaks core DNS systems & legacy applications– Erodes trust relationships– Creates new opportunities for malicious attacks,
without ability of affected parties to mitigate problem
Reference Document: SAC041
2
SSAC Advice:
Clear & Significant danger to security & stability of the DNS
3
ICANN Board Resolution (June ‘09):
Take all available steps with appropriate entities to prohibit such use
Prohibit redirection/synthesis for all TLDs (gTLD & ccTLD, including IDN TLDs)
• Revise new gTLD Guidebook• Consult with ccTLD community/GAC for new
ccTLDs• Revise existing gTLD agreements• Add appropriate guidelines to existing ccTLD
arrangements
4
Reference Document: SAC041
Architectural Violation
• Redirection at the TLD level violates fundamental Internet engineering principles– DNS Protocol is neutral about what protocols to answer
– Redirection assumes HTTP protocol (web browsing)
• All future protocols dependent on DNS affected by redirection– Unacceptable invasion of protocol boundaries
• For example, HTTP could use DNS even though HTTP is a recent invention, due to clear layering
5
Most basic Internet tools break• Systems that test for “existence” of a host fail
• Spam filters stop working (all forged addresses now appear to be real)
• URL link checkers will fail (all links appear to be valid)
• Systems that believe a host name is valid break• Mail to a mis-typed address will not bounce anymore
• And, the mail is delivered to a different address, without any notification or choice by the e-mail sender
– Search engines won’t be able to function as normal
• And other software, applications, and equipment that depends upon the DNS “working” will break
6
Every Internet Application Is Affected
Requires Testing of Impact & Side-Effects on:– Every mail server, mail agent– Every instant message program and agent– Every VOIP server, proxy and user agent– Every parental control system– Every anti-virus system– Every license management system– Every software update system
i.e., Every Application On The Internet7
Data Privacy Laws May Be Violated
Misspelling of domain would cause redirection to a different zone instead of a failed connection
In cross-border situtations, this can cause violation of privacy
Wildcard operator may now become liable for privacy breaches under law
8
Negative impact on e-commerce
HTTPS requests get spurious resultshttps://www.does-not-exist.tld/
Server is provided critical information about security capabilities of client browser, cryptography, data compression etc. – now sent to an unknown source
Browser may call site invalid because IP address/domain name of SSL certificate does not match request
9
Negative impact on SMTP (EMail)
Negative impact on the clarity and promptness of error reports returned to sending users
– No one will know what happened to the message, and it may take some time before anyone notices that it has disappeared, if anyone notices at all
– The recipient party suddenly has access to a mail message that was in no way intended for them, which is quite harmful from an integrity perspective
Wastes resources at mail operators (handling millions of mails per day)– System resources are wasted on the sending mail server to keep track of the
message and its status, to issue repeated DNS queries, to make repeated attempts to deliver it, etc.
Impacts the ability of mail servers to reject mail from illegitimate mail addresses (Helps Spammers)
– Spam usually sent from non-existent mail domains; adding wildcards stops checks of non-existent domains – i.e., helps spammers
10
Negative Impact on DNS Resolver Search Lists
DNS Resolver Search List allows users to specify partial domain names, where resolver auto-completes domain name
Adopted widely in commercial software—search lists are implemented in all Microsoft and UNIX systems
User with a computer in the <local.tld> zone would have <local.tld> in their resolver’s search list
Allows users to type in http://internal to reach http://internal.local.tld
11
Impact on IDN TLDs
IDN TLD are deployed in <language>, but are represented on the DNS in ASCII
Wildcards for IDN TLD can cause unexpected behavior:– Localization of content breaks
• User may request a web page in <language A> and gets a different page in <language B>, with no control
12
Redirection in .KR Name
Total .kr Responses : 1.52 billion• – Normal .kr Queries : 1.45 billion (96.73%)• – .kr DNS Redirection : 2.5 million (0.17%)
Total .kr Redirection : 2.5 million• Hangul .kr Domain Name : 1.7 million (67%)
13
Solves IE6 Problem:- IE6 or earlier ver. users can use
Hangul .kr domain name without plug-ins
- Garbage traffic by using wild character(*) in .kr Zone, causes system overload
http://sel.icann.org/meetings/.../presentation-kr-dns-redirection-28oct09-en.pdf
QUESTIONS?
Reference document s (need to complete)
http://www.icann.org/committees/security/ssac-report-09jul04.pdf
http://www.iab.org/documents/docs/2003-09-20-dns-wildcards.html
http://www.icann.org/committees/security/sac041.pdf
http://sel.icann.org/meetings/.../presentation-kr-dns-redirection-28oct09-en.pdf
14