Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-server-cookies

2020-10-26 Thread Benno Overeinder
Dear WG, The WGLC period for draft-ietf-dnsop-server-cookies has finished. There are editorial comments that the authors have already addressed. The chairs feel that the draft is ready to move forward. Thanks for the reviews, — Benno > On 12 Oct 2020, at 11:47, Willem Toorop wrote: > >

Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks

2020-10-26 Thread Jared Mauch
On Mon, Oct 26, 2020 at 04:39:10PM -0400, Ted Lemon wrote: > What actually hardens mDNS is that it’s a link-local protocol. > It doesn’t work across links. This limits the attack surface. Exactly. > But there’s no way to eliminate the attack surface. If I were in Ben’s > shoes, > I’d be

Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks

2020-10-26 Thread Toerless Eckert
On Mon, Oct 26, 2020 at 04:39:10PM -0400, Ted Lemon wrote: > On Oct 26, 2020, at 4:14 PM, Toerless Eckert wrote: > > And the question from the AD was what could be done. So, do you have any > > implementation suggestion? Are there any suggestions for mDNS? > > There are no simple mitigations. If

Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks

2020-10-26 Thread Ted Lemon
On Oct 26, 2020, at 4:14 PM, Toerless Eckert wrote: > And the question from the AD was what could be done. So, do you have any > implementation suggestion? Are there any suggestions for mDNS? There are no simple mitigations. If there were, they would already be in the protocol. > Btw: I do

Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks

2020-10-26 Thread Toerless Eckert
On Mon, Oct 26, 2020 at 04:09:41PM -0400, Ted Lemon wrote: > On Oct 26, 2020, at 4:05 PM, Jared Mauch wrote: > >> If the answer of the experts is "do not harden implementations of existing > >> protocols", > >> but only improve protocols or eliminate security risks from underlays, I > >> think >

Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks

2020-10-26 Thread Ted Lemon
On Oct 26, 2020, at 4:05 PM, Jared Mauch wrote: >> If the answer of the experts is "do not harden implementations of existing >> protocols", >> but only improve protocols or eliminate security risks from underlays, I >> think >> that is not a good strategy to show to implementors trying to

Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks

2020-10-26 Thread Jared Mauch
On Mon, Oct 26, 2020 at 06:42:21PM +0100, Toerless Eckert wrote: > Thanks, Jared > > Somehow everybody tries to escape answering the question asked by giving > their correct but orthogonal pet problem space answer. Ted correctly claims > the protocols suck security wise, and you correctly claim

Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks

2020-10-26 Thread Ted Lemon
On Oct 26, 2020, at 1:30 PM, Toerless Eckert wrote: >> If you're going to do that, you might as well just turn off mDNS entirely. > > How is this worse than NOT doing this heuristic? It’s likely exactly the same. My expectation would be that the port in the SRV record is literally never

Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks

2020-10-26 Thread Toerless Eckert
Thanks, Jared Somehow everybody tries to escape answering the question asked by giving their correct but orthogonal pet problem space answer. Ted correctly claims the protocols suck security wise, and you correctly claim that there are a lot more deployment considerations in face of risky

Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks

2020-10-26 Thread Toerless Eckert
On Mon, Oct 26, 2020 at 01:05:42PM -0400, Ted Lemon wrote: > On Oct 26, 2020, at 12:59 PM, Toerless Eckert wrote: > > The networks where I am worried are not home networks, > > but something like an office park network, where supposedly each > > tenant (company) should have gotten their disjoint

Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks

2020-10-26 Thread Jared Mauch
> On Oct 26, 2020, at 1:05 PM, Ted Lemon wrote: > > On Oct 26, 2020, at 12:59 PM, Toerless Eckert wrote: >> The networks where I am worried are not home networks, >> but something like an office park network, where supposedly each >> tenant (company) should have gotten their disjoint L2

Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks

2020-10-26 Thread Ted Lemon
On Oct 26, 2020, at 12:59 PM, Toerless Eckert wrote: > The networks where I am worried are not home networks, > but something like an office park network, where supposedly each > tenant (company) should have gotten their disjoint L2 domains, ... and then > they didn't. And one of the tenants has

Re: [DNSOP] DNSOP: question about hardening "something like mDNS" against attacks

2020-10-26 Thread Toerless Eckert
Thanks, Ted. I agree with your overall assessment, but the question was what an implementation should do in the face of a particular pre-existing condition: Aka: With mDNS or GRASP as they both stand today (me of course right now primarily interested in GRASP, but if implementation/operational

Re: [DNSOP] draft-ietf-dnsop-svcb-https: HTTPS RRtype versus STS

2020-10-26 Thread Vittorio Bertola
> On 26/10/2020 08:41 Ralf Weber wrote: > > I also think that any list hardcoded in browser/OS deployments is a bad > idea for a long term solution (that include auto upgrades of DoH servers > ;-) and it looks like STS has already shown that. DNS being a > distributed mechanism is

Re: [DNSOP] draft-ietf-dnsop-svcb-https: HTTPS RRtype versus STS

2020-10-26 Thread Ralf Weber
Hello! On 25 Oct 2020, at 21:21, Paul Hoffman wrote: See . Emily is a well-known developer on the security side of Chrome browser development. Upgrading the user to https is only one use