[dns-operations] Injection Attacks Reloaded: Tunnelling Malicious Payloads over DNS

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Aug 18 13:53:10 UTC 2021


> On 18 Aug 2021, at 2:27 am, Paul Vixie <paul at redbarn.org> wrote:
> 
> I urge you to reconsider your position. apps should be calling things like
> getnameinfo() and getaddrinfo(), and those should fail early and often if
> their expectations are not met. that's what shared libraries are for, and
> that's what a 64K codepoint space is for.

I already mentioned that I am supportive of validation in the
system libraries above the raw (qname, qtype) DNS lookup.  Thus
in particular getaddrinfo() and getnameinfo() or per my example,
new APIs that return validated TLSA records.  All such validation
should be *on host*, and not delegated to remote servers.

I believe it would be a mistake to enforce syntax in off-host
iterative resolvers (whether public, home or enterprise).  There's
no way to know what they've validated and bypass opportunities for
MiTM attacks.

-- 
	Viktor.
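As an added illustration of the on-host validation described in the message above (example code, not from the thread, the paper it discusses, or any system library): a hostname-syntax check applied to a resolver result before the application uses it, so the failure happens early in the local API rather than in a remote resolver. The names `validate_hostname` and `checked_ptr_result` are hypothetical, and the sample answers are constructed.

```python
import re

# RFC 952 / RFC 1123 "LDH" label: letters, digits and hyphens only,
# 1..63 octets, and neither starting nor ending with a hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_hostname(name: str) -> bool:
    """Return True only if `name` is syntactically a hostname.

    Meant to run on the host, over data the resolver handed back (for
    example a PTR target), before the application passes it anywhere.
    IDN A-labels ("xn--...") pass; raw non-ASCII U-labels do not.
    """
    if not name.isascii():          # control bytes pass this, the regex stops them
        return False
    stripped = name[:-1] if name.endswith(".") else name   # tolerate the root dot
    if not stripped or len(stripped) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in stripped.split("."))


def checked_ptr_result(raw_target: str) -> str:
    """What an application-facing lookup API would do instead of trusting the raw target.

    Raises ValueError so the caller fails early rather than using the bytes.
    """
    if not validate_hostname(raw_target):
        raise ValueError("resolver returned a non-hostname PTR target; refusing it")
    return raw_target.rstrip(".").lower()


# Constructed sample answers (not from any real zone), with the expected verdict.
SAMPLE_ANSWERS = {
    "mail.example.net.": True,       # ordinary name, fully qualified
    "web-01.example.org": True,      # hyphen inside a label is allowed
    "xn--bcher-kva.example": True,   # punycode A-label is plain LDH
    "-bad.example": False,           # label may not start with a hyphen
    "under_score.example": False,    # underscore is not LDH
    "two words.example": False,      # whitespace is not LDH
    "ctrl\x01char.example": False,   # control byte embedded in a "name"
    "a" * 64 + ".example": False,    # label longer than 63 octets
    "": False,
}
```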
