Re: [Last-Call] Secdir last call review of draft-ietf-add-svcb-dns-06

Hi Joe,

On Fri, Jul 8, 2022 at 8:05 PM Joseph Salowey via Datatracker <noreply@xxxxxxxx> wrote:
- Section 8.1.2 - good description of this problem, it seems like some of this
should have been discussed in the doh document, but I couldn't find any.  If
there are relevant considerations in the doh document then you should reference
them here.

This topic is not addressed in RFC 8484 because that standard assumes that the URI template is configured from a single source, so all its components are equally authentic.  The strange thing here is that the hostname comes via a (unspecified) trusted channel, but the port and path do not.

It seems that the recommendation "To mitigate redirection attacks,
a client of this SVCB mapping MUST NOT identify or authenticate itself when
performing DNS queries, except to servers that it specifically knows are not
vulnerable to such attacks." would be difficult to implement since it's not
clear how the client gets this information and really should be a consideration
for the server implementations/deployments that require authentication.

How about "... except under private arrangement with a server operator who has made sure that there are no such vulnerable services on $HOSTNAME"?

I'm not really sure what to do about this except as a consideration for a revision
of DoH.

I don't think RFC 8484 has a problem of this kind, because an adversary cannot alter any portion of the URI template (unless it controls the whole template).  (There is still the ALPACA attack, but that is not specific to DoH.)


-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
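The mixed-trust situation discussed above (hostname from a trusted channel, port and dohpath from the SVCB record) can be made concrete in client code. The following is an added illustration written for this archive page, not code from the draft or from either correspondent; the hostnames, the allowlist standing in for the "private arrangement" with a server operator, and the credential value are all constructed.

```python
import base64

# Constructed allowlist: hosts whose operator has confirmed that no other
# service on that name could receive a redirected, authenticated DoH query.
# This stands in for the private arrangement mentioned in the reply above.
TRUSTED_FOR_AUTH = {"dns.example.net"}  # hypothetical name


def build_doh_template(trusted_host, port, dohpath):
    """Combine the hostname from the trusted channel with the port and
    dohpath from the SVCB record, which an attacker able to spoof that
    record could have substituted. The template is validated but the
    hostname is never taken from the record."""
    if not dohpath.startswith("/") or "{?dns}" not in dohpath:
        raise ValueError("dohpath must be a relative URI template with {?dns}")
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    authority = trusted_host if port == 443 else f"{trusted_host}:{port}"
    return f"https://{authority}{dohpath}"


def expand_template(template, dns_query):
    """Expand {?dns} with the unpadded base64url wire-format query (GET form)."""
    enc = base64.urlsafe_b64encode(dns_query).rstrip(b"=").decode()
    return template.replace("{?dns}", f"?dns={enc}")


def plan_query(trusted_host, port, dohpath, dns_query, client_credential=None):
    """Return (url, headers). The credential is attached only when the host
    is on the operator allowlist; for every other host the query is sent
    anonymously, so a redirected port or path cannot carry the credential
    to an unintended service on the same name."""
    url = expand_template(build_doh_template(trusted_host, port, dohpath), dns_query)
    headers = {"Accept": "application/dns-message"}
    if client_credential is not None and trusted_host in TRUSTED_FOR_AUTH:
        headers["Authorization"] = client_credential
    return url, headers
```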
