Dave Singer wrote:
I'm a by-stander on this discussion, maybe off-base or out of it -- but
something other than the undesirable traffic struck me.
Isn't it also true that I might *deliberately break* all sorts of things
by introducing 'blocking' names into DNS responses, so that an LLMNR
request is never issued. So an ISP could 'grab' traffic that the users
thought was local, by replying to a DNS request in a proxy (or
converting a negative reply into an answer).
Yes,
we have done that accidently. We were told we have broken things on
windows by publishing ".local" in the Public-Root.
We stopped publishing that domain immediately. But yes, all you have
to do is send some random packets, resolving '.local' to the windows
box. The thing will happily cache them and next time ...
Also, ISPs might be tempted to start turning around DNS requests in
their proxies for names that they *think* should be answered by LLMNR,
returning resolution failure, so as not to send too much traffic
outbound. This pre-empts the real DNS from ever actually replying.
The whole idea that 'real DNS' can arbitrarily pre-empt local name
resolution seems, well, wrong, and needs serious study for security
implications for the services using those names, no?
--
Peter and Karin Dambier
Public-Root
Graeffstrasse 14
D-64646 Heppenheim
+49-6252-671788 (Telekom)
+49-179-108-3978 (O2 Genion)
+49-6252-750308 (VoIP: sipgate.de)
+1-360-448-1275 (VoIP: freeworldialup.com)
mail: peter@xxxxxxxxxxxxxxxx
http://iason.site.voila.fr
http://www.kokoom.com/iason
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf