Re: Summary of the LLMNR Last Call

> You might note that in the technical discussion, I argued _against_ the idea
> that this is a problem with LLMNR.  Personally, I consider the fact that mDNS
> attaches special semantics to .local to be a problem with mDNS.

If the DNSEXT WG wants to document recommended resolver behavior with 
respect to the .local domain, it can do so.  However, your message essentially 
*orders* the WG to do so, as a precondition for publishing any documents on 
the topic.  That is inappropriate. 

> Absent any mandatory-to-implement security, we sometimes accept an
> applicability statement that explains the environments in which it is safe to
> use a protocol without any protocol-specific security mechanism, but I didn't
> find that in the LLMNR document either.  Is it there?

Yes, it is. 

From Section 5.2:

   Limiting the situations in which LLMNR queries are sent, as described
   in Section 2, is the best protection against these attacks.  

From Section 2:

   While these conditions are necessary for sending an LLMNR query, they
   are not sufficient.  While an LLMNR sender MAY send a query for any
   name, it also MAY impose additional conditions on sending LLMNR
   queries.  For example, a sender configured with a DNS server MAY send
   LLMNR queries only for unqualified names and for fully qualified
   domain names within configured zones.

Is this issue only about whether the MAYs are to be upgraded to a SHOULD 
or MUST?

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
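
The sender-side restriction quoted above from Section 2, sketched as an added example (not part of the original message or of the LLMNR draft). It assumes a single-label name without a trailing dot counts as "unqualified"; the zone `corp.example` and the function names are hypothetical, and the base conditions of Section 2, which this page does not reproduce, are not modelled.

```python
def _labels(name):
    """Lower-cased labels of a DNS name, ignoring one trailing root dot."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".") if name else []


def in_zone(name, zone):
    """True if name equals zone or is a descendant of it.

    Comparison is per label, so 'host.evilcorp.example' is NOT treated
    as being inside 'corp.example' (a plain string suffix test would be).
    """
    n, z = _labels(name), _labels(zone)
    return len(z) > 0 and len(n) >= len(z) and n[-len(z):] == z


def may_send_llmnr(name, dns_configured, zones):
    """Decide whether the additional sender condition allows an LLMNR query.

    dns_configured: the sender has a DNS server configured.
    zones: the sender's configured zones (assumption: a list of names).
    """
    labels = _labels(name)
    if not labels or "" in labels:
        return False              # empty name or empty label: malformed
    if not dns_configured:
        return True               # the quoted restriction does not apply
    # Assumption: single label and no trailing dot means "unqualified".
    if len(labels) == 1 and not name.strip().endswith("."):
        return True
    # Otherwise only names inside a configured zone go out over LLMNR.
    return any(in_zone(name, z) for z in zones)


if __name__ == "__main__":
    zones = ["corp.example"]      # constructed sample configuration
    for candidate in ("printer", "host.corp.example.",
                      "www.example.com", "host.evilcorp.example"):
        print(candidate, may_send_llmnr(candidate, True, zones))
```
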
