The Two Lookups Approach (was Re: Parsing the issues and finding a middle ground -- another attempt)

Marcos Sanz/Denic sanz at denic.de
Fri Mar 6 15:03:24 CET 2009


Catching up with the archives...

> (iv) For the four "changed interpretation" cases, we make it
> clear that the IDNA2008 interpretation is the important one and
> that registries have a lot of responsibility here.   However,
> if an application is in a position to deliver two different
> answers to the user, then it MAY reasonably do both lookups and
> then do whatever with them seems appropriate (obviously, a "did
> you really mean?" dialogue would be one such option).
> 
> Agreed as well. That, I think, is the only option I've heard for
> handling whatever characters end up in IDNA 2008 with changed
> interpretations that would help mitigate the security problems.
> 
> The specified order of lookup will be important. The "did you mean" option
> could be recommended for user-facing code. That isn't, of
> course, much use for a lot of software like search engines, but for UIs
> could be useful.

This "two lookups" approach pops up again and again and I have a very bad 
feeling about it. Let me check first if I get the idea right: So the 
suggestion is that a DNS client (or a layer on top of a DNS client) 
produces two outputs, one with let's say the ZWNJ in a domain name mapped 
to nothing, and the other one leaving ZWNJ in it. Then these two labels 
are converted to (two different) Punycode and two DNS lookups take place. 
Then the client compares the DNS answers and if they are different, this 
is handled accordingly (UI interaction, abortion if no user interaction is 
possible, whatever). Is that right? Because I think this is broken.

First of all, two identical answers are not an unambiguous indicator that 
there are no "security problems". The "real" and the "phishing" webpage 
(let's concentrate for a moment on web for the sake of simplicity) could 
incidentally be hosted on the same server (same IP) by a big registrar.

And there are plenty of operational situations in which *two consecutive 
identical DNS queries can lead to two different replies*:
* Replies are returned from a cache. Caches naturally change in time.
* No cache gets involved: One query is sent to one authoritative 
nameserver, the second is sent to a different authoritative nameserver. 
These servers have unfortunately different states of zone content.
* Or your resolver has sent the two queries to the same nameserver, but 
they are delivered to, for instance, two different anycast instances 
(again with different states of zone content).
* Or both are delivered to one and the same nameserver instance, but one 
query is dealt with before a content change, the second is dealt with 
after the content change.
* Or no content changes take place at all, but different answers are sent 
as part of a DNS load balancing scheme.
If we not only take the answer section of the reply into account for the 
comparison, but also authority and the additional sections, the 
possibilities of something not going as expected grow.

Summary: Different replies to the two lookups are neither a sufficient nor 
a necessary condition for a "security situation"; the mechanism produces 
plenty of false positives/negatives, which, by themselves, would be very 
difficult to debug. We don't want to go down that path.

Best regards,
Marcos
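The "two lookups" procedure described in this message, run end to end as an added example (this is not code from the original post or from the IDNA working group). It derives both interpretations of a label containing ZWNJ, encodes each to an A-label, queries both and compares the answers. The resolver is a constructed, offline stub, the Persian-script label is a constructed sample, and the parent domain `example` is a placeholder; the three scenario functions reproduce the intended case (only one name registered) and the two failure modes argued above: identical answers from two distinct registrations parked on one shared address, and different answers from a single bundled registration behind round-robin records.

```python
"""Added example (not from the original post): the "two lookups" procedure
run against a constructed, offline stub resolver, showing why comparing the
two answers is neither a sufficient nor a necessary signal of a problem."""
from __future__ import annotations

import unicodedata
from typing import Optional

ZWNJ = "\u200c"  # ZERO WIDTH NON-JOINER, one of the "changed interpretation" characters
# Constructed sample: a Persian-script label with ZWNJ between the 4th and 5th letters.
LABEL = "\u0646\u0627\u0645\u0647" + ZWNJ + "\u0627\u06cc"
PARENT = "example"  # placeholder parent domain, not a real registration


def candidate_labels(ulabel: str) -> tuple[str, str]:
    """Both interpretations of a label containing ZWNJ:
    (mapped) the IDNA2003 reading, ZWNJ mapped to nothing;
    (kept)   the IDNA2008 reading, ZWNJ retained as a code point."""
    return ulabel.replace(ZWNJ, ""), ulabel


def to_alabel(ulabel: str) -> str:
    """Encode one U-label to its A-label (xn-- prefix + Punycode, RFC 3492)."""
    ulabel = unicodedata.normalize("NFC", ulabel)
    if ulabel.isascii():
        return ulabel
    return "xn--" + ulabel.encode("punycode").decode("ascii")


def from_alabel(alabel: str) -> str:
    """Decode an A-label back to its U-label."""
    if not alabel.startswith("xn--"):
        return alabel
    return alabel[4:].encode("ascii").decode("punycode")


def idna2003_alabel(ulabel: str) -> str:
    """Cross-check: Python's built-in 'idna' codec implements IDNA2003 (nameprep),
    whose table B.1 maps ZWNJ to nothing, so it yields the 'mapped' A-label."""
    return ulabel.encode("idna").decode("ascii")


class StubResolver:
    """Constructed stand-in for a DNS client; no packets are sent. Each name owns
    an RRset; one query counter rotates through the records, modelling round-robin
    answers or a cache whose contents change between two consecutive queries."""

    def __init__(self, zone: dict[str, list[str]]):
        self._zone = {name.lower(): list(rrs) for name, rrs in zone.items()}
        self._queries = 0

    def lookup(self, name: str) -> Optional[str]:
        idx, self._queries = self._queries, self._queries + 1
        rrs = self._zone.get(name.lower())
        if not rrs:
            return None  # NXDOMAIN
        return rrs[idx % len(rrs)]


def two_lookups(resolver: StubResolver, ulabel: str, parent: str) -> dict:
    """The procedure under discussion: derive both interpretations, encode each
    to an A-label, query both, and compare the answers."""
    mapped, kept = candidate_labels(ulabel)
    name_mapped = f"{to_alabel(mapped)}.{parent}"
    name_kept = f"{to_alabel(kept)}.{parent}"
    ans_mapped = resolver.lookup(name_mapped)
    ans_kept = resolver.lookup(name_kept)
    return {
        "mapped": (name_mapped, ans_mapped),
        "kept": (name_kept, ans_kept),
        "answers_differ": ans_mapped != ans_kept,
    }


def scenario_true_positive() -> dict:
    """Only the ZWNJ-less name exists: the second lookup gets NXDOMAIN and the
    answers differ. This is the case the mechanism is meant to catch."""
    mapped, _ = candidate_labels(LABEL)
    zone = {f"{to_alabel(mapped)}.{PARENT}": ["192.0.2.10"]}
    return two_lookups(StubResolver(zone), LABEL, PARENT)


def scenario_false_negative() -> dict:
    """Two different registrants, both parked on the same shared address (e.g. a
    big registrar's hosting): identical answers, yet the names are distinct."""
    mapped, kept = candidate_labels(LABEL)
    zone = {
        f"{to_alabel(mapped)}.{PARENT}": ["192.0.2.10"],  # legitimate registrant
        f"{to_alabel(kept)}.{PARENT}": ["192.0.2.10"],    # another registrant, same host
    }
    return two_lookups(StubResolver(zone), LABEL, PARENT)


def scenario_false_positive() -> dict:
    """One registrant holds both names (registry bundling) behind a load-balanced
    host with two address records: consecutive lookups get different records, so
    the comparison reports a difference that is not a security situation."""
    mapped, kept = candidate_labels(LABEL)
    rrset = ["192.0.2.20", "192.0.2.21"]
    zone = {
        f"{to_alabel(mapped)}.{PARENT}": rrset,
        f"{to_alabel(kept)}.{PARENT}": rrset,
    }
    return two_lookups(StubResolver(zone), LABEL, PARENT)


if __name__ == "__main__":
    for scenario in (scenario_true_positive, scenario_false_negative, scenario_false_positive):
        print(scenario.__name__, scenario())
```

The stub deliberately keys its rotation on the query counter rather than on the name, because the situations listed above (caches, different authoritative servers, anycast instances, load balancing) all turn on the fact that the second query is answered from a different state than the first, independently of which name is asked for.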

