The Two Lookups Approach (was Re: Parsing the issues and finding a middle ground -- another attempt)
sanz at denic.de
Fri Mar 6 15:03:24 CET 2009
Catching up with the archives...
> (iv) For the four "changed interpretation" cases, we make it
> clear that the IDNA2008 interpretation is the important one and
> that registries have a lot of responsibility here. However,
> if an application is in a position to deliver two different
> answers to the user, then it MAY reasonably do both lookups and
> then do whatever with them seems appropriate (obviously, a "did
> you really mean?" dialogue would be one such option).
> Agreed as well. That, I think, is the only option I've heard for
handling for whatever characters end up in IDNA 2008 with changed
> interpretations that would help mitigate the security problems.
> The specified order of lookup will be important. The did you mean option
could be recommended for user-facing code. That isn't, of
> course, much use for a lot of software like search engines, but for UIs
could be useful.
This "two lookups" approach pops up again and again and I have a very bad
feeling about it. Let me check first if I get the idea right: So the
suggestion is that a DNS client (or a layer on top of a DNS client)
produces two outputs, one with let's say the ZWNJ in a domain name mapped
to nothing, and the other one leaving ZWNJ in it. Then these two labels
are converted to (two different) Punycode and two DNS lookups take place.
Then the client compares the DNS answers and if they are different, this
is handled accordingly (UI interaction, abortion if no user interation
possible, whatever). Is that right? Because I think this is broken.
First of all, two identical answers are not an unambiguous indicator that
there are no "security problems". The "real" and the "phishing" webpage
(let's concentrate for a moment on web for the sake of simplicity) could
incidentally be hosted on the same server (same IP) by a big registrar.
And there are plenty of operational situations in which *two consecutive
identical DNS queries can lead to two different replies*:
* Replies are returned from a cache. Caches naturally change in time.
* No cache gets involved: One query is sent to one authoritative
nameserver, the second is sent to a different authoritative nameserver.
These servers have unfortunately different states of zone content.
* Or your resolver has sent the two queries to the same nameserver, but
they are delivered to, for instance, two different anycast instances
(again with different states of zone content).
* Or both are delivered to one and the same nameserver instance, but one
query is dealt with before a content change, the second is dealt with
after the content change.
* Or no content changes take place at all, but different answers are sent
as part of a DNS load balancing scheme.
If we not only take the answer section of the reply into account for the
comparison, but also authority and the additional sections, the
possibilities of something not going as expected grow.
Summary: Different replies to the two lookups is neither a sufficient nor
a necessary condition for a "security situation", the mechanism produces
plenty of false positives/negatives, which by themselves, would be very
difficult to debug. We don't want to go down that path.
More information about the Idna-update