Aug 2, 2011, 5:03:26 AM (8 years ago)

rewrite DNS spoofing advice section, taking Henrik's text (see #100)

1 edited


  • draft-ietf-httpbis/latest/p1-messaging.xml

    r1368 r1369  
    4013 <section title="DNS Spoofing" anchor="dns.spoofing">
    4014 <t>
    4015    Clients using HTTP rely heavily on the Domain Name Service, and are
    4016    thus generally prone to security attacks based on the deliberate
    4017    mis-association of IP addresses and DNS names. Clients need to be
    4018    cautious in assuming the continuing validity of an IP number/DNS name
    4019    association.
    4020 </t>
    4021 <t>
    4022    In particular, HTTP clients &SHOULD; rely on their name resolver for
    4023    confirmation of an IP number/DNS name association, rather than
    4024    caching the result of previous host name lookups. Many platforms
    4025    already can cache host name lookups locally when appropriate, and
    4026    they &SHOULD; be configured to do so. It is proper for these lookups to
    4027    be cached, however, only when the TTL (Time To Live) information
    4028    reported by the name server makes it likely that the cached
    4029    information will remain useful.
    4030 </t>
    4031 <t>
    4032    If HTTP clients cache the results of host name lookups in order to
    4033    achieve a performance improvement, they &MUST; observe the TTL
    4034    information reported by DNS.
    4035 </t>
    4036 <t>
    4037    If HTTP clients do not observe this rule, they could be spoofed when
    4038    a previously-accessed server's IP address changes. As network
    4039    renumbering is expected to become increasingly common <xref target="RFC1900"/>, the
    4040    possibility of this form of attack will grow. Observing this
    4041    requirement thus reduces this potential security vulnerability.
    4042 </t>
    4043 <t>
    4044    This requirement also improves the load-balancing behavior of clients
    4045    for replicated servers using the same DNS name and reduces the
    4046    likelihood of a user's experiencing failure in accessing sites which
    4047    use that strategy.
     4013<section title="DNS-related Attacks" anchor="dns.related.attacks">
     4015   HTTP clients rely heavily on the Domain Name Service (DNS), and are thus
     4016   generally prone to security attacks based on the deliberate misassociation
     4017   of IP addresses and DNS names not protected by DNSSec. Clients need to be
     4018   cautious in assuming the validity of an IP number/DNS name association unless
     4019   the response is protected by DNSSec (<xref target="RFC4033"/>).
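Review bot: the replacement paragraph at new 4015-4019 drops all of the TTL guidance that old 4021-4047 carried (rely on the resolver rather than a private lookup cache, configure platform caching, and the MUST to honour the TTL reported by DNS when caching); if that requirement-level text is meant to go, say so in the changes list, otherwise keep it as a second `<t>` after the DNSSec sentence. Two smaller points in the new text: RFC 4033 itself spells the term "DNSSEC", so "DNSSec" at 4017 and 4019 should follow it; and "misassociation of IP addresses and DNS names not protected by DNSSec" at 4016-4017 reads as if the names rather than the responses are unprotected, and it states the same condition that 4018-4019 already states, so one of the two mentions can be cut. Also check that nothing else in the document links to the old anchor "dns.spoofing" (it is now "dns.related.attacks"), and that RFC1900, whose citation at old 4039 is removed, is still cited elsewhere or it becomes an unused reference.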
     4700<reference anchor='RFC4033'>
     4701  <front>
     4702    <title>DNS Security Introduction and Requirements</title>
     4703    <author initials='R.' surname='Arends' fullname='R. Arends'/>
     4704    <author initials='R.' surname='Austein' fullname='R. Austein'/>
     4705    <author initials='M.' surname='Larson' fullname='M. Larson'/>
     4706    <author initials='D.' surname='Massey' fullname='D. Massey'/>
     4707    <author initials='S.' surname='Rose' fullname='S. Rose'/>
     4708    <date year='2005' month='March' />
     4709  </front>
     4710  <seriesInfo name='RFC' value='4033' />
    47284713<reference anchor="RFC4288">
    47294714  <front>
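Review bot: attribute quoting at new 4700-4710 uses single quotes (anchor='RFC4033', initials='R.', name='RFC') while the neighbouring RFC4288 entry at 4713 uses double quotes; match the surrounding style, e.g. `<reference anchor="RFC4033">`. The rest checks out: the anchor matches the `<xref target="RFC4033"/>` added in the section text, and the author list and March 2005 date are those of RFC 4033.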
    59745959  <list style="symbols">
    59755960    <t>
     5961      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/100"/>:
     5962      "DNS Spoofing / DNS Binding advice"
     5963    </t>
     5964    <t>
    59765965      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/270"/>:
    59775966      "\-escaping in quoted strings"
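Review bot: the changes-list entry for ticket 100 at new 5961-5962 gives only the ticket title "DNS Spoofing / DNS Binding advice"; since the same change renames the section and its anchor (dns.spoofing to dns.related.attacks), consider noting the rename here so readers holding links to the old anchor can find the new one. Placing the entry ahead of ticket 270 keeps the list in ticket-number order, which is right.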