Changeset 1369 for draft-ietf-httpbis/latest/p1-messaging.xml
- Timestamp: 02/08/11 12:03:26
- File: 1 edited
draft-ietf-httpbis/latest/p1-messaging.xml
r1368 r1369 4011 4011 </section> 4012 4012 4013 <section title="DNS Spoofing" anchor="dns.spoofing"> 4014 <t> 4015 Clients using HTTP rely heavily on the Domain Name Service, and are 4016 thus generally prone to security attacks based on the deliberate 4017 mis-association of IP addresses and DNS names. Clients need to be 4018 cautious in assuming the continuing validity of an IP number/DNS name 4019 association. 4020 </t> 4021 <t> 4022 In particular, HTTP clients &SHOULD; rely on their name resolver for 4023 confirmation of an IP number/DNS name association, rather than 4024 caching the result of previous host name lookups. Many platforms 4025 already can cache host name lookups locally when appropriate, and 4026 they &SHOULD; be configured to do so. It is proper for these lookups to 4027 be cached, however, only when the TTL (Time To Live) information 4028 reported by the name server makes it likely that the cached 4029 information will remain useful. 4030 </t> 4031 <t> 4032 If HTTP clients cache the results of host name lookups in order to 4033 achieve a performance improvement, they &MUST; observe the TTL 4034 information reported by DNS. 4035 </t> 4036 <t> 4037 If HTTP clients do not observe this rule, they could be spoofed when 4038 a previously-accessed server's IP address changes. As network 4039 renumbering is expected to become increasingly common <xref target="RFC1900"/>, the 4040 possibility of this form of attack will grow. Observing this 4041 requirement thus reduces this potential security vulnerability. 4042 </t> 4043 <t> 4044 This requirement also improves the load-balancing behavior of clients 4045 for replicated servers using the same DNS name and reduces the 4046 likelihood of a user's experiencing failure in accessing sites which 4047 use that strategy. 
4013 <section title="DNS-related Attacks" anchor="dns.related.attacks"> 4014 <t> 4015 HTTP clients rely heavily on the Domain Name Service (DNS), and are thus 4016 generally prone to security attacks based on the deliberate misassociation 4017 of IP addresses and DNS names not protected by DNSSec. Clients need to be 4018 cautious in assuming the validity of an IP number/DNS name association unless 4019 the response is protected by DNSSec (<xref target="RFC4033"/>). 4048 4020 </t> 4049 4021 </section> … … 4726 4698 </reference> 4727 4699 4700 <reference anchor='RFC4033'> 4701 <front> 4702 <title>DNS Security Introduction and Requirements</title> 4703 <author initials='R.' surname='Arends' fullname='R. Arends'/> 4704 <author initials='R.' surname='Austein' fullname='R. Austein'/> 4705 <author initials='M.' surname='Larson' fullname='M. Larson'/> 4706 <author initials='D.' surname='Massey' fullname='D. Massey'/> 4707 <author initials='S.' surname='Rose' fullname='S. Rose'/> 4708 <date year='2005' month='March' /> 4709 </front> 4710 <seriesInfo name='RFC' value='4033' /> 4711 </reference> 4712 4728 4713 <reference anchor="RFC4288"> 4729 4714 <front> … … 5974 5959 <list style="symbols"> 5975 5960 <t> 5961 <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/100"/>: 5962 "DNS Spoofing / DNS Binding advice" 5963 </t> 5964 <t> 5976 5965 <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/270"/>: 5977 5966 "\-escaping in quoted strings"
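Review bot: the replacement "DNS-related Attacks" section drops the normative caching guidance with nothing in its place. The removed paragraphs required that clients caching host name lookups "&MUST; observe the TTL information reported by DNS" and explained the consequence of not doing so (being spoofed when a previously-accessed server's IP address changes); the new text only says clients "need to be cautious in assuming the validity of an IP number/DNS name association unless the response is protected by DNSSec", so a client that keeps using a stale IP/name mapping past its TTL is no longer in violation of any requirement, and DNSSEC validation of the original response does not cover that case. If the intent of ticket 100 is to remove the pinning/binding advice, consider keeping the TTL sentence at least as a non-normative note. Two wording points in the same paragraph: "misassociation of IP addresses and DNS names not protected by DNSSec" reads as if names rather than responses are signed, so "DNS names, in responses not protected by DNSSEC" is clearer; and the conventional spelling in RFC 4033 is "DNSSEC", so both occurrences should use it.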