Changeset 1369 for draft-ietf-httpbis/latest/p1-messaging.xml

Timestamp:

Aug 2, 2011, 5:03:26 AM (8 years ago)

Author:

julian.reschke@…

Message:

rewrite DNS spoofing advice section, taking Henrik's text (see #100)

File:

• draft-ietf-httpbis/latest/p1-messaging.xml (modified) (3 diffs)

draft-ietf-httpbis/latest/p1-messaging.xml

@@ -4011 +4011 @@
 </section>
 
-<section title="DNS Spoofing" anchor="dns.spoofing">
-<t>
-   Clients using HTTP rely heavily on the Domain Name Service, and are
-   thus generally prone to security attacks based on the deliberate
-   mis-association of IP addresses and DNS names. Clients need to be
-   cautious in assuming the continuing validity of an IP number/DNS name
-   association.
-</t>
-<t>
-   In particular, HTTP clients &SHOULD; rely on their name resolver for
-   confirmation of an IP number/DNS name association, rather than
-   caching the result of previous host name lookups. Many platforms
-   already can cache host name lookups locally when appropriate, and
-   they &SHOULD; be configured to do so. It is proper for these lookups to
-   be cached, however, only when the TTL (Time To Live) information
-   reported by the name server makes it likely that the cached
-   information will remain useful.
-</t>
-<t>
-   If HTTP clients cache the results of host name lookups in order to
-   achieve a performance improvement, they &MUST; observe the TTL
-   information reported by DNS.
-</t>
-<t>
-   If HTTP clients do not observe this rule, they could be spoofed when
-   a previously-accessed server's IP address changes. As network
-   renumbering is expected to become increasingly common <xref target="RFC1900"/>, the
-   possibility of this form of attack will grow. Observing this
-   requirement thus reduces this potential security vulnerability.
-</t>
-<t>
-   This requirement also improves the load-balancing behavior of clients
-   for replicated servers using the same DNS name and reduces the
-   likelihood of a user's experiencing failure in accessing sites which
-   use that strategy.
+<section title="DNS-related Attacks" anchor="dns.related.attacks">
+<t>
+   HTTP clients rely heavily on the Domain Name Service (DNS), and are thus
+   generally prone to security attacks based on the deliberate misassociation
+   of IP addresses and DNS names not protected by DNSSec. Clients need to be
+   cautious in assuming the validity of an IP number/DNS name association unless
+   the response is protected by DNSSec (<xref target="RFC4033"/>).
 </t>
 </section>
@@ -4726 +4698 @@
 </reference>
 
+<reference anchor='RFC4033'>
+  <front>
+    <title>DNS Security Introduction and Requirements</title>
+    <author initials='R.' surname='Arends' fullname='R. Arends'/>
+    <author initials='R.' surname='Austein' fullname='R. Austein'/>
+    <author initials='M.' surname='Larson' fullname='M. Larson'/>
+    <author initials='D.' surname='Massey' fullname='D. Massey'/>
+    <author initials='S.' surname='Rose' fullname='S. Rose'/>
+    <date year='2005' month='March' />
+  </front>
+  <seriesInfo name='RFC' value='4033' />
+</reference>
+
 <reference anchor="RFC4288">
   <front>
@@ -5974 +5959 @@
   <list style="symbols">
     <t>
+      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/100"/>:
+      "DNS Spoofing / DNS Binding advice"
+    </t>
+    <t>
       <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/270"/>:
       "\-escaping in quoted strings"