[161129] in North American Network Operators' Group
Re: Should host/domain names travel over the internet with a trailing
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Feb 26 13:14:29 2013
To: Jimmy Hess <mysidia@gmail.com>
In-Reply-To: Your message of "Mon, 25 Feb 2013 19:07:20 -0600."
<CAAAwwbU6+F-9knQ-74yXqW5PpPTfhdwBXwzSpL8i2NCWAxHxsA@mail.gmail.com>
From: Valdis.Kletnieks@vt.edu
Date: Tue, 26 Feb 2013 13:12:53 -0500
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mon, 25 Feb 2013 19:07:20 -0600, Jimmy Hess said:
> If the domain in a certificate were not interpreted as a FQDN by the
> client, this would mean that the certificate for
> CN=bigbank.example.com
> might be used to authenticate a connection to https://bigbank.example.com
> which, due to the local resolver search order, is in fact a DNS lookup of
> bigbank.example.com.intranet.example.com
>
> Which might be captured by a Wildcard A record for *.com found in
> the intranet.example.com. zone and pointed to a server
> containing a phishing attack against bigbank.example.com; with a
> DNS cache poisoned by a false negative cache NXDOMAIN entry for
> bigbank.example.com.
I am *sooo* tempted to say "I recommend my competitors do DNS lookups this way"
:)
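The search-order behaviour discussed in this message, as an added example that is not part of the original post or written by either poster. It is a simplified model of resolv.conf(5) "search"/"ndots" handling and of wildcard matching; the search list, record set and address are constructed for illustration.

```python
# Added example: simplified model of a stub resolver's search-list expansion.
# All names, records and addresses below are constructed, not taken from a real zone.

def candidates(name, search, ndots=1):
    """Return the query names a stub resolver tries, in order."""
    if name.endswith("."):               # trailing dot: absolute, search list skipped
        return [name]
    absolute = name + "."
    searched = [f"{name}.{suffix.rstrip('.')}." for suffix in search]
    if name.count(".") >= ndots:         # "enough dots": try the name as-is first
        return [absolute] + searched
    return searched + [absolute]

def lookup(qname, records):
    """Exact match first, then the nearest wildcard, in a constructed record set."""
    if qname in records:
        return records[qname]
    labels = qname.split(".")            # last element is "" because of the root dot
    for i in range(1, len(labels) - 1):
        wild = "*." + ".".join(labels[i:])
        if wild in records:
            return records[wild]
    return None                          # models NXDOMAIN

def resolve(name, search, records, ndots=1):
    """Return (query name that answered, address), or (None, None)."""
    for qname in candidates(name, search, ndots):
        addr = lookup(qname, records)
        if addr is not None:
            return qname, addr
    return None, None

SEARCH = ["intranet.example.com"]
# Constructed resolver view: the real name is absent (a cached NXDOMAIN) and the
# intranet zone carries a wildcard for *.com, as in the quoted scenario.
RECORDS = {"*.com.intranet.example.com.": "192.0.2.66"}

def demo():
    relative = resolve("bigbank.example.com", SEARCH, RECORDS)
    rooted = resolve("bigbank.example.com.", SEARCH, RECORDS)
    return relative, rooted

if __name__ == "__main__":
    for label, result in zip(("relative", "rooted"), demo()):
        print(label, result)
```

The relative name is answered by the intranet wildcard after the absolute query fails, while the rooted name is never expanded; a client can compare the name that actually answered with the name it validates in the certificate to detect the mismatch.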