[At-Large] IDN Variants in the market place

Karl Auerbach karl at cavebear.com
Fri Jul 20 20:30:20 UTC 2018

There is a widespread misconception about DNS that it is somehow an 
authoritative service, by which I mean that if one says "connect to 
X.Y.Z" that one is, in fact, going to be connected to X.Y.Z.

That misconception is partially fueled by the "authoritative answer" bit 
in the DNS reply packet.  That bit merely means that the DNS server that 
generated the answer got the information from its own configuration 
files rather than overhearing it via the kind of DNS hearsay activity 
that occurs within DNS in order to make DNS more efficient.

What you might notice is that the internet architecture is missing a 
layer.  Way back in the mid-1970s we tried to insert a layer above TCP 
and UDP in which there would be an exchange of mutual identification and 
credentials proving that identification.  Due to security (or rather 
paranoia) concerns of certain US government agencies, that layer never 
made it into the internet architecture. And, because such a layer tends 
to imply a universal authority over the issuance of those credentials, 
there was pushback by those who favored a more diffuse internet with 
less centralization.

Had that layer been present, then when one tries to connect to "X.com" 
after that connection had been established at the TCP level there would 
have been an exchange that would prove whether the connection had 
reached the desired "X.com" or a homographic (typically with intent to 
deceive) different target.

DNS is intended to be a "hinting" system, by which I mean that it gives 
information that it (and you) hope is accurate but about which there are 
really no guarantees, leaving security as a job for the user to perform.

We see that job being added in later years via TLS certificate chains 
(which are often merely tracked back to a known certificate authority, 
which is an inadequate test, but it is the test most often done.)  
DNSSEC also provides tools so that one can know that the DNS data has 
not been modified somewhere, but that does not change the nature of the 
address information in DNS resource records being merely a hint.

DNS, because of caching, can never give ironclad promises that 
the result you get from your local DNS resolver is utterly accurate.  
And with the rise of geo-IP based DNS mappings, the definition of 
"accurate" becomes somewhat contextual.

The real answer to homographic deceptions is not really within the realm 
of DNS itself, or within ICANN but, rather, would be through the 
adoption (at long last) of a proper layer of mutual identification and 
authentication either within the transport protocols or between them and 
the applications.

None of this is easy - just look at how SSL evolved, and grew, to become 
TLS 1.1, 1.2, 1.3 ...  And nobody has ever said that DNSSEC is simple.
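The kind of client-side check the post says DNS leaves to the user, as an added example in Python (not from the post, ICANN, or any IETF code): it decodes IDN A-labels back to Unicode and flags labels that mix scripts or use a script outside a caller-supplied allow-list. The sample hostnames are constructed and the allow-list policy is an assumption; a single-script look-alike can only be separated from a legitimate name in that script with a confusables table (UTS #39), which the standard library does not ship.

```python
import unicodedata

# Constructed samples, not real domains: an all-Latin name, a Latin label
# with one Cyrillic 'a' (U+0430) mixed in, and an all-Cyrillic label that
# reads like a Latin word (Cyrillic a, r, r, i, ie).
SAMPLE_HOSTS = [
    "www.example.com",
    "p\u0430ypal.com",
    "\u0430\u0440\u0440\u0456\u0435.com",
]

def decode_label(label: str) -> str:
    """Turn an A-label (xn--...) back into its U-label; other labels pass through."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def label_scripts(label: str) -> set:
    """Scripts used by a label, taken from the first word of each character's
    Unicode name (LATIN, CYRILLIC, GREEK, ...). Digits and hyphens are
    script-neutral and ignored."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts

def assess_hostname(host: str, allowed_scripts=frozenset({"LATIN"})) -> list:
    """Return one (u_label, sorted scripts, reason) tuple per suspicious label.
    'mixed-script': one label uses more than one script.
    'unexpected-script': the label's script is outside the allow-list
    (assumed policy; the third sample is caught only by this rule)."""
    findings = []
    for label in host.lower().rstrip(".").split("."):
        u_label = decode_label(label)
        scripts = label_scripts(u_label)
        if len(scripts) > 1:
            findings.append((u_label, sorted(scripts), "mixed-script"))
        elif scripts - allowed_scripts:
            findings.append((u_label, sorted(scripts), "unexpected-script"))
    return findings

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        # Show the A-label form (what DNS carries) beside the verdict.
        print(h.encode("idna").decode("ascii"), assess_hostname(h))
```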

