cti-taxii message

Subject: DNS SRV support in TAXII


All,


I spent some time this morning talking to Dave Cridland about some of the security considerations of offering support for DNS SRV record lookup. Basically, if I understand the problem correctly, if we offer SRV record lookups then there will be no "channel binding" between the DNS request performed on the client and the follow-on HTTP request that the client made.


I am not sure how this is any different from any other service that is hosted via DNS via a CNAME or MX record. I know DNSSEC was designed to address a lot of this, but very few people have deployed it.


So my fundamental question is, how do we proceed? Is this something we need to try and fix / address?


I see a few possible options for us:

1) Remove support for DNS SRV record lookups for now


2) Write up some security considerations in the Appendix that talk about this problem in more detail and why it is an issue. Maybe make some recommendations for how to solve it, like with DNSSEC or requiring the TAXII server to have a certificate that supports multiple names in it. Someone would need to take the lead on this and propose the text.


3) Just be generally silent on it.


Use Cases:

a) A client without a UI needs to auto-discover the location of the TAXII server in the network.

b) A user outside the organization would like to see if an organization X offers a TAXII server.


Workflow:

i) TAXII Client does a DNS lookup at example.com for the SRV record and gets the following response:

    _taxii._tcp.example.com. 86400 IN SRV 0 5 443 taxii-hub-1.example.com


ii) This tells the client that it can find the TAXII server at the following address: taxii-hub-1.example.com

iii) The client does a request at taxii-hub-1.example.com/taxii to query the Discovery API.

  a) From what I understand from Dave, this is where things are a problem.  But maybe he can explain it.


Bret
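The workflow in the post, carried through in code as an added example (this is not code from the post, from the TAXII specification, or from any TAXII implementation): a client parses the SRV answer, orders the targets by priority and weight as RFC 2782 describes, builds the Discovery URL, and then applies the check that option 2 hints at. Because the SRV answer is unauthenticated without DNSSEC, validating the server certificate only against the SRV target (`taxii-hub-1.example.com`) accepts whatever host the answer happened to name; additionally requiring the certificate to cover the name the client started from (`example.com`) ties the TLS session back to the queried origin. The first SRV line is the one quoted in the post; the extra records, the SAN lists and all function names are constructed for this example.

```python
"""Added example: SRV-based TAXII discovery plus an origin-binding certificate
check. Not part of the original post; records beyond the first and all SAN
lists are constructed sample data."""
import random
import re
from dataclasses import dataclass

# Constructed sample answer to a query for _taxii._tcp.example.com.
# The first line is the record quoted in the post; the others are invented.
SRV_ANSWER = """\
_taxii._tcp.example.com. 86400 IN SRV 0 5 443 taxii-hub-1.example.com
_taxii._tcp.example.com. 86400 IN SRV 0 10 443 taxii-hub-2.example.com
_taxii._tcp.example.com. 86400 IN SRV 1 5 8443 taxii-backup.example.com
"""

# owner ttl IN SRV priority weight port target
SRV_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


@dataclass(frozen=True)
class SrvRecord:
    owner: str
    ttl: int
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(text):
    """Parse zone-file style SRV lines into SrvRecord objects."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SRV_RE.match(line)
        if not m:
            raise ValueError(f"not an SRV record: {line!r}")
        owner, ttl, pri, wt, port, target = m.groups()
        records.append(SrvRecord(owner.rstrip("."), int(ttl), int(pri),
                                 int(wt), int(port), target.rstrip(".")))
    return records


def order_targets(records, rng=None):
    """RFC 2782 ordering: lowest priority first; within one priority, a
    weighted random order. A seeded generator keeps the example repeatable."""
    rng = rng or random.Random(0)
    ordered = []
    for pri in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == pri]
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.uniform(0, total) if total else 0
            for i, r in enumerate(pool):
                pick -= r.weight
                if pick <= 0:
                    ordered.append(pool.pop(i))
                    break
            else:  # floating-point edge case: fall back to the first entry
                ordered.append(pool.pop(0))
    return ordered


def discovery_url(record, path="/taxii"):
    """Step iii of the post: the Discovery endpoint on the SRV target."""
    return f"https://{record.target}:{record.port}{path}"


def name_matches(pattern, name):
    """Exact match, or a single left-most wildcard label (*.example.com)."""
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return name.endswith(suffix) and name.count(".") == pattern.count(".")
    return pattern == name


def check_binding(san_names, origin, record):
    """'target' is ordinary hostname verification against the SRV target.
    'origin' is the extra check that re-binds the session to the queried
    name; without it an unsigned SRV answer can redirect the client to any
    host holding a valid certificate for its own name."""
    target_ok = any(name_matches(p, record.target) for p in san_names)
    origin_ok = any(name_matches(p, origin) for p in san_names)
    return {"target": target_ok, "origin": origin_ok,
            "bound": target_ok and origin_ok}


if __name__ == "__main__":
    recs = order_targets(parse_srv(SRV_ANSWER))
    first = recs[0]
    print("connect to", discovery_url(first))
    # Constructed SAN lists: one covering only the target, one also the origin.
    print(check_binding(["taxii-hub-1.example.com", "taxii-hub-2.example.com"],
                        "example.com", first))
    print(check_binding(["*.example.com", "example.com"], "example.com", first))
```

The priority-0 hubs are always tried before the priority-1 backup; which hub comes first varies with the weighted draw. Only the second SAN list, the one that also names `example.com`, yields `bound: True`.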