Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add a generic public-service namespace suffix for sandbox testing / lab use #1349

Open
sirdarckcat opened this issue Jun 9, 2021 · 21 comments
Assignees
Labels
waiting-followup Blocked for need of follow-up

Comments

@sirdarckcat
Copy link
Contributor

It happens (apparently often) that people request a public suffix to the PSL (see #1272 and #1241) for a use-case of a one-time "lab" type of usecase (eg, trigger behavior that browsers/clients/libraries/servers use the PSL for). This is particularly important for some security applications because "Site" is a first-level concept of the browser security model (so, subdomains don't work).

The proposal would be to have a domain name (name TBD) added to the PSL of the form: *.psllabs.com where a custom DNS server is running on something.com that returns to SOA requests with the value of the domain being requested. For example 1-2-3-4.psllabs.com could respond with 1.2.3.4 (this is an example).

The cost of running a service like this would be modest, and a large company could sponsor it (I could seek Google to run this), and the advantage would be that people that just need one-off PSL additions can use this service.

I can experiment with something similar to this (there seems to be expired suffixes in the PSL I could use), but it probably makes sense to agree to do this first.

@dnsguru
Copy link
Member

dnsguru commented Jun 9, 2021

Is this kind of like a sandbox type system ?
Wonder if it is worth getting something under .arpa via the IETF formally?

@sirdarckcat
Copy link
Contributor Author

it's kindof like a sandbox, yes for testing, development, demos, etc.. the 2 PRs I showed are for "demo vulnerable apps" and how they would behave with different browsers.

I'm not sure what's the process with .arpa - but yea, I guess something like in-addr.arpa but that resolves to SOA instead of A

@dnsguru
Copy link
Member

dnsguru commented Jun 9, 2021

@sirdarckcat Would you mind typing up something that I could review with the ICANN Office of the CTO so that we can get their recommendation ? I believe you are largely describing that there be the creation of some form of a general purpose namespace solve for the lab user types who want to poke around with example domains to test cookie horizons, DOM, etc.

I like this idea because it allows for the type of CTF or lab scenarious that help make things safer for users, and the proposed concept preserves the ambition of filesize modesty.

@sirdarckcat
Copy link
Contributor Author

Would the idea be that ARPA would run it? Or they would just provide the TLD.

Anyway, I can write something up, although what format and how detailed does it need to be? Is this a one-pager or a RFC type of thing.

@dnsguru
Copy link
Member

dnsguru commented Jun 10, 2021 via email

@dnsguru dnsguru changed the title Add a generic public-service suffix Add a generic public-service namespace suffix for sandbox testing / lab use Jun 10, 2021
@dnsguru dnsguru linked a pull request Jun 14, 2021 that will close this issue
10 tasks
@dnsguru
Copy link
Member

dnsguru commented Jun 16, 2021

I had a chance to confer with some experts in the DNS space on an approach to use with this and in reviewing this:

https://datatracker.ietf.org/doc/draft-ietf-dnsop-private-use-tld/

It seems as though there is a block of space that was set aside for private use.

We could conceivably use two of these for the purpose of a private namespace to let folks sandbox the affectation from PSL presence.

.xp and .qp were suggested (maybe the P is PSL?).

// xp, qp private PSL sandbox or testing
// xp as top level entry, qp as wildcard entry
// https://datatracker.ietf.org/doc/draft-ietf-dnsop-private-use-tld/
*.qp
xp

@dnsguru dnsguru added the waiting-followup Blocked for need of follow-up label Jun 16, 2021
@mozfreddyb
Copy link
Contributor

This internet draft provides a great building block and explicitly carving out those various top level domains sounds very useful for private testing. I'd sure use them.

However, it doesn't quite meet @sirdarckcat's proposed goal, in which he suggested a global name that can be shared and reused for close collaboration and sharing research results. I want to acknowledge that standardizing a global domain name that allows a unique 1-1 mapping for for every IP address has significant ramifications for DNS operations globally, but it's also very, very useful for those who "just want to get a name".

@sirdarckcat
Copy link
Contributor Author

sirdarckcat commented Jun 16, 2021

About the private use TLD

It's a very interesting proposal! However, as Freddy mentioned it doesn't quite does the same thing. In our case we need a public domain too, not just a private one.

That's not to say that the proposals are incompatible. I think we can come up with a solution that resolves both concerns, however they'll need each a different line in the PSL. One for private internet, and one for public internet.

About the public use TLD

I started experimenting with a bad (more on why it's bad below) version of this on http://www.nom.gd/ using an expired domain in the PSL (by the way, an easy way to reduce the size of the PSL is to remove expired domains). It's a bit of work, as I need my Registrar to be onboard forwarding me abuse reports (if they don't, I'll change registrars). Unsurprisingly, most of the work on running this service is likely going to be dealing with abuse :-). If ARPA was willing to manage this (like they manage in-addr.arpa) that would make it a long-term solution that isn't at risk of breaking if I forget to respond to a phishing report and my Registrar undelegates the domain so they don't get slapped in the hand by ICANN for not dealing with abuse promptly.

So, I think, nom.gd is not going to be good enough as a long-term solution. Not just because the name and provenance is sketchy (at the very least), but also because it can break at any moment (not based on the DNS server owner as I assumed but rather based on the Registrar).

Also, nom.gd isn't quite enough. It would be a lot better if one could control the zone of a TLD, so one can experiment with more than A records. Having an entry so that we can delegate zones on the PSL would be more future proof, and allow for a wider use.

@sleevi
Copy link
Contributor

sleevi commented Jun 16, 2021

but it's also very, very useful for those who "just want to get a name".

Can you explain?

I see significant security downsides in this, including those we explicitly call out in the Guidelines, namely:

We do not accept entries for use as DNS wildcards, such that e.g. 1-2-3-4.foo.tld resolves as IP address 1.2.3.4. This basically projects the security properties of the IP address space onto the domain name space, and we don't feel that is safe.

I haven't really seen a compelling discussion about the use cases here, and this makes it difficult, as PSL maintainers and as browser vendors, to evaluate the security implications and tradeoffs of this proposal. It'd be very useful to make sure we have a clear articulation about "Why does this need to be on the PSL" from a problem statement, because it's hopeful that we can find alternatives.

For example, based on the limited information provided, it seems browser vendors' offering a header and/or developer tools flag could fully address the use case here. Of course, that may be a very short-sighted view, but that's the issue with the lack of information.

@sirdarckcat
Copy link
Contributor Author

no, I think a flag for browsers would work fine. as in, it would need to exist on all places that use the PSL, but still it would work.

hadn't seen https://github.com/publicsuffix/list/wiki/Guidelines#validation-and-non-acceptance-factors :)

@dnsguru
Copy link
Member

dnsguru commented Jun 16, 2021 via email

@dnsguru
Copy link
Member

dnsguru commented Jun 16, 2021 via email

@sirdarckcat
Copy link
Contributor Author

For the lab/CTF case, I think the #1272 and #1241 usecases would have been solved also by having flags on browsers that add a fake entry to the PSL.

@dnsguru
Copy link
Member

dnsguru commented Jun 16, 2021 via email

@sirdarckcat
Copy link
Contributor Author

sirdarckcat commented Jun 26, 2021

@sleevi would you mind elaborating a bit more about the risks of the IP space? I'm trying to understand the difference between a self-service 1-2-3-4.tld and a $(curl https://nic.tld/api?ns=1.2.3.4).tld.

If I was to change the nom.gd to do a roundtrip like that, it would behave the same as .tk so I assume it's ok.

@sleevi
Copy link
Contributor

sleevi commented Jun 26, 2021

I’m not sure I understand your question? What are you trying to accomplish with the question? I realize this is a bit direct, but I’m just trying to make sure this isn’t a “We’d like you to justify the policy, so we can relitigate the policy,” because, frankly, we don’t want to waste time with these requests - or explaining them repeatedly 😅

It should be obvious that 1.2.3.4.TLD would be fundamentally insecure for things like document.domain and cookie separation. However, we’ve seen several requests that do exactly this. It’s no different than running an open proxy as www.google.com.myproxy.example, sure - an equally dumb and insecure idea.

1-2-3-4.myservice.example avoids that, but simply introduces a new problem: holder A gets a TLS cert for that, then holder B obtains the IP, but that host can be MITM’d by A for a year (and heaven forbid C gets that IP…). So that’s another bad idea.

We’ve seen a cluster of requests that try to use this approach as a means of bypassing CA’s rate limits. That’s a hard strike against.

You can address this need with myservice.TLD, with the third subordinate label being a unique user identifier (mitigating the cross-user attacks obtaining the same IP), and the fourth subordinate label being the IP. This is, fundamentally, what Plex does, and the eTLD+1 is always {user}.myservice.example

Anyways, like I said: part of the policy exists so we don’t have to continually spend time explaining or justifying, especially given that every request we’ve seen would introduce security risks to browser users (which is what motivated the original policy).

@sirdarckcat
Copy link
Contributor Author

sirdarckcat commented Jun 26, 2021

The reason I ask is because I would like to find a solution for #1241. I understood it's a bad idea to add every lab/test environment to the PSL, so I assumed #1272 would be generic enough (it's not just 1 time but rather a more generic service). It seemed like #1272 wasn't generic enough so that's why I proposed #1349 (this issue) which was even more generic, hopefully reducing the issues introduced by the filesize modesty concern.

However in addition if the file modesty concern, you pointed out that the proposal being discussed here is very similar to that explained in the guidelines as an anti-usecase for the PSL.

We do not accept entries for use as DNS wildcards, such that e.g. 1-2-3-4.foo.tld resolves as IP address 1.2.3.4. This basically projects the security properties of the IP address space onto the domain name space, and we don't feel that is safe.

The example works differently from what I would like to have (I'm thinking of NS/SOA rather than A records) but it's close enough that it seems it's also an anti-usecase of the PSL. However I would still like to find a solution that doesn't suffer from the downsides explained in the guidelines (in specific the concern about projecting the security properties of the IP space to the domain name space), so I was wondering what that meant to see if there was a solution to be found that didn't suffer from the same issues.

I think your latest response mostly answered that question. In that when someone is given an IP address it might come with its own set of potential issues (you don't know who owned that IP before you, and they might have backdoored your domain), which could be an issue also for the proposal here.

I don't think this issue is a proposal to change the policy though. It's been since the beginning (including the previous issues) as a discussion about how to find a solution for these constant requests that fit within the policy. In other words, I am trying to find a solution that helps the PSL maintainers stop having these constant discussions by rather than rejecting people that ask, instead offer them a solution that fulfills their goals and don't have the security or abuse issues that these services would otherwise introduce. That said, in order to accomplish that I would need to at least understand what those issues are.

I'm trying to help you all by exploring solutions to these problem, that I just happened to stumble on while working on a 20% project (https://github.com/google/kctf). I think the use case that triggered my original request could be resolved with a flag on browsers (as suggested above), but since I had some time this weekend I thought maybe I could first explore if there was a way to solve the issues presented by this path before exploring the browser flag option.

I understand that it's difficult to maintain critical parts of the web infrastructure like the PSL, and that having the same conversation every day is tiring, so I can understand why you wanted to ask the question on whether I was just here to make you change the policy, but in this case I was trying to understand it so I could propose something that fits the policy goals in practice (and in spirit) so you don't have to have the same discussion every day.

@sleevi
Copy link
Contributor

sleevi commented Jun 27, 2021

I mean, the flag is eminently preferable, especially because the use cases here remain unarticulated.

You seemed OK with the flag, and that’s why I was trying to understand why the new, non-flag exploration, since we’re still missing base use cases. I appreciate you trying to help, but I think for that to be useful, a more compelling explanation of why is needed.

@dnsguru
Copy link
Member

dnsguru commented Nov 15, 2022

There is an addendum / modification to RFC 6761 being discussed at the IETF which could define a bit more structure within special use domains which might lead to what was saught here.

@wdhdev
Copy link
Contributor

wdhdev commented Nov 29, 2024

@dnsguru Any updates on this issue? It seems the draft you sent has now expired. Would it be worth closing this issue as not planned?

@dnsguru
Copy link
Member

dnsguru commented Nov 29, 2024

Agree with closing

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
waiting-followup Blocked for need of follow-up
Projects
None yet
Development

Successfully merging a pull request may close this issue.

5 participants