IETF Logo Mail Archive

Re: [DNSOP] Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard

Ted Lemon <ted.lemon@nominum.com> Tue, 14 July 2015 22:48 UTC

Return-Path: <Ted.Lemon@nominum.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B01091B2EF8 for <ietf@ietfa.amsl.com>; Tue, 14 Jul 2015 15:48:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v_Nr5eoCyzzB for <ietf@ietfa.amsl.com>; Tue, 14 Jul 2015 15:48:56 -0700 (PDT)
Received: from sjc1-mx02-inside.nominum.com (sjc1-mx02-inside.nominum.com [64.89.234.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC73D1B2EFA for <ietf@ietf.org>; Tue, 14 Jul 2015 15:48:56 -0700 (PDT)
Received: from webmail.nominum.com (cas-03.win.nominum.com [64.89.235.66]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (Client CN "mail.nominum.com", Issuer "Go Daddy Secure Certificate Authority - G2" (verified OK)) by sjc1-mx02-inside.nominum.com (Postfix) with ESMTPS id 803F7DA006F for <ietf@ietf.org>; Tue, 14 Jul 2015 22:48:56 +0000 (UTC)
Received: from [10.19.125.164] (50.242.119.237) by CAS-03.WIN.NOMINUM.COM (192.168.1.100) with Microsoft SMTP Server (TLS) id 14.3.224.2; Tue, 14 Jul 2015 15:48:56 -0700
Message-ID: <55A591D7.3040309@nominum.com>
Date: Tue, 14 Jul 2015 15:48:55 -0700
From: Ted Lemon <ted.lemon@nominum.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: ietf@ietf.org
Subject: Re: [DNSOP] Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard
References: <20150714192438.1138.96059.idtracker@ietfa.amsl.com>
In-Reply-To: <20150714192438.1138.96059.idtracker@ietfa.amsl.com>
Content-Type: multipart/alternative; boundary="------------060109040006040500020605"
X-Originating-IP: [50.242.119.237]
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/qmR4eRTwaXoeYTbnWZRE-Ixj_-w>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jul 2015 22:48:58 -0000

So having just said that we should avoid re-visiting the long layer 9 
discussion that occurred on dnsop, I do actually have a technical 
concern about the document that was just pointed out to me by a 
co-worker, and that was not actually discussed by the working group 
(although David Conrad did make a related suggestion).   There is text 
in the document that says this:

    4.  Caching DNS Servers: Caching servers SHOULD NOT attempt to look
        up records for .onion names.  They MUST generate NXDOMAIN for all
        such queries.

    5.  Authoritative DNS Servers: Authoritative servers MUST respond to
        queries for .onion with NXDOMAIN.

    6.  DNS Server Operators: Operators MUST NOT configure an
        authoritative DNS server to answer queries for .onion.  If they
        do so, client software is likely to ignore any results (see
        above).

    7.  DNS Registries/Registrars: Registrars MUST NOT register .onion
        names; all such requests MUST be denied.

The problem with this text is that it doesn't quite do what I think we 
want. What we want is for a device that (incorrectly!) does a query on a 
.onion name to get an NXDOMAIN.   If it does a DNSSEC query, we want it 
to be able to validate the NXDOMAIN.   I think that this is what we 
intended, but this text doesn't actually accomplish that.   What this 
text _does_ accomplish, which is also really important, is that it 
prevents queries from being sent, complete, all the way up to the root.

I think that we want to ask for the following:

1. The root is set up to return NXDOMAIN with authenticated denial of 
existence.
2. Authoritative DNS servers should refuse to respond to these queries 
if they aren't authoritative.  I don't think this needs to be said; if 
the server is authoritative for the root, it will respond with NXDOMAIN 
because the domain doesn't exist; if it's not authoritative for root, on 
what basis could it answer?
3. DNS caching servers should pre-load their cache with the NSEC records 
required to securely deny existence of .onion.
4. Operators should make sure their caching servers are set up this way.

I think all the SHOULDs and MUSTs are inappropriate.   We don't have the 
authority to tell the root operator what to put in the root zone, so 
this should say what we want, not say what the operator should do.   And 
these are things that DNS servers ought to do, but I don't think there 
is a protocol issue here, and I don't think we can do more than 
encourage people to do the right thing here.   In practice, what most 
protects end users is correct implementation on the host; once the query 
leaves the host the user's privacy has been violated; all that is left 
is to try to mitigate the thoroughness with which it has been violated.

v2.46.0 | Report a Bug | By Email | System Status