Re: [dbound] The proposals before us

Casey Deccio <casey@deccio.net> Mon, 12 September 2016 11:40 UTC

From: Casey Deccio <casey@deccio.net>
To: John R Levine <johnl@taugh.com>
Cc: dbound@ietf.org
Date: Mon, 12 Sep 2016 07:40:15 -0400
In-Reply-To: <alpine.OSX.2.11.1609102313420.53927@ary.lan>
Message-Id: <DBEFC5F6-E81A-46D9-AFF2-7FB970EB69DB@deccio.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dbound/QCv5XgNyhxjpuRteEWX8P2ANjlk>

> On Sep 10, 2016, at 11:44 PM, John R Levine <johnl@taugh.com> wrote:
> 
>> The pertinent information was included in the text that immediately followed the snippet that you included above.  Since it was omitted, I'll include it again here (some emphasis added):
> 
> I have a problem, in that I have read this document multiple times and have no clue what the actual series of queries and responses would be, given the complexity of the lookup algorithm and the situation where some subtrees can be cached via a fetch result. It'd be a big help if you could give some examples.

Sure.  Please see Section 6, "Examples":

https://tools.ietf.org/html/draft-deccio-dbound-organizational-domain-policy-03#section-6

Table 1 has all the ODUP-related DNS entries.  Figure 1 shows a representation of the affected namespace tree in question.  Figure 2 shows all the queries and responses to ODUP-resolve each and every name in the tree, as well as the rule in the algorithm corresponding to each response.  Table 3 shows the resolution result.

If you have some local data via fetch, then it's simply as if you didn't have to perform those DNS lookups.  For example, if I have fetched "_odup.uk", then anything under "_odup.uk" doesn't need to be looked up in the DNS.  That includes: a._odup.uk, g.co._odup.uk, and _odup.uk, for example.

> 
> Could you tell us what the queries would be for abc.def.com if the org
> domain is def.com

See example for: b.a.uk

> , or for ghi.blogspot.com, where the org domain is
> ghi.blogspot.com

See example for: c.b.a.uk
(not an exact match, but it's close enough)

> jkl.mno.uk and jkl.mno.co.uk, where the org domains
> are mno.uk and mno.co.uk?

See the examples for b.a.uk and g.co.uk.

>  That would certainly clarify things for me.

Hope that helps.

>>> The current behavior is typically to look in the PSL and if the domain
>>> isn't there, the code does whatever it does. ...
> 
>> The algorithms on the Public Suffix List page [2] and in section 3.2 of RFC 7489 [3] seem pretty clear.  The algorithm is longest match--there really isn't a notion of "if the domain isn't there".
> 
> Let's say you're looking up the domain bulgaria.xn--90ae.  That's a
> name in a real TLD, and the TLD doesn't appear in the PSL.  What does
> the code do now?  Looking at some of the PSL libraries, the results
> look pretty random.  Some raise exceptions, some fall off the ends of
> routines and return null or a random result.

Fair enough.  Admittedly, the principles behind the current PSL are actually more robust than the current algorithm, data, and implementations.  In theory, given a perfectly complete and accurate PSL, if there's no match, the "public suffix" is the root, which makes the organizational domain the TLD.  In the past this doesn't necessarily make sense, particularly for the cases for which the PSL was originally designed.  However, TLDs aren't what they used to be.  It is clear that many are not intended for general registration, and the TLD itself very well could be the organizational domain.

Casey
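As an added illustration (not code from the thread or from any PSL library), here is the longest-match public suffix lookup the discussion refers to, run over a constructed sample rule list. It covers wildcard and exception rules and the no-match case Casey describes, where the TLD itself is treated as the organizational domain; the rules and the names in the test are constructed.

```python
# Added example (constructed rules, not the real PSL): longest-match lookup.
CONSTRUCTED_PSL = """
com
uk
co.uk
blogspot.com
*.ck
!www.ck
"""

def parse_psl(text):
    """Return rule lines, dropping blanks and // comments."""
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("//")]

def rule_matches(rule, labels):
    """Rule labels must equal the domain's rightmost labels; '*' matches one label."""
    rlabels = rule.lstrip("!").split(".")
    if len(rlabels) > len(labels):
        return False
    return all(r == "*" or r == d
               for r, d in zip(reversed(rlabels), reversed(labels)))

def public_suffix(domain, rules):
    """Longest match; an exception rule beats the rest. None if nothing matches."""
    labels = domain.lower().rstrip(".").split(".")
    matches = [r for r in rules if rule_matches(r, labels)]
    if not matches:
        return None
    exceptions = [r for r in matches if r.startswith("!")]
    if exceptions:
        n = exceptions[0].count(".")  # exception: drop its leftmost label
    else:
        n = max(r.count(".") for r in matches) + 1
    return ".".join(labels[len(labels) - n:])

def organizational_domain(domain, rules):
    """Public suffix plus one label.  With no match at all, fall back to the
    TLD as the message describes (the published PSL algorithm would instead
    apply a default '*' rule and return TLD+1)."""
    labels = domain.lower().rstrip(".").split(".")
    suffix = public_suffix(domain, rules)
    if suffix is None:
        return labels[-1]
    n = suffix.count(".") + 1
    if n >= len(labels):
        return None  # the name is itself a public suffix
    return ".".join(labels[len(labels) - n - 1:])
```

A library that instead raises or returns null on the no-match path is exactly the inconsistency John points out; whichever policy is chosen, it should be explicit, as in the `suffix is None` branch here.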