IETF Logo Mail Archive

Re: [dbound] DBOUND - updated use cases?

Andrew Sullivan <ajs@anvilwalrusden.com> Thu, 29 September 2022 14:56 UTC

Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: dbound@ietfa.amsl.com
Delivered-To: dbound@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 119CDC1522C9 for <dbound@ietfa.amsl.com>; Thu, 29 Sep 2022 07:56:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=yitter.info header.b=QkouEOCB; dkim=pass (1024-bit key) header.d=yitter.info header.b=CcBo9Wl6
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VHUwEyKzMadx for <dbound@ietfa.amsl.com>; Thu, 29 Sep 2022 07:56:42 -0700 (PDT)
Received: from mx5.yitter.info (mx5.yitter.info [159.203.31.152]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8F7AC1522DB for <dbound@ietf.org>; Thu, 29 Sep 2022 07:56:41 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mx5.yitter.info (Postfix) with ESMTP id 977ACBD5C6 for <dbound@ietf.org>; Thu, 29 Sep 2022 14:56:38 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yitter.info; s=default; t=1664463398; bh=yzr+u43HnbsLHHutsP8So1GWqsBHUQC9DkI3/fIlaRM=; h=Date:From:To:Subject:References:In-Reply-To:From; b=QkouEOCBAT4ww+wnf2S2fthk+wssLg262zTMnKLV5W01wl9fuCSv1FKsCiS0zbgts 7djWTMwl1m+f0omr/4gAXPjDMFzK14GREIwDGphxU/OeZM4z83O/RAnzfjQMg0VkBa jB5hBVNzV3PbMs5rNS/J2nBnyB9PB9ax69RYROvQ=
X-Virus-Scanned: Debian amavisd-new at crankycanuck.ca
Received: from mx5.yitter.info ([127.0.0.1]) by localhost (mx5.yitter.info [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h57ADzEYBEyK for <dbound@ietf.org>; Thu, 29 Sep 2022 14:56:37 +0000 (UTC)
Date: Thu, 29 Sep 2022 10:56:35 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yitter.info; s=default; t=1664463397; bh=yzr+u43HnbsLHHutsP8So1GWqsBHUQC9DkI3/fIlaRM=; h=Date:From:To:Subject:References:In-Reply-To:From; b=CcBo9Wl6kxxH6DRYq3gu8Mi3UW/lWRbBiLlIW9TmuU3Oi4Lzb3QPOvudOyfZpZ38C HHwrOy7B1rZqgclIq+nxTPgJ2RpbCYatMV8LO7ahv2tW/rbmodVh8xkLvA3HvXmJNu YqWkdn3Qv3Apnbuy3XC63D4K7T0G8HODVQojfHXo=
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dbound@ietf.org
Message-ID: <20220929145635.ojb4gplm4bqbqdcu@crankycanuck.ca>
Mail-Followup-To: dbound@ietf.org
References: <bd3a32cb-dd41-b195-e46d-419611000ceb@amazon.com> <99bc93ec-9be6-7abb-90c0-01f0d59c4aeb@amazon.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <99bc93ec-9be6-7abb-90c0-01f0d59c4aeb@amazon.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dbound/eLhUClmLAeTe0n0V5S5V1ZjdcUw>
Subject: Re: [dbound] DBOUND - updated use cases?
X-BeenThere: dbound@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DNS tree bounds <dbound.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dbound>, <mailto:dbound-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dbound/>
List-Post: <mailto:dbound@ietf.org>
List-Help: <mailto:dbound-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dbound>, <mailto:dbound-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Sep 2022 14:56:50 -0000

Hi,

Usual disclaimer: I work for the Internet Society, but I am not speaking for them.

On Wed, Sep 28, 2022 at 12:36:12PM -0700, Ian Williams wrote:

>1) We have a large number of boundaries we'd need to publish. Taking an
>example resource within an example service, that resource might have a
>domain name that follows the below pattern (2LD may vary)
[…]
>This puts an immense strain on
>the PSL - both on the size of the list itself, and the humans that help
>maintain the list for the internet community

This was one of the central problems I was trying to solve in several different proposals I made related to this topic prior even to DBOUND being formed.  My view at the end of DBOUND was that the things that had interested me in the first place had been completely swamped by a mail antiabuse issue that arose from the peculiar ways that mail antiabuse had itself mischaracterized the functioning if the domain name system.  (To be clear, that isn't to cast aspersions.  There might have been no other answer.  Regardless, the ones deployed are the ones we have.)  

>2) We have suffixes that are public, but not routable or resolvable
>outside of our network (public-like-PSL, not public-like-pool).
[…]

>For customers that have chosen to peer their VPC with another customer,
>this VPC-internal zone would now have multiple different customers
>operating within it. We'd like to prevent any inferred-level of trust
>(when it comes to things like cookies/CORS policies) between DNS names
>in this zone.

This was _also_ a problem I was aiming to address with the various proposals.  There were really two different issues for me.  One was this sort of "trust from domain boundary" problem that tended to arise for my then-employer (Dyn) in the various public zones it operated.  But the other was the imposition of various "trust policies" by parent zones due to policies that might come from registry operators.  I first started thinking about this in the context of the root expansion, and it was obvious that some registries were going to have expensive white elephants with a trapped community of registrant customers.  I was afraid of the potential for people who didn't understand the DNS announcing policy "in their domain" that didn't actually work as described, and I wanted it to be possible for someone to do a lookup to understand whether the child side was in fact also implementing some policy the parent asserted.

Note that this desire is in direct conflict with most of the antispam needs, where the parent needs to be able to _assert_ that child domains comply or else are not registered.

>3) We operate a DNS management service used by our customers (Amazon
>Route 53). In the auspices of the PSL, this would be considered as
>just-another-DNS-service - there are plenty of other DNS management
>services in existence, and we're likely all in the same pool here.

Yeah, these get listed (it seems on an _ad hoc_ basis) in the existing PSLs, but there's not even a way to do the discovery.  Again, a use case I had while working for Dyn.

>4) Registry operators and/or DNS application developers may have a
>desire to handle eTLDs/suffixes differently at runtime. This may be to
>prevent human error in their service, and/or mitigate abuse or misuse
>of their service. AWS is one such entity; we have applications which
>currently check the PSL at runtime to prevent inappropriate ownership
>claims about high value public suffixes or eTLDs.

I always thought that this use was a case of the tool you have, rather than the tool you need.  What I thought necessary in the proposals I made was to be able to model the boundary of administrative policy, which is why I called the record I proposed SOPA (Start Of Policy Authority, riffing off Start Of Authority).  The reason I wanted it to be possible on both sides of the "policy cut" was because I was trying to address what I regard as a lacuna in the way zone cuts worked in the DNS traditionally: it would be nice to be able to find it no matter which way you encounter it.

I hope these observations are useful.

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com

v2.23.0 | Report a Bug | By Email