Re: [dbound] [art] [DNSOP] not DNAME, was Related Domains By DNS (RDBD) Draft

Samuel Weiler <> Fri, 08 March 2019 20:30 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id EF74F1312F5 for <>; Fri, 8 Mar 2019 12:30:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.234
X-Spam-Status: No, score=-1.234 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id aJl66iRlfFQF for <>; Fri, 8 Mar 2019 12:30:04 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id D820C1279A3 for <>; Fri, 8 Mar 2019 12:30:04 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTPSA id 07941CE820; Fri, 8 Mar 2019 20:30:04 +0000 (UTC)
Date: Fri, 8 Mar 2019 15:30:03 -0500 (EST)
From: Samuel Weiler <>
cc: Stephen Farrell <>
In-Reply-To: <>
Message-ID: <alpine.OSX.2.20.1903081516350.70761@macbook-air-8.local>
References: <20190227172143.10303200F57CE0@ary.local> <1FFA1977E97DE99C390869DA@PSB> <alpine.OSX.2.21.1902272038320.3336@ary.local> <49A2FC767B5A7146F39456B9@PSB> <>
User-Agent: Alpine 2.20 (OSX 67 2015-01-07)
MIME-Version: 1.0
Content-Type: multipart/mixed; BOUNDARY="0-2033760801-1552076279=:70761"
Content-ID: <alpine.OSX.2.20.1903081529540.70761@macbook-air-8.local>
Archived-At: <>
Subject: Re: [dbound] [art] [DNSOP] not DNAME, was Related Domains By DNS (RDBD) Draft
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS tree bounds <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 08 Mar 2019 20:30:12 -0000

On Fri, 1 Mar 2019, Suzanne Woolf wrote:

> My memories of DBOUND are not reliable but I do recall a distinct 
> sense that people thought they were talking about "the same thing" 
> and repeatedly discovering that maybe they weren’t.
> Accordingly, I’d like to see an example or two of how you’d expect 
> an application to use the kind of connection between domains 
> established by the RDBD mechanism.


Reading back through the end-of-DBOUND discussions from 2016, I'm 
having these same thoughts.

Digging into two details:

I don't understand the value added by publishing new keys - and 
signing with a new signature format - when there's no evident way to 
bootstrap trust in those keys.  Could you explain (again) the value 
being added?  (I see value from using DNSSEC, but if we insist on 
DNSSEC, we don't need these other pieces.)

The DBOUND problem statement draft covered a number of "use cases that 
seem intuitively similar [but] actually aren't" (quoting Suzanne). 
Even so, it made a general recommendation in the security 
considerations section: "In general, positive assertions about another 
name should never be accepted without querying the other name for 
agreement."  I'm surprised to not see that reflected in this draft. 
Indeed, the discussion here suggests that this is an explicit 
non-requirement.  So I want to know more about the use case(s) you're 
tackling and why checking the symmetry of assertions is not necessary.

-- Sam