[DNSOP] Re: Call for Adoption: draft-davies-internal-tld

John R Levine <johnl@taugh.com> Fri, 18 April 2025 21:44 UTC

Date: Fri, 18 Apr 2025 17:43:59 -0400
Message-ID: <38fda3ef-2135-8e37-8e54-f04d5987fbfa@taugh.com>
From: John R Levine <johnl@taugh.com>
To: Philip Homburg <pch-dnsop-6@u-1.phicoh.com>, dnsop@ietf.org
In-Reply-To: <m1u5sY5-0000MSC@stereo.hq.phicoh.net>
References: <m1u5h1G-0000LcC@stereo.hq.phicoh.net> <83666fd3-a51f-46e1-a5ac-0b9a46361480@desec.io> <20250418201613.D9204C53F937@ary.qy> <m1u5sY5-0000MSC@stereo.hq.phicoh.net>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-_L1mT2dCbqKHkARO-QfeBuqhMM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>

On Fri, 18 Apr 2025, Philip Homburg wrote:
>> If I were using .internal names, I would configure them in unbound
>> exactly the same way that I configure the rDNS for 192.168/16 and
>> .onion and the other zones it's preconfigured to serve. If you ask
>> for DNSSEC, it says it's unsigned.
>>
>> If someone is about to say but then if I do my own DNSSEC checks
>> in my end device it won't work.
>
> That's too simple. If you do your own DNSSEC checks and forward to a local
> recursor then home.arpa. will work because it is an insecure delegation.
>
> As it stands today, internal is not delegated so it only works on the
> recursor where internal is configured but not on any other DNSSEC validator.
>
> In my opinion, that's quite a big difference.

I use unbound, which by default serves empty stubs for all these zones,
along with the RFC1918 rDNS.  In practice it works fine.

    # By default, for a number of zones a small default 'nothing here'
    # reply is built-in.  Query traffic is thus blocked.  If you
    # wish to serve such zone you can unblock them by uncommenting one
    # of the nodefault statements below.
    # You may also have to use domain-insecure: zone to make DNSSEC work,
    # unless you have your own trust anchors for this zone.
    # local-zone: "localhost." nodefault
    # local-zone: "127.in-addr.arpa." nodefault
    # local-zone: "onion." nodefault
    # local-zone: "test." nodefault
    # local-zone: "invalid." nodefault

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
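The configuration the message describes, written out as an added example (it is not part of the message, nor taken from the unbound project's documentation). It serves a private "internal." zone from a local unbound recursor alongside the built-in RFC 1918 reverse zones; the host names and 192.168.1.x addresses are made up for the illustration. Because the root zone carries no delegation for "internal.", the recursor's own validator would otherwise have a signed NSEC proof that the name does not exist, which is what the domain-insecure line addresses.

```conf
# Added example unbound.conf fragment; names and addresses are invented.
server:
    # "internal." is not delegated in the root zone, so the root's NSEC
    # records prove it does not exist.  Without this line, this recursor's
    # own DNSSEC validator would refuse to hand out the local data below.
    domain-insecure: "internal."

    # Serve the zone from local data.  "static" answers NXDOMAIN for names
    # not listed here instead of recursing to the public root.
    local-zone: "internal." static
    local-data: "gw.internal.      IN A 192.168.1.1"
    local-data: "printer.internal. IN A 192.168.1.20"

    # The PTR records go into the built-in 168.192.in-addr.arpa zone that
    # unbound already serves as a 'nothing here' zone by default.
    local-data-ptr: "192.168.1.1  gw.internal"
    local-data-ptr: "192.168.1.20 printer.internal"
```

To check it from a client pointed at this recursor, `dig +dnssec printer.internal @127.0.0.1` should return NOERROR with the AD flag clear, and `unbound-host -v -D printer.internal` reports the answer as insecure rather than bogus. The caveat raised in the thread still applies: domain-insecure only affects the validator inside this recursor. A stub on an end device that validates against the root trust anchor itself and merely forwards to this recursor will still reject the answer, because from the root's point of view "internal." does not exist, whereas home.arpa. is an insecure delegation and validates as insecure on any validator.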