Re: [DNSOP] DNSSEC, additional special names & draft-chapin-additional-reserved-tlds-00.txt

Mark Andrews <marka@isc.org> Thu, 27 February 2014 11:55 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A8071A018F for <dnsop@ietfa.amsl.com>; Thu, 27 Feb 2014 03:55:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level:
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wriQMFG_tZkP for <dnsop@ietfa.amsl.com>; Thu, 27 Feb 2014 03:55:39 -0800 (PST)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by ietfa.amsl.com (Postfix) with ESMTP id 6F3BC1A018D for <dnsop@ietf.org>; Thu, 27 Feb 2014 03:55:39 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) by mx.ams1.isc.org (Postfix) with ESMTP id 657F02383F7; Thu, 27 Feb 2014 11:55:22 +0000 (UTC) (envelope-from marka@isc.org)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id C0F2916005C; Thu, 27 Feb 2014 11:56:14 +0000 (UTC)
Received: from rock.dv.isc.org (c211-30-183-50.carlnfd1.nsw.optusnet.com.au [211.30.183.50]) by zmx1.isc.org (Postfix) with ESMTPSA id 91592160056; Thu, 27 Feb 2014 11:56:14 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id D4628107FA73; Thu, 27 Feb 2014 22:55:18 +1100 (EST)
To: Jim Reid <jim@rfc1035.com>
From: Mark Andrews <marka@isc.org>
References: <20140129055438.2402.qmail@joyce.lan> <97E20887-2B9C-4EAD-826B-043306605F88@fl1ger.de> <54BE75D7-E70B-46AB-93C1-042E655BB5E7@apple.com> <D0AC0015-63C3-4C03-A8D0-888C435D2775@virtualized.org> <20140226100311.E73CA1069B39@rock.dv.isc.org> <8FEAF0FC-2AC3-4F39-9825-7068AAA6E40D@hopcount.ca> <6F605B46-51AD-4A21-BA3E-5723AA843EC6@virtualized.org> <20140227021436.E957210702F7@rock.dv.isc.org> <7E284F2F-1A99-4E57-B7BD-46129AEDDD04@virtualized.org> <20140227074249.2972F107D273@rock.dv.isc.org> <B67B8708-66D9-4372-B3E4-58FBC3297E9D@rfc1035.com>
In-reply-to: Your message of "Thu, 27 Feb 2014 11:45:52 -0000." <B67B8708-66D9-4372-B3E4-58FBC3297E9D@rfc1035.com>
Date: Thu, 27 Feb 2014 22:55:18 +1100
Message-Id: <20140227115518.D4628107FA73@rock.dv.isc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/-e-3rURXnbFOF91CeGW53TTF7Ck
Cc: DNSOP WG <dnsop@ietf.org>, David Conrad <drc@virtualized.org>
Subject: Re: [DNSOP] DNSSEC, additional special names & draft-chapin-additional-reserved-tlds-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Feb 2014 11:55:41 -0000

In message <B67B8708-66D9-4372-B3E4-58FBC3297E9D@rfc1035.com>;, Jim Reid writes:
> On 27 Feb 2014, at 07:42, Mark Andrews <marka@isc.org>; wrote:
>
> > DNSSEC will eventually be on by default and squatting like this will
> have negative consequences.
>
> Er, no. Vendors who pluck domain names out of the ether and use them in
> their products will by definition not have the DNS clue required for
> deploying a viable DNSSEC. Besides, in the case of CPE, they won't even
> *need* DNSSEC because the offending domain names (router.home or
> whatever) get looked up on the internal net. Most likely those names will
> be used by web browsers that do not have a validating resolver and are
> already relying on the CPE for DNS. Those lookups will almost never go to
> the outside, far less validate a signed referral for .whatever from the
> root.

And the moment you have a validating brower / app they *will* break.

> > There may be a need for a reserved suffix.  It doesn't have to be
> > .HOME.  Rewarding bad behaviour leads to more bad behaviour.
>
> IMO, the draft aims to document existing bad behaviour and explains why
> people should stop doing those bad/stupid/wrong things. Or at least
> appreciate the consequences. This is a Good Thing. It might even mean
> fewer instances of bad behaviour in future. Whether of course the writers
> of CPE crapware will ever read this RFC, let alone act on it, is another
> matter. At least the IETF will have produced a useful document on the
> topic. Which is all it could do.
>
> BTW, the latest thinking (ie as of yesterday) from ICANN is .home will be
> reserved indefinitely:
> http://www.icann.org/en/news/public-comment/name-collision-26feb14-en.htm.
>  It doesn't matter now whether someone wants to call that "rewarding bad
> behaviour" or not. That train left the station a long, long time ago.
> [And I'm long past caring either way.] So it seems to me ICANN is
> acknowledging reality and taking prudent measures for overall security
> and stability of the DNS. Too much stuff is already (ab)using .home so
> this TLD can't go into the public root for the obvious reasons.

reserved indefinitely != insecurely delegated

10.in-addr.arpa is insecurely delegated deliberately to prevent DNSSEC
breakages.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org