Re: [DNSOP] I-D Action: draft-ietf-dnsop-alt-tld-12.txt

[Christian Huitema <huitema@huitema.net>]

On 8/25/2019 9:21 AM, Paul Wouters wrote:
>
>
> On Fri, 23 Aug 2019 at 14:18, <internet-drafts@ietf.org> wrote:
>
>>       A New Internet-Draft is available from the on-line
>> Internet-Drafts directories.
>>       This draft is a work item of the Domain Name System Operations
>> WG of the IETF.
>>
>>               Title           : The ALT Special Use Top Level Domain
>>               Authors         : Warren Kumari
>>                                 Andrew Sullivan
>>               Filename        : draft-ietf-dnsop-alt-tld-12.txt
>>               Pages           : 11
>>               Date            : 2019-08-23
>
> I am not a big fan, and I don't think many alternative projects will
> pick .alt even if just for cosmetic reasons, but I don't have any
> reason to object either. It's cheap and if it remains unused, that
> is okay.
>
> And one advantage is that if people want to claim a TLD, we can point
> them to .alt, so it should decrease the pressure on using RFC 6761 which
> will prevent more bureaucratic time used up in dnsop meetings.

The expected advantage is that any resolver could respond to a DNS query
for names under .alt with an NX domain error code, unless they have
specific code to handle the 2LD under .alt. This provides a semantic of
"won't leak by default", which is nice. This is reasonably well
explained in section 3.1, and is indeed a significant difference from
constructs like ".home.arpa", in which the name leaks by default unless
the resolver has special knowledge of the 2LD.

On the other hand, resolvers should by now have implemented a filter for
".local" similar from the one planned for ".alt". Yet leaked requests
for names in ".local" represent over 3% of requests sent to the root, so
there are clearly a bunch of resolvers out there that did not bother
with RFC 6761. I would not bet that these same resolvers would program
anything special for .alt.

>
> Has Issues:
>
> I think the document is contradicting and not clear at all on what to do
> with queries. It mixes up "should not be resolved" with "should not be
> handled specially" based on some assumed difference of stub resolver and
> resolver and Caching Server. On top of that, a stub resolver and caching
> server are likely to use the same underlying library calls, so asking
> for different behaviour is unrealistic for implementors.
>
> It would also be good to stick to the DNS Terminology, which I think it
> does not do with the list of different players in the resolving chain.
>
>
>
>     Writers of name resolution APIs and libraries which operate in
>     the DNS context should not attempt to look these names up in the
>     DNS.
>
> vs:
>
>     Caching DNS servers SHOULD NOT recognize these names as special
>
> These two cannot both be true. The latter is also really false since the
> ..alt is marked as Special Domain, so caching resolvers _should_
> handle it
> specially.

+1

I find it rather confusing that the advice to implementers is in the
IANA section.

I understand that RFC 6761 prescribes a checklist, but I would rather
see a "deployment considerations" section of its own, and then quote
that section from the RFC 6761 checklist.

The deployment section should basically say something like "DNS Servers
MUST recognize the .alt names as special and reply to any request with a
No Such Domain error." This has two rationales:

- It ensures that requests that are meant to be private to a specific
domain cannot be observed on the global Internet, which is good for privacy.

- It ensures that requests that are meant for a different resolution
method do not create extra load for DNS servers after the first
resolver, which reduces operation overhead.

It is pretty clear that not all servers will be updated overnight. By
default, the requests will progress all the way to the root, which will
issue an NX Domain response, just like it does for requests to .local or
.home today. If recursive resolvers cache the negative responses, they
will end up with an "almost correct" behavior.

The main point of contention is probably DNSSEC. Recursive resolvers
that recognize ".alt" as special can issue an NX Domain response, but
secure denial requires caching a negative response signed by the root.
What if the client requires DNSSEC? Should there be some guidance in the
deployment considerations?

>
> Likely the best advise to implementors is to use a Query Minimization
> based answer of the non-existence of .alt that prevents further leakage
> of the specific name within .alt that was used. I would like to see this
> very prominently stated instead of the scattered bullet list on what to
> do.
>
>     Authoritative DNS servers SHOULD NOT recognize these names as
>     special
>
> Why not? I think they should refuse to load any .alt zones. It is
> supposed to be Special Use for non-DNS protocols. Why let it be abused
> as "real" DNS zones? Do we want to support "almost DNS like" protocols
> that would re-use authoritative DNS server code? That seems very
> dangerous.

Yes. Authoritative servers should never load anything in the .alt zone,
period. Specifically, root servers should not have any entry for .alt,
ensuring that any request generates an error response. That should be
explained in a well formed deployment consideration section.

-- Christian Huitema