Re: [DNSOP] ALT-TLD and (insecure) delgations.

Mark Andrews <marka@isc.org> Fri, 03 February 2017 22:19 UTC

To: Ted Lemon <mellon@fugue.com>
From: Mark Andrews <marka@isc.org>
References: <CAH1iCiqXohb_7LsQ2EMo8ZB-t20mKq_nUDS8vebhtSXoM13DTg@mail.gmail.com> <20170203210922.7286C618213C@rock.dv.isc.org> <9B6211A9-20B5-4B15-A8FD-A1390DAD76AE@fugue.com>
In-reply-to: Your message of "Fri, 03 Feb 2017 16:34:21 -0500." <9B6211A9-20B5-4B15-A8FD-A1390DAD76AE@fugue.com>
Date: Sat, 04 Feb 2017 09:19:28 +1100
Message-Id: <20170203221928.5CC986188E8D@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/0Bw-ThUjy7hUdPmD5XeKXdwpHg8>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, Brian Dickson <brian.peter.dickson@gmail.com>
Subject: Re: [DNSOP] ALT-TLD and (insecure) delgations.

In message <9B6211A9-20B5-4B15-A8FD-A1390DAD76AE@fugue.com>, Ted Lemon writes:
>
> On Feb 3, 2017, at 4:09 PM, Mark Andrews <marka@isc.org> wrote:
> > You need an insecure delegation for ALT for the purposes we want to
> > use ALT for.
>
> I don't think there's consensus on what we want to use ALT for.   I see
> Ralph arguing that ALT is never used to resolve things using the DNS
> protocol, and I see you saying that that's one of the uses we have in
> mind.   We need to figure out which of these we are actually trying to do.

I think there is a consensus for a play space.  I think there is
consensus on there not being any delegations under this play space
with iterating down from the root.  I think there is consensus that
leaked queries of the form foo.alt should be getting NXDOMAIN
responses from a recursive server which would otherwise be iterating
down from the root for this namespace.

> If you are right, we need an insecure delegation in the root, and ALT
> queries will by default be answered using DNS (in the sense that existing
> resolvers have no special-case handling for ALT).   If Ralph is right,
> you can still use the DNS protocol to resolve names in .ALT, but you have
> to use a specially modified resolver to do it: one that ignores the
> secure denial of existence from the root.

So you want to ban BYOD from the solution space?  Remember adding
an alt zone to a recursive server is modifying the resolver.  It is
changing its observed behaviour.  It isn't code but it is a
modification.

Why does this working group feel the need to add extra proscriptions
on how this play space is to be used?

I've been arguing for the broadest solution space.  It's also the
simplest.  An insecure delegation for ALT.  It is also the easiest
one for recursive servers which are iterating from the root that
are not participating in the experiment to filter leaked queries
with.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org