IETF Logo Mail Archive

[DNSOP] Re: [Ext] Re: what problem are we trying to solve, was Call for Adoption: draft-davies-internal-tld

Mark Andrews <marka@isc.org> Tue, 17 June 2025 23:04 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id CDEF836363A7 for <dnsop@mail2.ietf.org>; Tue, 17 Jun 2025 16:04:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.399
X-Spam-Level:
X-Spam-Status: No, score=-4.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="hmwrBosi"; dkim=pass (1024-bit key) header.d=isc.org header.b="XLTjgrbK"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yvdGLshIW6UU for <dnsop@mail2.ietf.org>; Tue, 17 Jun 2025 16:04:09 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.2.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id A62C036363A0 for <dnsop@ietf.org>; Tue, 17 Jun 2025 16:04:09 -0700 (PDT)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.2.31]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 8F5473AB39D; Tue, 17 Jun 2025 23:04:08 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org 8F5473AB39D
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.2.31
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1750201448; cv=none; b=fGQ2kmKa0ZUF6CXR7/4WOxknE+bhsVdK7d4IBgZkO/A2bghdPpV+DCX/fuJDtoDq1RoXDU7oxeCKhOBku52nzVxoNrb3t9/SQlXKmlUrKgEOLc9hr//Cg57nmKNVqJ0t1P8tqGASLf/hJbbbz2pW16cM9I/p+Mo4aWbVjDpwN5Q=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1750201448; c=relaxed/relaxed; bh=gPQJKdUuca26t2rYP3R3qoAKwO9nWK9WNu0IkvovYXs=; h=DKIM-Signature:DKIM-Signature:Mime-Version:Subject:From:Date: Message-Id:To; b=rcha/mmilRmyNfo5Lm4EsUMIlHFCENA6IE4zEo3fXGpciDfxUvXR1YsBUq/x1Y9fNPMH7dCdxQ8oRPoD0ML/mfp/daETGM7rXtqORaGB4Bq1RQnReTAGAI0EVP3dK8kxxU1ON98mb+KyUatv22NHdJpCE5H6m9/NttQumZNgWrU=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org 8F5473AB39D
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1750201448; bh=vrn6f9c9Fi0umEjHWU4yVv1Z0W6hI1I9FP2OGMQKCgM=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=hmwrBosi3xsqAFWBH1OVMcKs8oP7jZtfnD9MZjO39xqHt7Gd2t8kTpa37QcAIOIxh g9uyRiC0rcH8XDc/ElQYdW7SYezfVVxs/ynB+0pHrlRuS7oRPZMF2qI/22ohS0zvWI Srgvg5fLBQEbl7NVR/r9f86j0SGcrs3q3k1AXlS8=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id BBA32A6A613; Tue, 17 Jun 2025 23:04:10 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 94016A6A790; Tue, 17 Jun 2025 23:04:10 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 94016A6A790
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1750201450; bh=gPQJKdUuca26t2rYP3R3qoAKwO9nWK9WNu0IkvovYXs=; h=Mime-Version:From:Date:Message-Id:To; b=XLTjgrbKSh1WoQm5GdrDd05Uax46trOA6mvx+6GdiU9J065OnHnhYItCmxdy/Xvxz 583sdpHeb6Ze4axvURjJRoI4gQakkBjm1dapKIjZrcocoQotJyefQs7Kyz0cTookbT EQ9Xk5pFMFiJhmcOvkX17rN9aueFJ+3l21k5tEuk=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavis, port 10026) with ESMTP id Jly8uYVPQ85d; Tue, 17 Jun 2025 23:04:10 +0000 (UTC)
Received: from smtpclient.apple (n49-187-18-238.bla1.nsw.optusnet.com.au [49.187.18.238]) by zimbrang.isc.org (Postfix) with ESMTPSA id B86B3A6A613; Tue, 17 Jun 2025 23:04:09 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6.1.11\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <0d090f95-cf5f-3552-84f6-c475d039c229@taugh.com>
Date: Wed, 18 Jun 2025 09:03:53 +1000
Content-Transfer-Encoding: quoted-printable
Message-Id: <A2BDFB87-0C2A-4096-9D1C-9436490C4ADF@isc.org>
References: <20250617171743.87B03CE96906@ary.qy> <DF7161E9-F4CE-42AE-A449-A65A8819B410@isc.org> <0d090f95-cf5f-3552-84f6-c475d039c229@taugh.com>
To: "John R. Levine" <johnl@taugh.com>
X-Mailer: Apple Mail (2.3731.700.6.1.11)
Message-ID-Hash: QIP2JFMCOKRD565HPVMSWZAGFMOZ4NAD
X-Message-ID-Hash: QIP2JFMCOKRD565HPVMSWZAGFMOZ4NAD
X-MailFrom: marka@isc.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: [Ext] Re: what problem are we trying to solve, was Call for Adoption: draft-davies-internal-tld
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/1_w5U2TF887mDPhKomJEOammGS4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>


> On 18 Jun 2025, at 07:08, John R Levine <johnl@taugh.com> wrote:
> 
> On Wed, 18 Jun 2025, Mark Andrews wrote:
>> And if the stubs are validating then the answer for 10.in-addr.arpa DS is a provable NOERROR NODATA response that says there is a delegation at that point in the tree.  That validator does NOT need to be configured to say ‘DO NOT VALIDATE THIS NAMESPACE’.
> 
> We're going in circles here.

I'll answer your straw man John

> IF you have a validating stub resolver

They exist in many OS’s. systemd for Linux is one you may have heard of?

> AND it gets all of its data from the local cache

thats the definition of stub resolver behaviour

> AND even so it doesn't believe the cache's AD flag

nothing should believe the AD flag which is why there are validating stub resolvers

> AND you have some locally served zones

there are lots of these in the reverse name space which are insecure delegated from the public namespace.  For the forward namespace we really only have HOME.ARPA as a shared namespace and that is insecurely delegated.

> AND none of those zones are a TLD you picked yourself before .INTERNAL was reserved AND even though you're sophisticated enough to do stub resolution you don't configure local trust anchors THEN yes, the opt-outs are helpful.

We stub validation isn’t very sophisticated they are millions of machines doing it without their operators even knowing they are doing it as it is on by default.

As for trust anchors if you have a SHARED namespace you can’t preconfigure trust anchors for it because IT IS SHARED so the trust anchors DIFFER between sites for the same names.  We are talking about MOBILE devices. Additionally so called “negative trust anchors” don’t formally exist and if they existed there is no possible secure protocol to distribute them at attachment time.

What we have here is ICANN saying we have this SHARED namespace for you to use and every other share namespace in the DNS is supposed to have insecure delegations and a few people saying the root zone is "SO SPECIAL" that it can’t be done there.

> On the other hand, if you think that's a rather narrow scenario and most systems aren't quite like that, not so much.
> 
> Like I said, I don't see us coming to agreement any time soon.
> 
> Regards,
> John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail. https://jl.ly

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.31.3 | Report a Bug | By Email | System Status