[DNSOP] ALT-TLD and (insecure) delegations.
Warren Kumari <warren@kumari.net> Wed, 01 February 2017 20:29 UTC
From: Warren Kumari <warren@kumari.net>
Date: Wed, 01 Feb 2017 15:28:29 -0500
Message-ID: <CAHw9_i+8PA3FQx8FqW-xQ_96it7k-g5UrMB7fxARUi1gwQ++hw@mail.gmail.com>
To: dnsop <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/1farvzCj5SQMtiIDZj1MimHHC-4>
Subject: [DNSOP] ALT-TLD and (insecure) delegations.
Hi there all,

I have just posted a new version of alt-tld, which folds in a number of suggestions and comments from various people -- thank you for those. As the document was parked I held off making some of the larger edits; if you sent comments and I missed them, I apologize - please send them again (or point at them) and I'll try to address them.

The largest outstanding issue is what to do about DNSSEC -- this is (potentially) a problem for any / all 6761 type names. The root is signed, so if a query leaks into the DNS (as they will), an (unaware) validating resolver will try to resolve it, and will expect either a signed answer, or proof of an insecure delegation; without this things will look bogus, and so resolvers will SERVFAIL.

Clearly, a signed answer isn't feasible, so that leaves 2 options -
1: simply note that validation will fail, and that SERVFAIL will be returned in many cases (to me this seems "correct"), or
2: request that the IANA insert an insecure delegation in the root, pointing to a: AS112 or b: an empty zone on the root or c: something similar.

This is a fine thing to request in an IANA Considerations section, but isn't necessarily *useful* -- the IANA has the technical ability to add stuff to the root zone, but not the mandate (this is like walking into a bank and requesting the teller give you a bunch of money - they may be able to do so, but aren't actually allowed to.. :-)).

Some people have suggested "Well, we (or the IAB) can just ask ICANN politely to add this, they are in charge of the DNS root, they'll help out, no worries...."

Unfortunately, this is only partly accurate -- adding an (insecure) delegation to the root would make .alt be a "real" TLD. ICANN is just an organization, they are driven by a multistakeholder[0] process, and there is a huge amount of process and similar around creating a new TLD -- go read the 300+ page gTLD Applicant Guidebook (Version 2012-06-04) for a fun taste of this.

This would likely require convincing "the naming community" that, for some reason, the IETF is special and should get a "free"[1] TLD, and that it is exempt from, well, basically all of the existing requirements.....

I'd started putting some strawman text into the draft[2], so that we could have something concrete to discuss and poke holes in, but ripped it out because it was clearly not going to fly / pure fiction...

So, what do we want to do here? This is a WG document, the authors will (of course) do whatever the WG wants, but my personal view is that asking for an insecure delegation, while technically superior, is simply not realistic.

This discussion is somewhat about .alt, but other special use names will likely have the same issues and concerns, and so we should consider this in the larger context. For example, homenet already has had some of this discussion -- see:
https://mailarchive.ietf.org/arch/search/?email_list=homenet&q=+On+the+TLD+question+and+validatably-insecure+delegation

W

[0]: By law, all mentions of ICANN require the use of the word "multistakeholder"....Hey, this is no more crazy than some of the other new rules....

[1]: Yeah, 'tis not a usable TLD in that you cannot sell names and have them work in the DNS, but this is fairly subtle...

[2]:
------------------
[ Editor note: This section is a strawman (and so is more conversational than expected for the final version) -- it is likely to change significantly, or more likely, be removed entirely. ]

The point of adding this entry to the "Special-Use Domain Name" registry is to create a namespace which can be used for alternate resolution contexts, and which will not collide with entries in the IANA DNS root. Unfortunately, queries will still leak into the DNS, and, as the DNS root zone is signed, validating resolvers which are unaware of .alt will attempt to DNSSEC validate responses. If there is not an insecure delegation for .alt, DNSSEC validation will fail, and validating resolvers will return SERVFAIL, causing additional lookups or other unexpected behavior. In order to avoid this, the IANA is requested to add an insecure delegation to the root-zone, delegating .alt to AS112 nameservers (or to an empty zone hosted by the root).
------------------

--
I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
   ---maf
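The outcomes the message lists for a query that leaks to the signed root (a signed answer, proof of an insecure delegation, or "bogus" and SERVFAIL), worked as an added example that is not part of Warren's message or of the alt-tld draft: a small classifier of what a validator concludes from the NSEC records in a root response for a name such as "alt.". It assumes the RRSIGs over those NSEC records have already been verified (signature checking is out of scope) and ignores wildcard proofs; the NSEC chains it uses are constructed snapshots, with neighbouring labels chosen only to bracket "alt." in canonical order, not live root data.

```python
"""Classify what a DNSSEC validator concludes from the NSEC records in a
root-zone response for a single-label name such as "alt.".

Added example; it is not code from the message or the alt-tld draft. It
assumes the RRSIGs over the NSEC records are already verified and ignores
wildcard (closest-encloser) proofs, so it covers only the cases the message
discusses: a signed denial of existence, an insecure delegation (an NSEC at
the delegation point with NS set and DS absent), or nothing usable (bogus).
"""

from typing import Sequence, Tuple

# (owner, next_owner, types): the three fields of an NSEC RR that matter here.
NSEC = Tuple[str, str, Sequence[str]]

SECURE_NXDOMAIN = "secure_nxdomain"          # signed proof the name does not exist
INSECURE_DELEGATION = "insecure_delegation"  # NS without DS: validation stops below it
SECURE_DELEGATION = "secure_delegation"      # DS present: validator keeps validating in the child
SECURE_NODATA = "secure_nodata"              # name exists, is not a delegation, lacks the type
BOGUS = "bogus"                              # no acceptable proof -> resolver answers SERVFAIL


def canonical_key(name: str) -> tuple:
    """Sort key implementing RFC 4034 section 6.1 canonical DNS name order:
    labels compared right to left, case-insensitively, as unsigned bytes,
    with an ancestor (shorter tuple) sorting before its descendants."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def nsec_covers(owner: str, next_owner: str, qname: str) -> bool:
    """True if qname falls strictly between owner and next_owner, honouring the
    wrap-around of the last NSEC in a zone (whose next_owner is the zone apex)."""
    o, n, q = canonical_key(owner), canonical_key(next_owner), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC in the chain wraps to the apex


def classify(qname: str, nsecs: Sequence[NSEC]) -> str:
    """Return what the validator concludes about qname from the given NSECs."""
    for owner, next_owner, types in nsecs:
        bitmap = {t.upper() for t in types}
        if canonical_key(owner) == canonical_key(qname):
            # The name exists; the type bitmap says what kind of node it is.
            if "NS" in bitmap and "DS" not in bitmap:
                return INSECURE_DELEGATION
            if "DS" in bitmap:
                return SECURE_DELEGATION
            return SECURE_NODATA
        if nsec_covers(owner, next_owner, qname):
            return SECURE_NXDOMAIN
    return BOGUS


# Constructed NSEC snapshots (not live root data); the neighbouring labels
# were chosen only so that "alt." sorts between them.
ROOT_WITHOUT_ALT = [
    ("alstom.", "amazon.", ["NS", "DS", "RRSIG", "NSEC"]),  # covers "alt."
    ("zw.", ".", ["NS", "DS", "RRSIG", "NSEC"]),            # last NSEC, wraps to apex
]
ROOT_WITH_INSECURE_ALT = [
    ("alstom.", "alt.", ["NS", "DS", "RRSIG", "NSEC"]),
    ("alt.", "amazon.", ["NS", "RRSIG", "NSEC"]),  # NS but no DS: insecure delegation
]


if __name__ == "__main__":
    for label, chain in (("no .alt in the root", ROOT_WITHOUT_ALT),
                         ("insecure .alt delegation", ROOT_WITH_INSECURE_ALT),
                         ("no usable NSEC returned", [])):
        print(f"{label:26s} -> {classify('alt.', chain)}")
```

The first chain is what a validator needs for a clean, signed denial; the second is the "validatably-insecure delegation" the strawman text asks IANA for; an empty or non-covering set of NSECs is the case in which nothing can be proven and the resolver falls back to SERVFAIL. To compare against the real root, look at the AUTHORITY section of `dig +dnssec alt. @a.root-servers.net` and feed its NSEC owner/next pairs to `classify`.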