Re: [DNSOP] ALT-TLD and (insecure) delgations.
Brian Dickson <brian.peter.dickson@gmail.com> Tue, 07 February 2017 07:08 UTC
The suggestion of DNAME to empty.as112.arpa involves some subtle details, which IMHO may in combination be the right mix here.

The DNAME target is an insecure empty zone. This avoids the validation issue, and facilitates use of local "alt" namespaces. The default response to queries under alt would be unsigned NXDOMAINs.

I am not seeing a problem with this. Am I missing anything?

Brian

Sent from my iPhone

> On Feb 6, 2017, at 10:31 PM, Mark Andrews <marka@isc.org> wrote:
>
> In message <3581BE55-B178-4298-8EE8-73FD16B4216D@gmail.com>, Brian Dickson writes:
>> Mark,
>>
>> I don't think the use cases for most of the sandbox involving alt, and/or
>> the homenet use case, requires support for validating stubs. If stubs
>> aren't already validating, the incremental addition of a local alt, only
>> requires distribution of the trust anchor to the resolvers. That is a
>> solvable problem for most values of "local".
>
> It's not just stubs.
>
>> If use cases for non-local or validating stubs exist, IMHO that rises to
>> the level of requiring something real, not an alt name.
>>
>> If you think that is something that there is a demand for, I don't know
>> if it might belong in a separate domain.
>>
>> An insecure delegation from the root may be seen as an invitation for
>> exploitation by squatters.
>
> And if they could find a way to squat here (which requires intercepting
> queries) what would be the problem? We are expecting the namespace
> to be squatted. That's the whole point of the namespace. In fact
> we are going to tell nameserver vendors to squat on .alt by default*
> to generate the NXDOMAIN responses.
>
> There is absolutely no need for a secure NXDOMAIN here. Just as
> there is zero need for secure NXDOMAINs in COM, ORG, NET or any
> other gTLD. The gTLDs prevent secure delegations being spoofed
> away. They don't prevent names being spoofed into existence between
> the secure delegations.
>
> There is absolutely no need for a secure delegation here.
>
> I have not seen anyone demonstrate a technical need for a secure
> delegation for alt. There are no formal delegations in alt so there
> can be no secure delegations from alt.
>
> Mark
>
>> Sent from my iPhone
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
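
The name rewriting that a DNAME at alt pointing to empty.as112.arpa would perform, as an added example that is not part of the original message: it applies the RFC 6672 substitution rule, including the two edge cases (the owner name itself is not redirected, and an over-long result is YXDOMAIN). The function and constant names are hypothetical, and names are assumed to contain no escaped dots.

```python
# Added illustration of DNAME substitution (RFC 6672) for the owner/target
# pair discussed in the message. All function names here are hypothetical.

MAX_NAME_OCTETS = 255  # wire-format limit on a domain name


def labels(name):
    """Split a presentation-format name into lowercase labels (root -> [])."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def wire_length(lbls):
    """Octets on the wire: one length octet per label plus the root octet."""
    return sum(len(l) + 1 for l in lbls) + 1


def dname_substitute(qname, owner, target):
    """Apply one DNAME record (owner -> target) to a query name.

    Returns (status, name) where status is:
      "NO_MATCH"    - qname is not strictly below the DNAME owner
      "SYNTHESIZED" - name is the rewritten target of the synthesized CNAME
      "YXDOMAIN"    - the rewritten name would exceed 255 octets
    """
    q, o, t = labels(qname), labels(owner), labels(target)
    # Compare whole labels, so "foo.notalt." is not treated as under "alt.".
    # The owner name itself is never redirected, only names below it.
    if len(q) <= len(o) or q[len(q) - len(o):] != o:
        return ("NO_MATCH", None)
    rewritten = q[:len(q) - len(o)] + t
    if wire_length(rewritten) > MAX_NAME_OCTETS:
        return ("YXDOMAIN", None)
    return ("SYNTHESIZED", ".".join(rewritten) + ".")


if __name__ == "__main__":
    # Constructed sample queries.
    for qname in ("foo.alt.", "a.b.ALT", "alt.", "foo.notalt."):
        print(qname, dname_substitute(qname, "alt.", "empty.as112.arpa."))
```

The rewritten name then falls inside the empty zone, which is where the NXDOMAIN described in the message comes from.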