IETF Logo Mail Archive

[DNSOP] Re: Is .INTERNAL a special use domain name?

Mark Andrews <marka@isc.org> Thu, 13 February 2025 22:38 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E1E3C1D6203 for <dnsop@ietfa.amsl.com>; Thu, 13 Feb 2025 14:38:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="g7PoVA/U"; dkim=pass (1024-bit key) header.d=isc.org header.b="hKvWyJp9"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u1dRWjcP3YGw for <dnsop@ietfa.amsl.com>; Thu, 13 Feb 2025 14:38:27 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.2.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7BECFC1F588E for <dnsop@ietf.org>; Thu, 13 Feb 2025 14:38:26 -0800 (PST)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.2.31]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 348D13AB2E5; Thu, 13 Feb 2025 22:38:25 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org 348D13AB2E5
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.2.31
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1739486305; cv=none; b=FjCz+wjXugwsx3puTBE7S3R3piixk6Mf4WKlT+iMYmegCi2LfDAtDFxLLACd2BJKrHf2/Y35co7S6gIlcavoFFtleg/x8CxWdBSTRB4b9JdF6t3FDjWjLdBz5uCOBy0QFY/NAAedObxHYtBG5DDbLUnnB1+XA4GusY2ocMf7rPM=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1739486305; c=relaxed/relaxed; bh=OFwDxY3i4FZAzdPH9R6+Ln/7zUM3LH/HithoSNZm9DI=; h=DKIM-Signature:DKIM-Signature:Mime-Version:Subject:From:Date: Message-Id:To; b=Bg0ewA1mh3gEYfs4sE8GPN8EFP0TJrVA32Jg3A2vrNVqxjkWtvuAwuM/LTLmKjCYOkqDDw/HqDmc995ARWC6x0Kn9HlszIaWvfv2SVXDeajnQgGtXDx6pvBIyjevy5saTSzAc9nZdJp151lhbb3DMidVqngJpjE6OnRLORybkLY=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org 348D13AB2E5
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1739486305; bh=kkffnFJmk5Mn/WS6hg4vfdl8B36TPwC23bvYKtr5++s=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=g7PoVA/UjTeQqBEdVwQgapbkEv/MoY+3GXrhPiuS4x0MO7boJKt9+jJv/0fec0y4h uyNEPwbDOWM8UY50s7D5VhqFUJFPDJmPULWs9KJGFSR4lBqADN/zZYKOjaT5p15xnI 74DK1smbcdW2y3NpA4X8eBiZKRFeTtY5ZtROEGVk=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id 31084EB0C54; Thu, 13 Feb 2025 22:38:25 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 0EEAFEB0C5B; Thu, 13 Feb 2025 22:38:25 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 0EEAFEB0C5B
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1739486305; bh=OFwDxY3i4FZAzdPH9R6+Ln/7zUM3LH/HithoSNZm9DI=; h=Mime-Version:From:Date:Message-Id:To; b=hKvWyJp9P+/Tk8566uZOTx8koDUb5tBwpTBH8pp87pR2EvrvJ98JYSwD/A1Am+Nwb +YB2s5Ka+PzGkGyP8pTwBep+QUR/X1KzASGW8ftHPslVr9O9PexsUPEPjO8+A/Np9k sjZtGcPqqmF2sF1WMR23pd9p6peFtpYeVLM092cM=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavis, port 10026) with ESMTP id i0QS_LFuc3hw; Thu, 13 Feb 2025 22:38:25 +0000 (UTC)
Received: from smtpclient.apple (n49-187-18-238.bla1.nsw.optusnet.com.au [49.187.18.238]) by zimbrang.isc.org (Postfix) with ESMTPSA id 6F88DEB0C54; Thu, 13 Feb 2025 22:38:24 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6.1.9\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <m1tifRx-0000NOC@stereo.hq.phicoh.net>
Date: Fri, 14 Feb 2025 09:38:08 +1100
Content-Transfer-Encoding: quoted-printable
Message-Id: <B4A31C97-C30C-45C4-B5B0-3E337A5F1491@isc.org>
References: <3AB732CF-F095-4110-AD1A-077D77AAA05D@iana.org> <3d8096c8-bec1-4dfb-8e02-fa47278f9ede@isc.org> <m1tifRx-0000NOC@stereo.hq.phicoh.net>
To: Philip Homburg <pch-dnsop-6@u-1.phicoh.com>
X-Mailer: Apple Mail (2.3731.700.6.1.9)
Message-ID-Hash: XKIMSXSPWBDEL2LC7DWU2N5O35JJO4EJ
X-Message-ID-Hash: XKIMSXSPWBDEL2LC7DWU2N5O35JJO4EJ
X-MailFrom: marka@isc.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: Is .INTERNAL a special use domain name?
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/1sj6naSv-ecPHujLQiGmB9WTNC8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

> On 14 Feb 2025, at 07:04, Philip Homburg <pch-dnsop-6@u-1.phicoh.com> wrote:
> 
>> Logic behind this proposal follows:
>> 
>> #1 I can't see any difference between the intended use of: 
>> - 10.in-addr.arpa.
>> - internal.
>> 
>> #2 RFC 6761 section 6.1 already established special rules for
>> 10.in-addr.arpa.
> 
> The draft has the following:
> The "internal" top-level domain provides this purpose in the DNS. Such
> domains will not resolve in the global DNS, but can be configured within
> closed networks as the network operator sees fit.
> 
> I think that is the difference between .internal and 10.in-addr.arpa. I
> expect 10.in-addr.arpa. to resolve in the global DNS. RFC-1918 address do
> leak and there is no reason to expect every piece of software to have
> filter in place to catch reverse DNS lookups for those addresses.
> 
> There seems to be an argument that for the convenience of DNSSEC, private
> domains have to resolve in the global DNS. Maybe we need to actually
> say that in some RFC. Or solve this issue in a different way.

We do for Locally Served DNS Zones (RFC 6303) even if IANA hasn’t yet
organised all of the stub delegations yet.

6. IANA Considerations

IANA has established a registry of zones that require this default
behaviour. The initial contents of this registry are defined in
Section 4. Implementors are encouraged to periodically check this
registry and adjust their implementations to reflect changes therein.

This registry can be amended through "IETF Review" as per [RFC5226].
As part of this review process, it should be noted that once a zone
is added it is effectively added permanently; once an address range
starts being configured as a local zone in systems on the Internet,
it will be impossible to reverse those changes.

IANA should coordinate with the RIRs to ensure that, as DNS Security
(DNSSEC) is deployed in the reverse tree, delegations for these zones
are made in the manner described in Section 7.

7. Security Considerations

During the initial deployment phase, particularly where [RFC1918]
addresses are in use, there may be some clients that unexpectedly
receive a name error rather than a PTR record. This may cause some
service disruption until their recursive nameserver(s) have been
re-configured.

As DNSSEC is deployed within the IN-ADDR.ARPA and IP6.ARPA
namespaces, the zones listed above will need to be delegated as
insecure delegations, or be within insecure zones. This will allow
DNSSEC validation to succeed for queries in these spaces despite not
being answered from the delegated servers.

It is recommended that sites actively using these namespaces secure
them using DNSSEC [RFC4035] by publishing and using DNSSEC trust
anchors. This will protect the clients from accidental import of
unsigned responses from the Internet.


Special-Use Domain 'home.arpa.’ RFC 8375 has 

7. Delegation of 'home.arpa.'

In order to be fully functional, there must be a delegation of
'home.arpa.' in the '.arpa.' zone [RFC3172]. This delegation MUST
NOT include a DS record and MUST point to one or more black hole
servers, for example, 'blackhole-1.iana.org.' and 'blackhole-
2.iana.org.'. The reason that this delegation must not be signed is
that not signing the delegation breaks the DNSSEC chain of trust,
which prevents a validating stub resolver from rejecting names
published under 'home.arpa.' on a homenet name server.


Discovery of Designated Resolvers RFC 9462 has by reference that
an insecure delegation is required.  Note there is an errata for
this section.

6.4. Handling Non-DDR Queries for resolver.arpa

DNS resolvers that support DDR by responding to queries for
_dns.resolver.arpa. MUST treat resolver.arpa as a locally served zone
per [RFC6303]. In practice, this means that resolvers SHOULD respond
to queries of any type other than SVCB for _dns.resolver.arpa. with
NODATA and queries of any type for any domain name under
resolver.arpa with NODATA.


People are too scared of

internal. NS a.root-servers.net.
...
internal. NS m.root-servers.net.

being added to the root zone.  Where the contents of the zone served is just the
SOA and NS records and is NOT signed.

@   86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 1 1800 900 604800 86400
@   86400 IN NS  a.a.root-servers.net.
...
@   86400 IN NS  m.a.root-servers.net.

The same machines are returning NXDOMAIN for everything under internal. They return a
NODATA response for all types other that SOA and NS for “internal”.

Root zone politics has got in the way of good management of the DNS in the root zone.
If people are expected to use a name locally then there needs to be a clean break in
the DNSSEC chain of trust.

Mark

> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-leave@ietf.org

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.37.1 | Report a Bug | By Email | System Status