Re: [DNSOP] ALT-TLD and (insecure) delgations.

Ted Lemon <mellon@fugue.com> Wed, 08 February 2017 04:51 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 815341298BA for <dnsop@ietfa.amsl.com>; Tue, 7 Feb 2017 20:51:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HUVjtBC1Ne7d for <dnsop@ietfa.amsl.com>; Tue, 7 Feb 2017 20:51:08 -0800 (PST)
Received: from mail-qk0-x229.google.com (mail-qk0-x229.google.com [IPv6:2607:f8b0:400d:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 009011298A5 for <dnsop@ietf.org>; Tue, 7 Feb 2017 20:51:07 -0800 (PST)
Received: by mail-qk0-x229.google.com with SMTP id s186so111126059qkb.1 for <dnsop@ietf.org>; Tue, 07 Feb 2017 20:51:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=wqSXtdshvhlJWeKhyIDr130Qa2fsMfTLQbOtQQ0+NKA=; b=crGUFSawFVGP5q2eKCQuAfFIvBVbRsCMwQNcL5DgrZowZDfsoHEjJPTNWlLS2/23OT CIKxxPTlpsPXjxD4UKmYRzAh4EEJYMN+yoMwCo0YoC4o94nZl6fKlvOk+LdUuFKn8O/l Rg07tyDp+rTHab6fnnk14t5Qmdr9fSrQfBZlV/oUcOpnYWoko93dRJTU1JO7pj1bzauV gCAwhWhkyNVJkfnq2M/C4YY3XEJZjfVlcfZW6tiQroB/Z/2iqHkxKboH78FA/Yy3hyA7 hqrCeXp79viQ9W5VWftKC1aJ+cR02fv9WKziOevZq6gEzY9StFlKYIe2dpPsU6S/1fbT PGkw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=wqSXtdshvhlJWeKhyIDr130Qa2fsMfTLQbOtQQ0+NKA=; b=o/WzAhfn18E8XzbeprqagC3tZ+THKM0gMYJ9VZPWdxzioK4sJL8oAX1wQu74FQMHRZ 4Us/0A+2qillWTUhoXNuMPtmfLRSjIoYlhvdcSVP1lNtbE3Q0AARucx7Vp6E01weRySM hoolrzvKjmWAX5322OIHdmC6yRxw/RQhkwnOCr+gpxdTbcBGwyK1EauEmWe0IeHhPnGg +wFLzM2ea5v5mXX9kkCS9EKHKYLeDpvzbKn5xQztzjdeiJ2FmUZBhwpxEUzzkvRot88C r6j3EVWA/B+jQE2CSWxaaVugpbe2dvalT2xlw3CT0pR25oHGatgslqnO/gG3DInPGu6n njcw==
X-Gm-Message-State: AMke39lB25YGXguYdymPOPtNGtQ/dekM9aPueP3GuIvVXZwIcE8BjuVehZB/St4Y4uyCNg==
X-Received: by 10.55.16.67 with SMTP id a64mr18054746qkh.226.1486529467023; Tue, 07 Feb 2017 20:51:07 -0800 (PST)
Received: from [192.168.1.228] (c-73-167-64-188.hsd1.ma.comcast.net. [73.167.64.188]) by smtp.gmail.com with ESMTPSA id 7sm5282963qkx.49.2017.02.07.20.51.04 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 07 Feb 2017 20:51:05 -0800 (PST)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <FB835756-2C46-40A9-88ED-2F8ADF812BA6@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_F2B545AB-BF45-4AAE-8E5C-CBE4A688F3C0"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Tue, 7 Feb 2017 23:51:03 -0500
In-Reply-To: <20170207214846.B66EF633C6C5@rock.dv.isc.org>
To: Mark Andrews <marka@isc.org>
References: <CAH1iCiqXohb_7LsQ2EMo8ZB-t20mKq_nUDS8vebhtSXoM13DTg@mail.gmail.com> <20170203210922.7286C618213C@rock.dv.isc.org> <CAH1iCipKwcOsMQY3kjvSZ42LMK37GLD6GP2AVtnWK0c83k-RiA@mail.gmail.com> <20170207040552.8BDCC632F192@rock.dv.isc.org> <3581BE55-B178-4298-8EE8-73FD16B4216D@gmail.com> <D4C0D518-A3ED-4555-93DA-2EA12D82A662@fugue.com> <CAHw9_iK7Vt+ZNw8=E-b+w9gGhwB9fZNqHYp2pqKqT__RgcDttQ@mail.gmail.com> <5CA637EE-C0B6-4E5C-A446-A84431176D0C@fugue.com> <20170207205554.B6974633BE40@rock.dv.isc.org> <18F2EB0D-5BD0-4CC5-B02C-2E5EA0B8CC23@fugue.com> <20170207214846.B66EF633C6C5@rock.dv.isc.org>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/2LuieVHIsh8OckU4QINtIhdIc30>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, Brian Dickson <brian.peter.dickson@gmail.com>
Subject: Re: [DNSOP] ALT-TLD and (insecure) delgations.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Feb 2017 04:51:09 -0000

On Feb 7, 2017, at 4:48 PM, Mark Andrews <marka@isc.org> wrote:
> Go add a empty zone (SOA and NS records only) for alt to your
> recursive server.  This is what needs to be done to prevent
> privacy leaks.

No, the recursive server can just cache the proof of nonexistence.   I didn't query the root when I did my test—I ran the query through comcast's servers.   Worked just fine.   Yes, if you configure your local server to lie, that won't work.   That's by design.