[DNSOP] Fwd: WG review of draft-ietf-homenet-dot-03

Russ Housley <housley@vigilsec.com> Mon, 20 March 2017 19:38 UTC

From: Russ Housley <housley@vigilsec.com>
Date: Mon, 20 Mar 2017 15:38:52 -0400
References: <E07AFAEB-2B84-4610-87E7-94CF32CF3761@fugue.com>
Cc: dnsop <dnsop@ietf.org>, Terry Manderson <terry.manderson@icann.org>
To: Ted Lemon <mellon@fugue.com>
Message-Id: <7652B138-FEAB-4138-91FB-D71AFE6BEF2C@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/2aCb3iEpg3CQP0cVpE5Dh7dE7W8>
Subject: [DNSOP] Fwd: WG review of draft-ietf-homenet-dot-03


> There are other processes for adding names to the root zone.  In my opinion, using the special-use TLD registry as a means of putting a name, even one that has a different scope and use case, is an end run around that process.
> So it seems to me that your position is not that it's inappropriate for a name to both be registered in the root zone and in the special-use names registry, but rather that two processes would have to be followed in order for this to happen.   Is that a reasonable interpretation of what you have said?

No.  In my opinion, the special-use TLD registry is not appropriate for the assignment of any name that will appear in the root zone.  As I said in my first note, my view is that TLDs assigned through the special-use registry MUST NOT be published in the root zone.

If you have a domain name that is to appear in the root zone, then the existing process ought to be used for that to happen.

Further, the intent is that .homenet will be used with the DNS protocol.  Section 3 of the document makes it very clear that users, applications, resolution APIs, and most resolvers will not treat that domain name in any special way.  For this reason, I do not think it meets the definition of a special-use domain name in RFC 6761, which says:

   ... if a domain name has special properties that affect the
   way hardware and software implementations handle the name, that apply
   universally regardless of what network the implementation may be
   connected to, then that domain name may be a candidate for having the
   IETF declare it to be a Special-Use Domain Name and specify what
   special treatment implementations should give to that name.

So, I think that the desired outcome requires the use of the existing process to get it registered in the root zone and some standards-track RFC to describe the environment where:

       ... Only a DNS server that is authoritative for the root ('.') or is
       configured to be authoritative for '.homenet' or a subdomain of
       '.homenet' will ever answer a query about '.homenet.'

Steve Crocker has already stated that he does not believe that entries that cannot be DNSSEC signed belong in the DNS root zone.  I know that others share this view.  For this reason, I do not think that the IETF should approve a document that specifies this processing until the root zone publication process is successful.