IETF Logo Mail Archive

[DNSOP] Re: [Ext] Re: Call for Adoption: draft-davies-internal-tld

Ted Lemon <mellon@fugue.com> Thu, 01 May 2025 17:33 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id A510A23B2C02 for <dnsop@mail2.ietf.org>; Thu, 1 May 2025 10:33:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.798
X-Spam-Level:
X-Spam-Status: No, score=-2.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=fugue.com header.b="EgOhJAgr"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="P9czY36y"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dBvF-aspg429 for <dnsop@mail2.ietf.org>; Thu, 1 May 2025 10:33:02 -0700 (PDT)
Received: from flow-b5-smtp.messagingengine.com (flow-b5-smtp.messagingengine.com [202.12.124.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 9BA0E23B2BFB for <dnsop@ietf.org>; Thu, 1 May 2025 10:33:02 -0700 (PDT)
Received: from phl-compute-12.internal (phl-compute-12.phl.internal [10.202.2.52]) by mailflow.stl.internal (Postfix) with ESMTP id 2BA831D4268E; Thu, 1 May 2025 13:33:02 -0400 (EDT)
Received: from phl-imap-10 ([10.202.2.85]) by phl-compute-12.internal (MEProxy); Thu, 01 May 2025 13:33:02 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue.com; h=cc :cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm1; t=1746120782; x=1746127982; bh=Gz2QNdT+Vo 422FCdf1lrBlhxYpRUuMQtzPteevHyCMA=; b=EgOhJAgrWw/CyT65Q4p8THM6j2 7thDw3sFpSnWu4POpbJRuvOILAy4M1HyevrgjWPZkZI9olTVxd/csVMG2nnNe5j6 f/MSLGHJmreteSd3Lqjw9DuqG1oBkdEyFdkDXNQ9H/9HQsOOuxFthKwNJcW67N0H IlQkm77RlOwh34IPNQEBNJB2hchrXjQO78jiBVd2R+49xzFYtv5cpmrv6N/ocsRE R++AiwbpPaHv01GKgqg84lDeYXASpwIsnVlMeGjd9YGmVeo1YS8sDyf7w63TCTxb OtbwE7vZJ8+CwbAk4OIEUi0nRYFLBLWqNEV3dbovsEweAy5aBBkNp4ynabUA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t= 1746120782; x=1746127982; bh=Gz2QNdT+Vo422FCdf1lrBlhxYpRUuMQtzPt eevHyCMA=; b=P9czY36yO62qSpPHjwo5xW9g7Tje7TPCbH0dlZ7WnbMRpmfIoG0 mQRrjFkXgrufcHPYmmHglh01jZi7WcQN8VJ9YKWkcR61fe8No5c0oWAxa1yDkFZ1 hHUlbJ4zdLjPShm9ey4qvpYABxPccv4nHDwx2boCq4RuqADZWCiFD2mpd5uQIbzs jetVBlcLPDb1UVtx57clz5P1z7JwwHiqLq2AuNj/ES6CDgvWFXhlHEHLJg+F7tX5 +1bdEKQmKoT7/w0wDteJsLHdE/kW6DHOjlaFYF90csWGysbBVNmMwf/KUuOouQSQ 4TikqpPBy0CN/OQY6yrPbQGIYyOYmEdUvdA==
X-ME-Sender: <xms:TbATaDNS4iLBsPfUf64ATiwD1rMjjY0EJNOknkoqFYIV8wKG0G3U2g> <xme:TbATaN_tMHl4s69IXIkRaCU1JQR0fpZQV7fiqyIdGVwLMfWYLktQWok6y9lPSDg4B HoGGvQ7sjn-gwZR-rc>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefvddrtddtgddvjedtudelucetufdoteggodetrf dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggv pdfurfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpih gvnhhtshculddquddttddmnecujfgurhepofggfffhvfevkfgjfhfutgesrgdtreerredt jeenucfhrhhomhepfdfvvgguucfnvghmohhnfdcuoehmvghllhhonhesfhhughhuvgdrtg homheqnecuggftrfgrthhtvghrnhepfeeugfdttdffkeefieejueduieevuefgvddvleel jedvjeejhedvtdfgleevudetnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpe hmrghilhhfrhhomhepmhgvlhhlohhnsehfuhhguhgvrdgtohhmpdhnsggprhgtphhtthho pedvpdhmohguvgepshhmthhpohhuthdprhgtphhtthhopehprghulhdrhhhofhhfmhgrnh esihgtrghnnhdrohhrghdprhgtphhtthhopegunhhsohhpsehivghtfhdrohhrgh
X-ME-Proxy: <xmx:TbATaCT6fzIw5brOv3QWYhbhIYsMJd5conSwJHOd9aWEBE0ILZ2t9w> <xmx:TbATaHtFTZFHYguhUQzj_rNEHYjRqrxo8okOvJRD476R8A56dQj2sg> <xmx:TbATaLfb-j3QDjbh8NFMcdC3tvXY6jPNgHdr2JCkP2Ye72ip4VzAJg> <xmx:TbATaD2T0ISgTL_ZwyJZ_X07aPk6wMRculbNokJz3nzq9qQ4XQgdjg> <xmx:TrATaCqlY-wAJ0qv_2pP51QWF8R9U6bUApS--RftTRGi7WxcPKjBSJNT>
Feedback-ID: i1136489e:Fastmail
Received: by mailuser.phl.internal (Postfix, from userid 501) id B54083C0068; Thu, 1 May 2025 13:33:01 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
MIME-Version: 1.0
X-ThreadId: Teb8ce65f3fed0dd8
Date: Thu, 01 May 2025 13:32:41 -0400
From: Ted Lemon <mellon@fugue.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Message-Id: <4642026e-81d6-4620-b4c5-6af67d59e6d5@app.fastmail.com>
In-Reply-To: <31972B9D-D604-43BF-9638-5DC7F36C0FCE@icann.org>
References: <m1u5h1G-0000LcC@stereo.hq.phicoh.net> <83666fd3-a51f-46e1-a5ac-0b9a46361480@desec.io> <49E3B1B6-E960-4A46-9C5D-2721FD57132D@depht.com> <3b5fb9e7-8a2b-420f-a2fb-dd6f6a0b88ae@isc.org> <89047B78-A2B1-43F2-A996-94DF1E90538A@depht.com> <cc84f69c-c349-4d91-b942-80221b564a9b@isc.org> <ac48e27d-479f-42f3-b87f-891220ef2fe8@app.fastmail.com> <BE721880-6254-48F4-9F91-567A99E0511B@icann.org> <m1u7asT-0000MtC@stereo.hq.phicoh.net> <01E23110-9A50-4187-8A54-34D514504F9B@strandkip.nl> <3A48CBC3-B55B-4FCF-B713-A7CA4C7BB7CC@strandkip.nl> <8E36C1B8-C67B-4704-9E3B-7143863E2262@icann.org> <87f219df-34f0-48fa-89cf-8cb8300c86c2@app.fastmail.com> <1359A8E4-E436-4EC5-B5C7-E0713A3E8182@icann.org> <b5e95596-ffa7-491f-86c5-27a9c98b4336@app.fastmail.com> <31972B9D-D604-43BF-9638-5DC7F36C0FCE@icann.org>
Content-Type: multipart/alternative; boundary="1451292b308d47828dd1a26bb78e501a"
Message-ID-Hash: B5U2SIU6VV5NPQSAYYFUFQIKGPFDIJKL
X-Message-ID-Hash: B5U2SIU6VV5NPQSAYYFUFQIKGPFDIJKL
X-MailFrom: mellon@fugue.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "dnsop@ietf.org WG" <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: [Ext] Re: Call for Adoption: draft-davies-internal-tld
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/2nMVjJ8KsJzbhhl9Hu6SoaRn54s>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

On Thu, May 1, 2025, at 12:07 PM, Paul Hoffman wrote:
> On Apr 30, 2025, at 18:25, Ted Lemon <mellon@fugue.com> wrote:
> > 
> > The local resolver can safely lie about the delegation, so unless the stub resolver queries the root directly this isn’t an issue.
> 
> A validating stub resolver would indeed query the root to create the chain of trust. That's the whole point of *validating* stub resolvers.

The stub resolver queries the chain of trust, but why would it send a packet to a root server? Is that what we want it to do?

Normally I would expect it to query the local network resolver and then validate. I think that’s what our implementation does unless DoH is configured. Is yours different?

> 
> > Even if it does, unless it uses DoH, the edge router can intercept the query.
> 
> The IETF does not promote "edge router can intercept the query". :-) Further, even in that scenario, then there is no reason for an insecure delegation: no delegation works fine.

Of course not. The IETF also doesn’t promote .internal. 

I’m under the impression that no delegation at the root means the delegation can be proven not to exist. Am I mistaken?

> > But this isn’t generally necessary. If you’re doing DNSSEC the only reason not to trust the local resolver is if it doesn’t give enough answers to construct the proofs. 
> 
> You may feel that way, but that's not the model adopted by the DNSSEC standards.

Again not my understanding of how existing validating stub resolvers work, but I’m curious to know what your experience with this is. My sample is one at the moment—the one in Apple’s operating systems.

v2.31.3 | Report a Bug | By Email | System Status