[DNSOP] Remarks about draft-wkumari-dnsop-internal-00

Stephane Bortzmeyer <bortzmeyer@nic.fr> Thu, 07 September 2017 14:32 UTC

Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id BF5C3132F1B for <dnsop@ietfa.amsl.com>; Thu, 7 Sep 2017 07:32:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id u_4dGSEAiZqf for <dnsop@ietfa.amsl.com>; Thu, 7 Sep 2017 07:32:41 -0700 (PDT)
Received: from mx4.nic.fr (mx4.nic.fr [IPv6:2001:67c:2218:2::4:12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B41BA124B18 for <dnsop@ietf.org>; Thu, 7 Sep 2017 07:32:41 -0700 (PDT)
Received: from mx4.nic.fr (localhost []) by mx4.nic.fr (Postfix) with SMTP id 9062A2806B8 for <dnsop@ietf.org>; Thu, 7 Sep 2017 16:32:39 +0200 (CEST)
Received: by mx4.nic.fr (Postfix, from userid 500) id 8B5AF2806BE; Thu, 7 Sep 2017 16:32:39 +0200 (CEST)
Received: from relay01.prive.nic.fr (relay01.prive.nic.fr [IPv6:2001:67c:2218:15::11]) by mx4.nic.fr (Postfix) with ESMTP id 84ABD2806B8 for <dnsop@ietf.org>; Thu, 7 Sep 2017 16:32:39 +0200 (CEST)
Received: from b12.nic.fr (b12.tech.ipv6.nic.fr [IPv6:2001:67c:1348:7::86:133]) by relay01.prive.nic.fr (Postfix) with ESMTP id 82289606D942 for <dnsop@ietf.org>; Thu, 7 Sep 2017 16:32:39 +0200 (CEST)
Received: by b12.nic.fr (Postfix, from userid 1000) id 7A7B641E1F; Thu, 7 Sep 2017 16:32:39 +0200 (CEST)
Date: Thu, 07 Sep 2017 16:32:39 +0200
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: dnsop@ietf.org
Message-ID: <20170907143239.x4out34m7weaah2u@nic.fr>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
X-Operating-System: Debian GNU/Linux 9.1
X-Kernel: Linux 4.9.0-3-amd64 x86_64
X-Charlie: Je suis Charlie
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: NeoMutt/20170113 (1.7.2)
X-Bogosity: No, tests=bogofilter, spamicity=0.004096, version=1.2.2
X-PMX-Version:, Antispam-Engine:, Antispam-Data: 2017.9.7.142116
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3ITGN6-u75gGCPhvlkCZxcw4-L0>
Subject: [DNSOP] Remarks about draft-wkumari-dnsop-internal-00
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Sep 2017 14:32:45 -0000

draft-wkumari-dnsop-internal-00 proposes to reserve .internal for
RFC1918-like domain names. There is clearly a strong demand for that.
(There is also a strong demand for happy sex, great food, excellent
wines and diamong rings, but let's ignore it for the moment).

The document clearly documents that it will not happen, since it
requires an entire new process at ICANN.

The draft requires a delegation to AS112. Since one of the goals is to
limit leaks, I'm not sure it is a good idea. During the development
of draft-bortzmeyer-dname-root, several people noticed that, unlike
the root, the AS 112 is managed by an unbounded set of unknown
operators. Not great for privacy.

Regarding section 4 (DNSSEC), I wonder if it would be a better idea to
have a name like that in the root:

shouldnotarriveattheroot.internal. IN TXT "Check your resolvers"

This way, requests for anything.internal which leaked at the root
would receive an insecure denial of existence (since there is no DS
for .internal). Problem solved, no?

% dig @localhost -p 9053 NS printer.internal                  
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53323
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
intel.			86400 IN NSEC shouldnotarriveattheroot.internal. NS DS RRSIG NSEC
intel.			86400 IN RRSIG NSEC 13 1 86400 (
				20171005142909 20170907142909 6172 .
				WDz0HuSHUeC5YJTxPc2qwGN8xa6dmeGGLX6rTkpWaQ== )
.			86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. (
				2017090702 ; serial
				1800       ; refresh (30 minutes)
				900        ; retry (15 minutes)
				604800     ; expire (1 week)
				86400      ; minimum (1 day)

[Note it would not solve the ICANN problem.]

Also, it may be a good idea to add an "Internationalization
considerations" section. If people want a memorable domain name (and
not, say, the TLD .693268ed5948276cb48c3f3339ac465d, which would work
as well), it's because it is typable and rememberable), they may want
it in other languages.