Re: [DNSOP] ALT-TLD and (insecure) delegations.

Mark Andrews <marka@isc.org> Fri, 10 February 2017 01:57 UTC

To: Ted Lemon <mellon@fugue.com>
From: Mark Andrews <marka@isc.org>
References: <20170207205554.B6974633BE40@rock.dv.isc.org> <18F2EB0D-5BD0-4CC5-B02C-2E5EA0B8CC23@fugue.com> <20170207214846.B66EF633C6C5@rock.dv.isc.org> <FB835756-2C46-40A9-88ED-2F8ADF812BA6@fugue.com> <20170208052544.862956356F33@rock.dv.isc.org> <FFAFD844-824C-44EA-A4B1-1AD28B4FE95C@fugue.com> <20170208060208.8C8E1635864D@rock.dv.isc.org> <E0A42577-0984-4ADD-8658-91413CBE783D@fugue.com> <20170208194208.DB02C635DD72@rock.dv.isc.org> <CAH1iCipA5nvWJqjdGUwJeeT_eU8EH8VYJU2hX1hJoiTb617K8Q@mail.gmail.com> <20170209163123.56hdbzaluekmvbh7@nic.fr> <20170209195722.DC1AB636586C@rock.dv.isc.org> <0394528C-99CD-41D4-9AB6-844D1318264C@gmail.com> <20170209204506.BC40D6365CBE@rock.dv.isc.org> <12D7473B-3A22-4A8D-9C13-2AEEDEABB879@fugue.com> <20170209224851.2FB1B63666E6@rock.dv.isc.org> <CAPt1N1nLmdoZ_3Kb8Kfp9sTsN-GYqo1A9CF3j4zb7QCvO3SLew@mail.gmail.com> <20170209232830.0DE1B63669D6@rock.dv.isc.org> <CFB6BEB2-4110-406A-A917-FC6361061B1C@fugue.com> <20170210004801.EEFE9636B89C@rock.dv.isc.org> <653A3403-DFC8-491A-B083-7873D1886A12@fugue.com>
In-reply-to: Your message of "Thu, 09 Feb 2017 20:15:32 -0500." <653A3403-DFC8-491A-B083-7873D1886A12@fugue.com>
Date: Fri, 10 Feb 2017 12:57:25 +1100
Message-Id: <20170210015725.BF777636C97F@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/4Ipz3fQocu8hygl0tWDVjaZE1fU>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, Brian Dickson <brian.peter.dickson@gmail.com>
Subject: Re: [DNSOP] ALT-TLD and (insecure) delegations.

In message <653A3403-DFC8-491A-B083-7873D1886A12@fugue.com>, Ted Lemon writes:
>
> On Feb 9, 2017, at 7:48 PM, Mark Andrews <marka@isc.org> wrote:
> > 1) there is too much brokenness out there that returns NXDOMAIN instead
> > of a NODATA for an ENT.
>
> So you're saying that a root nameserver is going to return an incorrect
> result?  And what does this have to do with intelligent trees?

I'm developing software that will be run on private internets with
various degrees of competence from the administrators as well as
the public Internet.  That private internet may have an ENT for ALT
that returns NXDOMAIN.  The server has to work in that environment.

So NXDOMAIN doesn't stop the query.

Even with everything working properly QNAME minimisation DOES NOT
STOP THE QUERIES.

RFC 4035 + RFC 7816 -> leaks (synthesis of negative answers is banned by RFC 4035)
RFC 4035 + RFC 7816 + ANC supported by the code w/o validation -> leaks
RFC 4035 + RFC 7816 + ANC supported by the code + validation -> no leaks

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
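The three rows of Mark's table, as an added toy model that is not code from the thread or from ISC: a QNAME-minimising resolver (RFC 7816) sits in front of a stand-in root that holds `alt.` as a name with no data (the ENT/NODATA case under discussion) and answers NXDOMAIN for everything beneath it. The NSEC `alt. NSEC am.` is a constructed record, not the real root chain, and the model glosses over how a real NSEC-signed zone proves an ENT; DNSSEC validation is simulated by a flag rather than by checking RRSIGs. Each call to `Root.query` is one query that reaches the root, which is the leak being counted.

```python
"""Toy model of the three resolver configurations in Mark's table.

Added example, not code from the thread or from ISC. It models a
QNAME-minimising resolver (RFC 7816) in front of a root that holds `alt.`
with no data and signs it with a constructed NSEC `alt. NSEC am.`
(hypothetical owner/next pair; real root NSEC chains differ). DNSSEC
validation is simulated by a flag, not by checking RRSIGs.
"""
from dataclasses import dataclass, field


def canonical_key(name: str):
    """Sort key for DNS canonical ordering (RFC 4034 s6.1): compare labels
    right to left, case-insensitively, shorter prefix first."""
    name = name.rstrip(".").lower()
    return tuple(reversed(name.split("."))) if name else ()


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if qname sorts strictly between an NSEC's owner and next name,
    i.e. the NSEC proves qname does not exist."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC in the chain wraps around to the apex


@dataclass
class Root:
    """Stand-in for a root server: alt. exists but holds no data (the ENT /
    NODATA case from the thread), everything beneath it is NXDOMAIN."""
    NSEC = ("alt.", "am.")          # constructed NSEC, not the real root chain
    queries: list = field(default_factory=list)

    def query(self, qname: str, qtype: str) -> dict:
        self.queries.append((qname, qtype))
        if qname == "alt.":
            return {"rcode": "NOERROR", "answer": [], "nsec": self.NSEC}  # NODATA
        if nsec_covers(*self.NSEC, qname):
            return {"rcode": "NXDOMAIN", "nsec": self.NSEC}
        raise NotImplementedError("model only knows names at or below alt.")


class Resolver:
    def __init__(self, root: Root, anc: bool = False, validating: bool = False):
        self.root, self.anc, self.validating = root, anc, validating
        self.nxdomain = set()     # RFC 2308 negative cache, keyed on exact name
        self.nodata = set()       # RFC 2308 negative cache, keyed on (name, type)
        self.nsecs = []           # NSECs seen; usable for RFC 8198 only if validated

    def _synthesise(self, qname: str):
        """RFC 8198 aggressive use: a validated NSEC covering qname proves
        NXDOMAIN without asking the authority. RFC 4035 alone forbids this,
        and RFC 8198 only permits it for validated records."""
        if not (self.anc and self.validating):
            return None
        for owner, nxt in self.nsecs:
            if nsec_covers(owner, nxt, qname):
                return "NXDOMAIN"
        return None

    def _lookup(self, qname: str, qtype: str) -> str:
        if qname in self.nxdomain or self._synthesise(qname) == "NXDOMAIN":
            return "NXDOMAIN"
        if (qname, qtype) in self.nodata:
            return "NODATA"
        resp = self.root.query(qname, qtype)   # the query that leaks to the root
        if self.anc and "nsec" in resp:
            self.nsecs.append(resp["nsec"])
        if resp["rcode"] == "NXDOMAIN":
            self.nxdomain.add(qname)
            return "NXDOMAIN"
        if not resp["answer"]:
            self.nodata.add((qname, qtype))
            return "NODATA"
        return "NOERROR"

    def resolve(self, qname: str, qtype: str = "A") -> str:
        """QNAME minimisation (RFC 7816): ask for one more label at a time,
        type NS for the intermediate names and the real type at the end."""
        labels = qname.rstrip(".").split(".")
        for i in range(len(labels) - 1, -1, -1):
            partial = ".".join(labels[i:]) + "."
            final = i == 0
            rcode = self._lookup(partial, qtype if final else "NS")
            if rcode == "NXDOMAIN" or final:
                return rcode   # NXDOMAIN at an ancestor ends the walk (RFC 8020)
        return "NOERROR"


def root_queries(anc: bool, validating: bool, names):
    """Resolve each name in turn and return the queries the root saw."""
    root = Root()
    resolver = Resolver(root, anc=anc, validating=validating)
    for name in names:
        resolver.resolve(name)
    return root.queries


if __name__ == "__main__":
    names = ["a.alt.", "b.alt.", "c.alt.", "a.alt."]   # constructed lookups
    for anc, val in [(False, False), (True, False), (True, True)]:
        seen = root_queries(anc, val, names)
        print(f"ANC={anc!s:5} validating={val!s:5} -> {len(seen)} root queries: {seen}")
```

With exact-match negative caching only (the first two rows), the NODATA for `alt.` is reused but every new second-level name is a fresh query to the root, so the leak grows with the number of distinct names looked up; the ANC-without-validation row stores the NSEC but is not allowed to use it. With ANC and validation, the NSEC returned alongside the `alt.` NODATA covers the whole range below `alt.`, so the root sees exactly one query however many names follow.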