IETF Logo Mail Archive

Re: [DNSOP] Call for Adoption: draft-arends-private-use-tld

Tony Finch <dot@dotat.at> Tue, 16 June 2020 01:30 UTC

Return-Path: <dot@dotat.at>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 001053A0F61 for <dnsop@ietfa.amsl.com>; Mon, 15 Jun 2020 18:30:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eKMiWBh4wZYE for <dnsop@ietfa.amsl.com>; Mon, 15 Jun 2020 18:30:00 -0700 (PDT)
Received: from ppsw-43.csi.cam.ac.uk (ppsw-43.csi.cam.ac.uk [131.111.8.143]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 22A4E3A0F60 for <dnsop@ietf.org>; Mon, 15 Jun 2020 18:30:00 -0700 (PDT)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:43138) by ppsw-43.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.139]:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1jl0QA-000g1O-oD (Exim 4.92.3) (return-path <dot@dotat.at>); Tue, 16 Jun 2020 02:29:50 +0100
Date: Tue, 16 Jun 2020 02:29:50 +0100
From: Tony Finch <dot@dotat.at>
To: Brian Dickson <brian.peter.dickson@gmail.com>
cc: Paul Vixie <paul@redbarn.org>, John Levine <johnl@taugh.com>, dnsop <dnsop@ietf.org>, Tim Wicinski <tjw.ietf@gmail.com>
In-Reply-To: <CAH1iCiq9sj-27_=M8Uquby0NAkg4HK+vipcjnzBtQktwgRXdyA@mail.gmail.com>
Message-ID: <alpine.DEB.2.20.2006160222430.28941@grey.csi.cam.ac.uk>
References: <CAH1iCiouFfMRYoREwhhTbQfnNserw3RVUPs8Pzc8CvNEhysYCw@mail.gmail.com> <20200615174753.225EC1ABFFA1@ary.qy> <CADyWQ+Em0Qh+TeGudz2Zgx4cEd4AUqKf9CcivotKYUZWyKPCPA@mail.gmail.com> <2629924.6WoLTOkaPB@linux-9daj> <alpine.DEB.2.20.2006152244380.28941@grey.csi.cam.ac.uk> <CAH1iCioLL1dZtMzsXEVPE9SaHR9Hza8MLRRSnKH1eJ8+EW+KEA@mail.gmail.com> <alpine.DEB.2.20.2006160156000.28941@grey.csi.cam.ac.uk> <CAH1iCiq9sj-27_=M8Uquby0NAkg4HK+vipcjnzBtQktwgRXdyA@mail.gmail.com>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/4sKZevEBmFKGYcoRfW2YilO1OnU>
Subject: Re: [DNSOP] Call for Adoption: draft-arends-private-use-tld
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jun 2020 01:30:02 -0000

Brian Dickson <brian.peter.dickson@gmail.com> wrote:
>
> Precisely because you want a non-TLD (we should remember this is NOT an
> actual TLD), for a number of reasons:
>
>    - You want to be able to limit the places any leaked traffic goes
>       - Currently this would be the Root Servers

And any resolvers in between there and roaming users.

>       - The typical content of enterprisey internal-only names (the DNS
>    queries themselves) are sensitive in nature
>       - I have had the opportunity to view DITL data from ISP resolvers,
>       and the nature of these kinds of queries was unsettling
>       - In addition to leaking information, these names generally should
>       not have any presence in DNS caches, which makes them excellent
> candidates
>       for easy poisoning

These issues happen in exactly the same way whether you squat on a tld or
use a private subdomain.

The draft doesn't talk about random subdomains; instead it says that part
of the point is to make names as short as possible. And our experience
with telling people to use random parts of private address space (as in
RFC 1918, and IPv6 GUA) is that they don't.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
North Foreland to Selsey Bill: Southerly or southwesterly, becoming variable
at times, 2 or 3, occasionally 4 until later. Smooth, occasionally slight. Fog
patches for a time near shore. Moderate or good, occasionally very poor for a
time near shore.

v2.23.0 | Report a Bug | By Email