IETF Logo Mail Archive

[DNSOP] Re: [EXTERNAL] Re: Call for Adoption: draft-davies-internal-tld

Joe Abley <jabley@strandkip.nl> Thu, 17 April 2025 07:39 UTC

Return-Path: <jabley@strandkip.nl>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 9FB081D7FD86 for <dnsop@mail2.ietf.org>; Thu, 17 Apr 2025 00:39:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=strandkip.nl
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PmwI48ORbm3m for <dnsop@mail2.ietf.org>; Thu, 17 Apr 2025 00:39:35 -0700 (PDT)
Received: from outbound.qs.icloud.com (p-east3-cluster2-host6-snip4-10.eps.apple.com [57.103.87.191]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 4B8541D7FD74 for <dnsop@ietf.org>; Thu, 17 Apr 2025 00:39:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=strandkip.nl; s=sig1; bh=NJi9hV2OCl2iFvzyCTYI0hW5vBIBUKaHWI08XWgkKAY=; h=Content-Type:From:Mime-Version:Subject:Date:Message-Id:To:x-icloud-hme; b=EBYehMj1P4aSRIJEJ3JstJPosl2CxcvUT/MVuApdvYWTguWhSbIeCoJKA3BTDMyqf sc0dSNXpY/8NoMBYvs76972XmbWyGOgj9uwbG6A91JoXkTGt1hLUl6Wr8FPHIReXIn gO7Nh4ZaAq3LOYt2lY47WFi4QmIr2LwnwwTNjT2Ozf00dE7dk5JVuVvKKp4E9TPqjh artV9qa7MTfRSrVMjBYXVHat0ip+/0MQeE37SQA1nEzRwAEI7a0SdN2AhqclcEh6Nl gP2v/fuuq0ZV/Wj65IMsgRsG1d7EnpJY1f/AQ2TgKgCnTT7fh3+tq90HTEYU7cOvVY +s+bLCX7YcyKw==
Received: from smtpclient.apple (qs-asmtp-me-k8s.p00.prod.me.com [17.57.155.37]) by outbound.qs.icloud.com (Postfix) with ESMTPSA id 6C705180012D; Thu, 17 Apr 2025 07:39:32 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
From: Joe Abley <jabley@strandkip.nl>
Mime-Version: 1.0 (1.0)
Date: Thu, 17 Apr 2025 09:39:19 +0200
Message-Id: <B3F33508-46B5-4B19-A265-C4EAFE9D4000@strandkip.nl>
References: <016201dbaee8$d1106580$73313080$@gmail.com>
In-Reply-To: <016201dbaee8$d1106580$73313080$@gmail.com>
To: tojens.ietf@gmail.com
X-Mailer: iPad Mail (22E252)
X-Proofpoint-ORIG-GUID: 1c5kXai9WA6u-A82GLYVD_0OC6QKFECe
X-Proofpoint-GUID: 1c5kXai9WA6u-A82GLYVD_0OC6QKFECe
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1095,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-04-17_01,2025-04-15_01,2024-11-22_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 mlxlogscore=999 adultscore=0 mlxscore=0 clxscore=1030 phishscore=0 bulkscore=0 malwarescore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.22.0-2503100000 definitions=main-2504170059
Message-ID-Hash: 242WIIJMUEAD3IJWVEBK2YW7O52Q3HNV
X-Message-ID-Hash: 242WIIJMUEAD3IJWVEBK2YW7O52Q3HNV
X-MailFrom: jabley@strandkip.nl
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Benno Overeinder <benno@nlnetlabs.nl>, Geoff Huston <gih902@gmail.com>, Working Group DNSOP <dnsop@ietf.org>, Chairs DNSOP <dnsop-chairs@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: [EXTERNAL] Re: Call for Adoption: draft-davies-internal-tld
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/6skQ2_hbzOOg2G4Pioq_uIUJHfg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Hi Tommy,

(Since you brought it up!)

On 16 Apr 2025, at 18:02, tojens.ietf@gmail.com wrote:

>> Personally I don't think that special actions in resolvers for INVALID and TEST are a good
>> idea either; I would prefer consistent behaviour and no special cases, especially as I
>> suspect that resolver operators that pay attention to this kind of thing and keep their
>> software up-to-date probably already do aggressive NSEC caching and hence the risk to
>> the root server system is lower than the risks related to increased complexity and
>> camel exhaustion. But both risks seem small.
> 
> Camel exhaustion, sure, but I'm not convinced that the complexity added by saying queries for every name under a given TLD should always be given negative responses. That's about as simple as a TLD-specific handling can be.

We should not need TLD-specific handling. TLDs in general are and should not be special.

Designing and deploying a general mechanism like aggressive negative caching and then simultaneously deciding to ignore it and recommend that specific non-existant domains be hard-coded as such seems like lunacy to me.

Baking specific magic code points into the DNS and singling them out for special handling has overhead and there surely needs to be a good reason to endure the consequences. There is no good reason here.

> If we expect network operators to move to use of .internal, they ought to have some confidence that the ecosystem isn't going to be forwarding these to the global DNS. Maybe that's just my eternal hatred for split DNS speaking, hoping to confine all such uses to the one box we can then hide away forever.

(a) They will leak, anyway. Requiring special handling of INTERNAL puts additional burden on resolver operators who are interested in being (in some sense) "compliant" but will not provide meaningful defence against leaks.

To put it another way, the suggestion that some people may have decided to handle the INTERNAL domain in a special way coupled with the knowledge that some people will almost certainly not do that means that nobody can rely on INTERNAL queries not leaking, with or without the extra requirements imposed on resolver operators.

(b) Whether or not people use INTERNAL is an entirely untested question. Perhaps if we had statistically-significant data that showed leaked INTERNAL queries actually existed and represented some kind of real problem, we could imagine thinking about a solution. We do not have such data. We are speculating that one day there might be a problem, and we are trying to anticipate a solution to that imagined problem with the benefit of zero knowledge. This is madness.

> I am more sensitive to risks to the root server system than any other component, so I'm not comfortable saying aggressive negative caching is good enough.

For context, I have been a root server operator in past lives and I have spent time building out the infrastructure of particular corners of the root server system. That was 15 years ago and there is a lot more diversity and capacity along every axis now than there was then. I am less sensitive to risks of this kind to the root servers than any other DNS servers. I would be surprised if today's root server operators lost sleep over QNAMEs in the INTERNAL domain.

The root server system is not the part of the DNS infrastructure we need to worry about. In addition to the extreme diversity and capacity of the system, it's the most straightforward for any resolver operator to de-risk because in practice no resolver operator needs to rely upon it (and even those that do only need to obtain responses very infrequently).

> Even in the happy case where every implementation that would honor .internal would also use aggressive negative caching, there is still some emission of traffic that we know, by design, in every case, is a complete waste of time. In that we would want the DNS ecosystem to become more diverse, then we scale that traffic.

That traffic will exist regardless of whether INTERNAL is added to the registry. This proposal imposes work on resolver operators and offers no meaningful protection to infrastructure or end users.

I realise that the work we are talking about is small. I know there is no protocol police, Warren's sheriff badge notwithstanding. All the tiny exceptions and niggly extra considerations add up on top of a protocol that is already unwieldy and undocumented. Every little extra nibble from the duck moves us closer to mortal injury. This is Bert's camel; the additional burden is tiny and insignificant until the camel dies.

> So: weighing the benefit of reducing traffic to the root by even a very small percentage (and if there is adoption of .internal, how small will it be after enterprises create as many names as they want?) against managing another TLD special case, in a world where several such already exist and there are no resolvers that can exist without conditional logic... I say we go for it.

Following the same line of thinking, it seems clear to me that there is almost zero benefit to go along with the work involved in this.


Joe

v2.31.3 | Report a Bug | By Email | System Status