IETF Logo Mail Archive

[DNSOP] Re: on the more general problem of delegating to other namespaces in the DNS

Ted Lemon <mellon@fugue.com> Tue, 22 July 2025 16:34 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 0818D48A7123 for <dnsop@mail2.ietf.org>; Tue, 22 Jul 2025 09:34:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.798
X-Spam-Level:
X-Spam-Status: No, score=-2.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=fugue.com header.b="bpDrWVXi"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="BF8DF1RN"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LtwxHbegBRPL for <dnsop@mail2.ietf.org>; Tue, 22 Jul 2025 09:34:29 -0700 (PDT)
Received: from flow-a8-smtp.messagingengine.com (flow-a8-smtp.messagingengine.com [103.168.172.143]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 3002648A711C for <dnsop@ietf.org>; Tue, 22 Jul 2025 09:34:29 -0700 (PDT)
Received: from phl-compute-12.internal (phl-compute-12.phl.internal [10.202.2.52]) by mailflow.phl.internal (Postfix) with ESMTP id 0E788138034D; Tue, 22 Jul 2025 12:34:29 -0400 (EDT)
Received: from phl-imap-06 ([10.202.2.83]) by phl-compute-12.internal (MEProxy); Tue, 22 Jul 2025 12:34:29 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue.com; h=cc :content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm3; t=1753202069; x=1753209269; bh=UGPz/migO6 DTrrSMMDM2BjRuyboRo30lLvF+px0pd1E=; b=bpDrWVXitptrQCqgkivtPx3Yx9 DKYGUto2UOjtxivQ3UHP/crxsqTDMGn/pEJMWYvQ916sgVdVllK87MAIlL7EpF8D JPcsO7h1z6op7sUSg6zuE9dUH++OghapmGELaOFQFH3VOMCndGAiB1EOx1J32pu7 fXz1Nd5Ld0sAO3XfdcNfuKqerAOw4YeTS3AAP4b13eZuddgghTDyRLtRFlDNBLgV zeVwCKFWrBhWQLfrnCVF2JXrb4dCanIhq+XAy2rgbuvgzZHJWr5KHgPdIdjfrDve Kja5zUibip7IqnMApQZSZubYJaJMf/B5jW3Vd6jMxMd9Ot6/RYJikqYdKz5g==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; t= 1753202069; x=1753209269; bh=UGPz/migO6DTrrSMMDM2BjRuyboRo30lLvF +px0pd1E=; b=BF8DF1RN0FNMaAMBURTQczTyvxc/m1c00/tC5A928ZJKfKN+AcI wNUnCBpqlcqfU9KcHST/RBheldoRGmqt85v6fg1lKEMb0dOfb/1OxP0Pvg1FsrJk LKz4LeZb8+ISW0ysTJa2u5R0jviJUZPim5j5RW6DJtBsQUNfNDeUoD8cqTg1oPm0 /wDwvJGWv55/bKVGqun70JNCDumuf/ExCk6NVSxwQF4Xslwnmg6/GOduVAfwDeF+ lWd3iAp/oCboJ/5mLcKTI44HUOscWNtRKeI2GOio/qpu8ReCDEfs7uTjKY3714cc 6SpYcFxddj2iaPvqPM008UrG+O0XVPy0Zdg==
X-ME-Sender: <xms:lL1_aMoXkQ-SsG8x4GgcSItjjTQ3At21Th4OViSEoaqwJOEMQH8x-A> <xme:lL1_aCq5VF7NOK4tkoCUHIZDSnlsxJQrFFHC_LyYlAyhFqRDENbUP6IO9pI4dcV0W cqwz4BqITGOP1MCURQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeffedrtdefgdejheeflecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpuffrtefokffrpgfnqfghnecuuegr ihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjug hrpefoggffhffvkfgjfhfutgesrgdtreerredtjeenucfhrhhomhepfdfvvgguucfnvghm ohhnfdcuoehmvghllhhonhesfhhughhuvgdrtghomheqnecuggftrfgrthhtvghrnheple elueeuteejkefhteelleffgeelveelheeiiefgveeuvddutddvkeethedugeefnecuvehl uhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepmhgvlhhlohhnse hfuhhguhgvrdgtohhmpdhnsggprhgtphhtthhopeefpdhmohguvgepshhmthhpohhuthdp rhgtphhtthhopegunhhsohhpsehivghtfhdrohhrghdprhgtphhtthhopehpshhprggtvg hksehishgtrdhorhhgpdhrtghpthhtohepjhgrsghlvgihsehsthhrrghnughkihhprdhn lh
X-ME-Proxy: <xmx:lL1_aIwBpCtQPDTCaHuZAtT1s7HxFjBh2RSJ8AcRQnVE0UEtdKgD_A> <xmx:lL1_aPh4xvcuh0ETb4a80mCHkNZMP8GiqhElGDlX7RV0JqFHEr-pEQ> <xmx:lL1_aDzVmk1ZQgWMSf2VB6iWgMemo2Ib8nv0wCMJeafi8d186ioI8w> <xmx:lL1_aCIuMixzahi74_glO_IJCKEyAaeRrteponq9nBhT_xMFiHMwVQ> <xmx:lb1_aDVgcFqoa55XJ5UfZfgnsbgiJm4cQVoWCWKj-ZJDDbQk_2nWX6Yw>
Feedback-ID: i1136489e:Fastmail
Received: by mailuser.phl.internal (Postfix, from userid 501) id B44442400094; Tue, 22 Jul 2025 12:34:28 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
MIME-Version: 1.0
X-ThreadId: T483b9ec1df0aeb22
Date: Tue, 22 Jul 2025 18:34:08 +0200
From: Ted Lemon <mellon@fugue.com>
To: Petr Špaček <pspacek@isc.org>, "dnsop@ietf.org WG" <dnsop@ietf.org>, Joe Abley <jabley@strandkip.nl>
Message-Id: <6b559aa4-8647-42cf-b75b-9b70ff1f78c3@app.fastmail.com>
In-Reply-To: <4f9e293e-0663-4bc7-b8ea-5497c43e38b5@isc.org>
References: <33857674-E1AC-48E7-A4E5-B6953535A86F@depht.com> <D60A06A4-DC62-49A6-9351-BB7EE6323D05@strandkip.nl> <35BF9B4D-175B-4442-B379-3B4D9D6FDA2F@depht.com> <C48B1F8A-808C-4EFA-A126-793DCFAD9241@strandkip.nl> <4f9e293e-0663-4bc7-b8ea-5497c43e38b5@isc.org>
Content-Type: multipart/alternative; boundary="1812c224aeba439b88c7ad475a62ed2b"
Message-ID-Hash: JJAVPRMWUMPF3HDHQ7JXGZXULMEYVKVJ
X-Message-ID-Hash: JJAVPRMWUMPF3HDHQ7JXGZXULMEYVKVJ
X-MailFrom: mellon@fugue.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: on the more general problem of delegating to other namespaces in the DNS
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7A1RsQmLdTHf5JEgr5riKLowaDM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

If there is, perhaps this will serve as a lesson to them never to tempt the IETF in this way again…

On Tue, Jul 22, 2025, at 5:39 PM, Petr Špaček wrote:
> On 24. 06. 25 13:39, Joe Abley wrote:
> > On 24 Jun 2025, at 12:20, Andrew McConachie <andrew@depht.com> wrote:
> > 
> >> But a device can also not cache an answer if the name is not present in the parent zone.
> > 
> > Ah, so this is not actually true. A device can cache a negative response from the parent zone, see RFC 2308.
> > 
> >> Adding a zone cut to nowhere doesn’t stop a device from caching some RRSet.
> > 
> > It stops a device from caching the non-existence of a name, because a referral response is a signal that the name exists (unlike a NODATA response or an NXDOMAIN response, with or without DNSSEC).
> > 
> >> Regarding the DNSSEC trust chain, it’s broken with both a zone cut to nowhere and a non-existent name.
> > 
> > In some cases, the point is to break the chain of trust. An insecure delegation to nowhere is thought by some to be useful in the case of .INTERNAL, for example, so that there is no signed proof of non-existence of the INTERNAL domain possible from a root server that might contradict the existence of the INTERNAL domain in a private namespace.
> > 
> > In other cases, the opportunity is to preserve a chain of trust. A secure delegation to nowhere for INTERNAL.COMPANY.EXAMPLE zone might be installed in the global-scope COMPANY.EXAMPLE zone; the DS RRSet installed in public might match the KSKs used to sign the DNSKEY RRSet at the INTERNAL.COMPANY.EXAMPLE zone which is visible in a private network. This might allow devices to be able to get secure responses from internal-network nameservers without needing keys to be distributed through mobile device management systems.
> > 
> >> I guess the point this draft makes is that a signed lame delegation is better than a signed proof of non-existence. Either way the private resolver or private authoritative will have to ‘fake’ some DNSSEC data, because there can never be a ‘real’ signed DS RR in the parent zone.
> > 
> > See above for a real-world example of when such a secure delegation to nowhere might be useful.
> > 
> >> I’m still left with the question of: Why is a (signed/unsigned) lame-delegation better than (signed/unsigned) non-existence?
> 
> 
> Disclaimer:
> I very much support this draft. It makes sense to me conceptually and it 
> also solves several operational issues related to delegation vs. DS 
> RRset non-existence & private namespaces.
> 
> 
> Having said that, I violently disagree with this:
> 
> > Because non-existence is a cacheable signal and unreachable is not.
> Sorry but this statement is as incorrect as it gets.
> 
> The draft section '4. Interpreting a Referral to Nowhere' explicitly 
> specifies this is NOT the case and that all normal caching rules apply. 
> Here's walk through an example to explain.
> 
> 
> Assume these RRsets are in the root zone:
> internal. 172800 NS .
> . 86400 SOA ... 86400
> 
> Let's explore RD=1 query for 'example.internal. A':
> - The resolver will get the referral 'internal. NS .'
> - Address records will be missing in the referral so it will try to 
> fetch '. A' + '. AAAA'
> - '. A/AAAA' do not exist and this information will get cached for 
> duration specified by '. SOA', see RFC 2308 section 3 and 4.
> - This will ultimately cause resolution failure and SERVFAIL will be 
> sent back to the client.
> - This SERVFAIL will most likely be further cached by RFC 2308 section 
> 7, at least for 'example.internal. A' tuple. (BAD cache, implementation 
> dependent.)
> 
> Now imagine a client re-queries again for 'example.internal. A':
> - Resolver will check the BAD cache. If it still has previous failure 
> cached immediate SERVFAIL ensues.
> - If BAD cache expired, resolver will try to resolve the stuff again and 
> number of queries sent out to root will depend on state of 'internal. 
> NS' and '. A/AAAA' in cache.
> 
> 
> For the fun of it, imagine client asked for 'somethingelse.internal. A':
> Number of queries going out will depend on state of cache again, except 
> that BAD cache might not be applicable if it is keyed on exact 
> (QNAME,QTYPE) - depends on implementation.
> 
> 
> So all in all, the primary difference will be RCODE SERVFAIL vs. 
> NXDOMAIN in response from resolver. Consequently RFC 8198 will not be 
> effective for SERVFAILs and a validating resolver has to do marginally 
> more work to arrive at the SERVFAIL (consulting cache several times to 
> find out there's nobody to contact), but other than that, the end effect 
> _of caching_ is effectively the same, including TTLs involved.
> 
> 
> 
> This draft potentially could specifying special handling for 'NS .' so a 
> nowhere-aware resolver could do less work for these cases and perhaps 
> modify it's caching strategy somehow (like, skip BAD cache, shorter TTLs 
> and what not). But hey, perhaps there's some insane private instance of 
> DNS where '. AAAA' exists!
> 
> -- 
> Petr Špaček
> Internet Systems Consortium
> 
> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-leave@ietf.org
>

v2.35.0 | Report a Bug | By Email | System Status