[DNSOP] Re: [Ext] Re: what problem are we trying to solve, was Call for Adoption: draft-davies-internal-tld

Mark Andrews <marka@isc.org> Tue, 17 June 2025 20:10 UTC

From: Mark Andrews <marka@isc.org>
Date: Wed, 18 Jun 2025 06:10:11 +1000
Message-Id: <DF7161E9-F4CE-42AE-A449-A65A8819B410@isc.org>
References: <20250617171743.87B03CE96906@ary.qy>
In-Reply-To: <20250617171743.87B03CE96906@ary.qy>
To: John Levine <johnl@taugh.com>
CC: dnsop@ietf.org
Subject: [DNSOP] Re: [Ext] Re: what problem are we trying to solve, was Call for Adoption: draft-davies-internal-tld
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7O-yv8SsiZxq3-kS3J7aTSX5Sgg>

And if the stubs are validating then the answer for 10.in-addr.arpa DS is a provable NOERROR NODATA response that says there is a delegation at that point in the tree.  That validator does NOT need to be configured to say ‘DO NOT VALIDATE THIS NAMESPACE’. 

With internal DS the validator gets back a provable NXDOMAIN so it won’t accept any answer a local recursive server gives for names ending in .internal but a provable NXDOMAIN.

You can see this behaviour using a validating recursive server configured to forward all queries to a local recursive server with a .internal zone. Or one can use the delv tool from BIND pointing it at a recursive server with a .internal zone. 

Mark 
-- 
Mark Andrews

> On 18 Jun 2025, at 03:19, John Levine <johnl@taugh.com> wrote:
> 
> It appears that Petr Špaček <pspacek@isc.org> said:
>>> I dunno about you, but on all the systems I use the local cache substitutes
>>> a stub for 10.in-addr.arpa so it doesn't matter what the global DNS says.
>> Have you used a Linux system recently? glibc does not do that and few
>> distros come with full-fledged DNS recursor on host by default.
> 
> I point all my stubs at unbound which by default has a special case for 10.in-addr.arpa.
> You can override it if you want.
> 
> R's,
> John
> 
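
The distinction drawn in the message above, between a provable NODATA for `10.in-addr.arpa DS` and a provable NXDOMAIN for `internal`, modelled as an added example (not part of the original message, and not BIND or delv code). The NSEC owner names, next names and type sets are constructed sample data, and signature verification of the NSEC records is assumed to have already succeeded.

```python
# Added illustration: a simplified model of a validating resolver's decision.
# Not BIND/delv code. NSEC tuples are constructed sample data and are assumed
# to have already passed RRSIG verification up to the trust anchor.

def canon_key(name):
    """RFC 4034 section 6.1 ordering key: lowercased labels, rightmost first."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return [l.encode() for l in reversed(labels)]

def nsec_covers(owner, next_name, qname):
    """True if qname sorts strictly between an NSEC owner and its next name."""
    o, n, q = canon_key(owner), canon_key(next_name), canon_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC in the zone wraps back to the apex

def classify_denial(qname, nsec):
    """Classify what a validated NSEC proves about a DS query for qname."""
    owner, next_name, types = nsec
    if canon_key(owner) == canon_key(qname):
        # NODATA for DS: NS present without DS or SOA marks an unsigned cut.
        if "NS" in types and "DS" not in types and "SOA" not in types:
            return "insecure-delegation"
        return "nodata"
    if nsec_covers(owner, next_name, qname):
        return "nxdomain"
    return "no-proof"

def verdict_for_unsigned_answer(qname, nsec):
    """What a validator does with an unsigned local answer at or below qname."""
    proof = classify_denial(qname, nsec)
    if proof == "insecure-delegation":
        return "insecure"  # accepted unvalidated, no special configuration
    if proof == "nxdomain":
        return "bogus"     # contradicts the signed proof of non-existence
    return "indeterminate"

# Constructed NSEC data: (owner, next name, types present at owner)
ARPA_NSEC = ("10.in-addr.arpa.", "100.in-addr.arpa.", {"NS", "RRSIG", "NSEC"})
ROOT_NSEC = ("int.", "international.", {"NS", "DS", "RRSIG", "NSEC"})

if __name__ == "__main__":
    print(verdict_for_unsigned_answer("10.in-addr.arpa.", ARPA_NSEC))
    print(verdict_for_unsigned_answer("internal.", ROOT_NSEC))
```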