IETF Logo Mail Archive

[DNSOP] Re: Call for Adoption: draft-davies-internal-tld

Peter Thomassen <peter@desec.io> Fri, 18 April 2025 16:18 UTC

Return-Path: <peter@desec.io>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id E30CC1E2CD44 for <dnsop@mail2.ietf.org>; Fri, 18 Apr 2025 09:18:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.8
X-Spam-Level:
X-Spam-Status: No, score=-2.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=desec.io
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GVcN8gTZW5hS for <dnsop@mail2.ietf.org>; Fri, 18 Apr 2025 09:18:53 -0700 (PDT)
Received: from mail.a4a.de (mail.a4a.de [IPv6:2a01:4f8:10a:1d5c:8000::8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id C98781E2CD3F for <dnsop@ietf.org>; Fri, 18 Apr 2025 09:18:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=desec.io; s=20170825; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:From:Cc: References:To:Subject:MIME-Version:Date:Message-ID:Sender:Reply-To:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe :List-Post:List-Owner:List-Archive; bh=fLisZ3Qntok8Uogr/q0qupbtKMldGIJnrHbdqkYdwbY=; b=V5dwz8GS+RTSdkDe9vVDffRWJ7 DaIXvETgbzOnzkFWGUEvCRwAjNfEmmBhyMzWAy4e+prr57nxsyC+WME0533VAhgi3H5qEilPS1wIu czUcO4+KGS7KohZTzJNC386/k3WLyYV8nzEN6L+SouSoc+/wsHrR0suGE4j8SyOMg/8O4oVOPMA+4 tkDhRSOK2YSg/Ks68H92Nqjau+vXn8Hn/99JY9JpbOUOx5nsbQhjoInReAY/P92wwehB9GC/09Ouw viU4Hu4aQF+4uWTGb1YHdbEQGf+3RsANwpT3t5lQ4rEvZFwBfrxOTM00zWYEJj3Zx+3lUMaK/YyTK HcM22p0g==;
Received: from [2a02:8109:9283:8800:1cab:cef6:d751:e26a] by mail.a4a.de with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.97) (envelope-from <peter@desec.io>) id 1u5oQU-00000007ll1-1XCI; Fri, 18 Apr 2025 18:18:50 +0200
Message-ID: <83666fd3-a51f-46e1-a5ac-0b9a46361480@desec.io>
Date: Fri, 18 Apr 2025 18:18:49 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Philip Homburg <pch-dnsop-6@u-1.phicoh.com>, dnsop@ietf.org
References: <m1u5h1G-0000LcC@stereo.hq.phicoh.net>
Content-Language: en-US, de-DE
From: Peter Thomassen <peter@desec.io>
Autocrypt: addr=peter@desec.io; keydata= xsFNBFRjVn0BEADXqtra70yxQrT4MQ9DEhN0mxG6XRAOHE6nP18mqxwSlcET7D6w+z3h4ole v0tyvUU02c2wg04X8WVfjoHnAvIa1dfUcNpB1+QmfFsw0xIJlbT1ogHkMiPQqR4ChDvE3ND/ 6YCS5+HT6hY+tfU+hpLsKw4l+u1Pg2NPVLYosET1jU84b7xhFnoicnCV3kUNltLtxLKSBAfk AXtp1AWWKJbfCr3y0qKElMriicoe5DUZfLrZK2iPcWBxh+n7KMO2g7aqx3aQqwW1+S7Sq7Is l6iSurYfIcHb4AfUy4o5nPB8kKACR6BuJmkEQ5WLuTGruWA2fcxaNpICmolMinTzW1CrIjgN PoskMYCNIZ2uWxS6LN8hBiGCRL4h9aL4wuT09SvR13oAPI1HD5ph+mH6wD37/ONBXrdjcFNb 1l/uVkHU/SwwcKDJOsX18T60Ao00fciTbFHgmKtFube0xGK/vjh461TyU+xKD8Orvyeovvxy MzCwM3UVq/dkdG2Ys/7Qy/4bUC1nJEwKlLv7ZTdtSckdoU2M6JpPX6i4KDB2YCMbwtqJ842z 8A/UuE2bL9aDimh/sF8WgPIhlxqF1STNqW1JTIbDPv8HeZnM4nyJOUWStj4uRiETQhBClPLz YWtnR+EUsfbSLy81vfupbMqRasDlt6aASobgn+K7Rb1Xs/mDnwARAQABzSBQZXRlciBUaG9t YXNzZW4gPHBldGVyQGRlc2VjLmlvPsLBeAQTAQIAIgUCVGNWfQIbIwYLCQgHAwIGFQgCCQoL BBYCAwECHgECF4AACgkQ79YUOj7yLS88Dg//SbHnFGrtaImEiM69wyj4GzWnuGk9/upCym/R RzdBALCYHU9FUFFHwusiO9A0pnO8qv/GEtqqTHrcL205a6FTivkdZmOsWuN4oo7r4HBc/taI FLLUDg2wd8q4m4387sYEqrc3olGfyRB6hrMtEWVJLXHJmpcrxAaI1F2QO4Bu7kcdTnyGFz/p ZD8XAof2TWHqJb2ux69DFhiAJeAZlV+h9QrxTedL84l4hq3x1VWsnOEFaCJiThDX920kTnhJ ijrDocgAbmQBCniPACpPHYhBhmCJxfVqgfMuLMNsukOmKxsGcGV6rO1zB5ZUhm3O/Ixk6ow3 6FDKALWihg6Z4P/cJYySMn0iqvHkO8ryT9oJKX//mKaYoF6henXDRLCcRjKwGxFQTEgX+6yc pjgvX3rlypjkPT5ho4yEc5ePkQ2gIIHhvZburm1Zr4nDPx6v8+3XUjpXBRTWQ8/0/h0rtLJe yOPwGJxcfKf/GutTCqiio0mS01mIY9c2i7JWcljlIuSEUit6CHotc5lBOm2GJwguRJG6cXPY SQecwBdcjH3RTzBOv/DN6xWAIV7BmbX/e7DSGAc60mBO1/M0ut+a6CkxRQK8TaE3B3zh1/QO nG0XvtZfIY8ZYdTrdEDSV1Pj5pof/fqhhegHRxN2qi4qIuVcrW0jsUsx10IgAynHR7qQKsvO wU0EVGNWfQEQAPBA8iPCS4ZRX8stW0WuW7579axSq/Luyik4MWDFalt68lzvUbV0f6faN15+ aV7VwMTw3rSa2tP0U8crYAAAZ5NrRHXlYms5BK9vsi1322dAvhyNRawdprP627SO+Ez/84tY xz1X3M9esbN7gpJtHP6mHW76zYpT447v6c2qlbldjobZTDb6kKSGFCIrPJz9M4jVfya+ovxe 2Ab7hn2R0CcyMHATV5g1Ry0XXaj5y3bWypActbG9nflRn3NjhHZynu+WEPDUJCO8kNVNYKOw HObNTeaLvgvU0ONB8pYJv35kDXMhZLwo5MJuJd5i54CXwpo9mECwLJT1RpJi7u98nBrWyyaH s2brG9LPCRKBKOhiHFu57H+cElh+kOvehuS7DFTzjqDwJlkQzP5Hq0G++hZxfdYocKdcdFoh RP3dtDAe+Lfiy9qzJicZ6ACbzoQIN58xj0VWAn1W7SuMErOjv84D/FiXHD2Kxtx09wQl8vH0 Nbh9UgyDBNupToM0ixT+8Ko8eBuYHR53RPxshQhFw4EMIhXiOaxNe1W2Z95QPnYhUGOMoy3I v4fxMQUHa4kZSF2qxsFB1Cxol/aBPGwkwoqUvzp23pLQtJ6youYXtLgvx3pR4L52Q5CUzHMa HvM67XWgW1KqtnvNBXN9PwtDz/a9fQX1YO4CegrXv8C9Ro+LABEBAAHCwV8EGAECAAkFAlRj Vn0CGwwACgkQ79YUOj7yLS8rXA/9EGX2QRfJS94JTdtseu7saTK9a3IKwk6E33GpfXyUVpMt sOqV756XQwULZSWoxInRQtWojA8pQxDUYrbA4MpX0Efr2Dx1xIsJ5F3JajOqViB1SbOD2m0f bxXbcoWKitsKoag2SlvNOd8rD9FcgDvrkacnaQZcZE8DyyGx0JU451tfoD/igu85NZpTDaWG 6fth7QRlxmdGWrGXRdXAP29jq1n0I1wIyF/bXlZ7MXjOSsfyPddzsnHFTvNMZKps0QXNF+hi ESg9chIeo/IFDDVu6pCtm6mftojx84rczTZiNk8r2T3TU4N8uwWtXn/nj9xd61pnxD0xkTPH zxJrCs59WSfYqj3aFNkWO3Lg0/HGnO9wHQKMXcGPsnKITHVzxCNBQtVHomNA7ds6Kt3/WJgS pU2ciICvrpvKgPNWQ0d/SeY3vYIRvDLZ12Svx6M3eXDrsgZOT5be7kGVr3t7dBOYKcRHkZUq kU1kCcgp0vetISVDOc5fkpdUkAtd5/13pIpz4ikVR3OM4Br4XMVShm6RvoP4pyA+ftCi1+bw 0UbRCrnHgnG+wtCf5nMDGVLc04vITnII+ESZqlF02a1IFj0Z2MuQK2Oszl2Nsx/LG60G1e/R pzKEXIIJgHfbwUCWtV1zQu6v9Ng5H8EqVeWcdaPUwSQMGcDg/sPa4s/OxhgrYBg=
In-Reply-To: <m1u5h1G-0000LcC@stereo.hq.phicoh.net>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: TPL6F26DHCTRJ6VJDMTHIPFSHDV6SBFT
X-Message-ID-Hash: TPL6F26DHCTRJ6VJDMTHIPFSHDV6SBFT
X-MailFrom: peter@desec.io
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: Call for Adoption: draft-davies-internal-tld
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/816TYJ2BVofnTyc0PYV-Q033Ns0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>


On 4/18/25 10:24, Philip Homburg wrote:
> The current draft contains the following text:
> DNSSEC validating resolvers will fail to resolve names ending in "internal".
> 
> In my opinion we should not have a specification that leads to DNSSEC
> validation errors.

I agree this is a problem, and therefore I'm against adopting this draft unless this problem is resolved.

Once it is resolved, I have no position on adopting it: I'm not sure the draft's net benefit is positive (transparency) or negative (burden). I expect it to be minimal either way.


How to solve it? An insecure delegation would help.

Although the idea was previously discarded, it's worth reconsidering its implications. Please see below for an analysis.


When Mark suggested an insecure delegation at IETF 122, Warren objected [1] that it can't be done because the label won't be delegated, citing the SSAC recommendation:

> 5: Mark Andrews: The Locally Served Zones registry requires that there is an insecure delegation in the root zone. This is also needed to make the zone actually work with DNSSEC…
> W: I'm not at all sure that the first sentence is true - or, at least I don't really see why it follows.
> I *do* however fully agree that there really should be an insecure delegation in order to make DNSSEC work, but unfortunately the SSAC document[3] which asked for this says: "Recommendation 1: The SSAC recommends that the ICANN Board ensure a string is identified using the criteria specified in Section 4.1 and reserved at the top level for private use. This particular string must never be delegated." 

The SSAC recommendation is just a recommendation; when following it (which the ICANN Board is not obliged to), reasonable action would be to not execute it by the letter, but by its intention.

However, the constraining document, is not the SSAC report, but really the ICANN Board's resolution [2]:

> Resolved (2024.07.29.06), the Board reserves .INTERNAL from delegation in the DNS root zone permanently to provide for its use in private-use applications. The Board recommends that efforts be undertaken to raise awareness of its reservation for this purpose through the organization's technical outreach.

Note that the action ("reserves .INTERNAL from delegation") is relative to a purpose, "to provide for its use in private-use applications".

I would therefore argue that "delegation" here implicitly means a "normal delegation" because it would hand over control to some other operator, defeating the purpose.

Excluding a special pseudo-delegation that actually *helps* the purpose is not a helpful interpretation.

If .INTERNAL was delegated to a special name (like the DNS root), that purpose could be conserved, and the label would continue to be reserved from (normal) delegation -- BUT the zone would be unlinked from DNSSEC, removing related failure modes:

internal.  IN NS    .
internal.  IN NSEC  international. NS RRSIG NSEC  # no DS
internal.  IN RRSIG NSEC ...

Adding these three lines in the root zone still qualifies as "not a normal TLD delegation", but achieves the purpose while making in work with the DNSSEC protocol.

Those lines explicitly declare that the root's signing keys have no authority under .INTERNAL, which, in fact, they don't, because .INTERNAL is private use. It almost seems illogical to not have this carve-out.

In fact, *absolutely* not delegating INTERNAL. does NOT achieve the purpose "to provide for its use in private-use applications", because "it's broken by default".

Making this change is more (not less) in the spirit of the SSAC's proposal, and presumably of what the ICANN Board resolved.

Not making this change is constraining things artificially to a degree that in fact thwarts the actual purpose of the label reservation in the first place!


My suggestion is therefore that we should talk to ICANN if the above procedure would be in line with the meaning of the resolution; if not, perhaps it could be clarified. -- I'm aware this is not an IETF topic, but it is a dependency for the proposed draft to make sense.

As for why this happened, I suspect that "will not be delegated" was written to indicate that "authority" will not be transferred to any registry, but unfortunately it was forgotten that one also has to un-declare the authority of the parent's signing keys in this case. -- This seems like a simple omission, and with proper explanation I'd hope it would be possible to get it fixed.

Thanks,
Peter

[1]: https://mailarchive.ietf.org/arch/msg/dnsop/IWH_Dm3aM3HNAmBrv9PVByj8g3I/
[2]: https://www.icann.org/en/board-activities-and-meetings/materials/approved-resolutions-special-meeting-of-the-icann-board-29-07-2024-en#section2.a

-- 
https://desec.io/

v2.31.3 | Report a Bug | By Email | System Status