[DNSOP] Re: [EXTERNAL] Re: Call for Adoption: draft-davies-internal-tld

Ben Schwartz <bemasc@meta.com> Fri, 02 May 2025 14:12 UTC

From: Ben Schwartz <bemasc@meta.com>
To: Roy Arends <roy@dnss.ec>, Working Group DNSOP <dnsop@ietf.org>
Date: Fri, 02 May 2025 14:12:26 +0000
Message-ID: <SA1PR15MB4370BAE2BD669193DDB9AE44B38D2@SA1PR15MB4370.namprd15.prod.outlook.com>
References: <1C9E8ABA-4399-491B-A9F4-D9ACCB1BA72C@virtualized.org> <C497EC3A-A06B-4DCC-B0C8-382A3424D7D5@strandkip.nl> <SA1PR15MB43700B9B2C9151FB31381082B3BC2@SA1PR15MB4370.namprd15.prod.outlook.com> <866409E5-0D9A-4669-8C6E-C9D1C7BDAA21@dnss.ec>
In-Reply-To: <866409E5-0D9A-4669-8C6E-C9D1C7BDAA21@dnss.ec>
Subject: [DNSOP] Re: [EXTERNAL] Re: Call for Adoption: draft-davies-internal-tld
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/8T6FEhikl6ukSvFs_tlRzKwcylc>

We are comparing two options, and two types of deployments:

Option A: .internal is provably nonexistent at the root
Option B: .internal is an unsigned delegation at the root

Type 1: A deployment that controls the stub's DNSSEC configuration
Type 2: A deployment that cannot customize the client's DNSSEC configuration

For Type 1, options A and B achieve the same security and functionality.  Either way, the deployment can make use of .internal as a signed or unsigned zone, by configuring stubs with a local positive or negative trust anchor.

For Type 2, "A" makes .internal empty for validating stubs, whereas "B" entrusts its contents to the recursive resolver.

The ICANN SSAC report suggests that one goal of .internal is to support devices that can function "without a priori knowledge of the network environment in which those devices are deployed".  This suggests that the SSAC intends for .internal to be usable in Type 2 deployments.

I think the working group could reasonably publish a recommendation that "root zone owners" (i.e. ICANN) who are reserving "private-use TLDs" (i.e. .internal) SHOULD use an unsigned self-delegation unless "Type 2" deployments are clearly out of scope, for the sake of compatibility with non-customized validating stub resolvers.

--Ben
________________________________
From: Roy Arends <roy@dnss.ec>
Sent: Friday, May 2, 2025 6:20 AM
To: Working Group DNSOP <dnsop@ietf.org>
Subject: [DNSOP] Re: [EXTERNAL] Re: Call for Adoption: draft-davies-internal-tld


> On 17 Apr 2025, at 19:49, Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org> wrote:
>
> I wonder if we could use this draft, if adopted, to recommend an insecure delegation for .internal (and any future domains of this kind?) back to the root.

I assume that the intent is that an unsigned delegation for .internal in the public DNS root zone would allow local overrides for .internal domains.

This introduces a significant security issue: Attackers can more easily spoof local .internal queries, as no cryptographic proof of authenticity exists. Deploying an unsigned delegation for .internal allows a unilateral downgrade attack on all internal namespaces.

An alternative is a Negative Trust Anchor (NTA) (RFC7646). NTAs explicitly instruct validating stub resolvers to treat a namespace (in this case, .internal) as unsigned locally.
They are explicitly configured locally, so validation is intentionally bypassed by trusted local administrators rather than globally disabled for everyone. It clearly signals administrative intent and control.

Roy
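As an added illustration (not part of either message above), here is how a "Type 1" deployment, one that controls its stubs' DNSSEC configuration, could express the two local-anchor choices discussed in this thread in Unbound syntax: the negative trust anchor that Roy describes (RFC 7646 style, `domain-insecure`) and the positive trust anchor for a self-signed .internal that Ben mentions. The key-file path, the stub server address and the DS record are constructed placeholders, not values from the page.

```conf
server:
    # Validate normally against the public root trust anchor
    # (RFC 5011 managed file; the path is an assumed example).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Negative trust anchor (the RFC 7646 approach): this stub treats
    # "internal." as unsigned whatever the root says about it, so locally
    # served answers come back Insecure rather than Bogus under either
    # Option A (provable nonexistence) or Option B (unsigned delegation).
    domain-insecure: "internal."

    # Positive trust anchor alternative for a deployment that signs
    # .internal itself: drop domain-insecure above and anchor the local
    # zone's DS here. The DS below is a constructed placeholder only.
    # trust-anchor: "internal. DS 12345 13 2 0000000000000000000000000000000000000000000000000000000000000000"

# Send .internal queries to the deployment's own authoritative server
# instead of the public root (address is a documentation-range placeholder).
stub-zone:
    name: "internal."
    stub-addr: 192.0.2.53
```

Either form is explicit, per-deployment administrative intent; a "Type 2" client that cannot be configured this way gets neither and falls back to whatever the root publishes, which is the case the two options differ on.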