IETF Logo Mail Archive

[DNSOP] Re: [Ext] Re: Call for Adoption: draft-davies-internal-tld

John Levine <johnl@taugh.com> Thu, 01 May 2025 01:55 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 118AA2371E7A for <dnsop@mail2.ietf.org>; Wed, 30 Apr 2025 18:55:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.4
X-Spam-Level:
X-Spam-Status: No, score=-4.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=iecc.com header.b="QHXtu3h8"; dkim=pass (2048-bit key) header.d=taugh.com header.b="Pj2McGR7"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZJAoqDkX7qRU for <dnsop@mail2.ietf.org>; Wed, 30 Apr 2025 18:55:46 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id EB6882371E75 for <dnsop@ietf.org>; Wed, 30 Apr 2025 18:55:45 -0700 (PDT)
Received: (qmail 39260 invoked from network); 1 May 2025 01:55:45 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=iecc.com; h=date:message-id:from:to:subject:in-reply-to:references:mime-version:content-type:content-transfer-encoding:cleverness; s=995a6812d4a1.k2504; t=1746064535; x=1746410135; bh=V5A947pmuJzLIH4VQ0BXUnaTtW1tcKIQQVKQ2L1GMlI=; b=QHXtu3h8K9yls9jc5ieXZXWm00FEJamganu2VqfRnJbylPugxj4csFz4gCp6V3lMgXYC5HJMjD1fO2ok3iHtehLDa9c5HqSv6CTqHajh8Kj/E/z3MIRSLnKWNKQzsWvx1aMHQVNoVuOPJSFfCBVuXskRL7AYAANJnFRRe+/Um8+03grhcCuvIDNCa24HxBnici6mXpHSN2fyUSXbxjlseutT6E5P+RdZgxQtDZPy6EKoqD261Aq1ObEF8OdJvkCko6je2smb1EzcFbyfe1HTpEV8/sWUTSpfnKrK0Jd1fbOnJz+l6IoTm30b8aLguw01ye6bxEEZHYof3nyQwbFh1w==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=taugh.com; h=date:message-id:from:to:subject:in-reply-to:references:mime-version:content-type:content-transfer-encoding:cleverness; s=995a6812d4a1.k2504; bh=V5A947pmuJzLIH4VQ0BXUnaTtW1tcKIQQVKQ2L1GMlI=; b=Pj2McGR7r/mavw+f4tJ/A7q1JZiW7jla6FHF1WVi7bYMcSuA69gaOSsuEmBRG8R6DqHWVYlq2bgY2WyUsD/ergnHj7BWFf0uhncGFnOyYI2vH1jJGi7NC0WAba0V8FblZEJ6i6gcGm6r88SIOaVciOlCOC3D8NvtLPV1F33suFwdwMs6OQmfirIbHganFdIvO28twkyIsrW8BmpJQEhIJF16Z9TV+ndC4WUfXjDfoIRKqP4nn9LadwLKpXBI4ACIMSsbsZl7FMvTuZryarN5N2c9A9vQI8MaicewKwxEr0DwIVDUsP6sQkGQ5D7LBiAqZ8PKsX0mhcLYcDgST8RizQ==
Received: from ary.qy ([IPv6:2001:470:1f07:1126:0:78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126:0:78:696d:6170]) with ESMTPS (TLS1.3 ECDHE-RSA CHACHA20-POLY1305 AEAD) via TCP6; 01 May 2025 01:55:44 -0000
Received: by ary.qy (Postfix, from userid 501) id 6E9E9C7136B6; Wed, 30 Apr 2025 21:55:43 -0400 (EDT)
Date: Wed, 30 Apr 2025 21:55:43 -0400
Message-Id: <20250501015544.6E9E9C7136B6@ary.qy>
From: John Levine <johnl@taugh.com>
To: dnsop@ietf.org
In-Reply-To: <6ad73a8b-aab7-4765-9f85-49d7483ca917@app.fastmail.com>
Organization: Taughannock Networks
References: <m1u5h1G-0000LcC@stereo.hq.phicoh.net> <83666fd3-a51f-46e1-a5ac-0b9a46361480@desec.io> <49E3B1B6-E960-4A46-9C5D-2721FD57132D@depht.com> <3b5fb9e7-8a2b-420f-a2fb-dd6f6a0b88ae@isc.org> <89047B78-A2B1-43F2-A996-94DF1E90538A@depht.com> <cc84f69c-c349-4d91-b942-80221b564a9b@isc.org> <ac48e27d-479f-42f3-b87f-891220ef2fe8@app.fastmail.com> <BE721880-6254-48F4-9F91-567A99E0511B@icann.org> <m1u7asT-0000MtC@stereo.hq.phicoh.net> <01E23110-9A50-4187-8A54-34D514504F9B@strandkip.nl> <3A48CBC3-B55B-4FCF-B713-A7CA4C7BB7CC@strandkip.nl> <8E36C1B8-C67B-4704-9E3B-7143863E2262@icann.org> <87f219df-34f0-48fa-89cf-8cb8300c86c2@app.fastmail.com> <1359A8E4-E436-4EC5-B5C7-E0713A3E8182@icann.org> <b5e95596-ffa7-491f-86c5-27a9c98b4336@app.fastmail.com> <6ad73a8b-aab7-4765-9f85-49d7483ca917@app.fastmail.com>
X-Headerized: yes
Cleverness: minimal
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Message-ID-Hash: LRYAIVDUPQLAEZE6JVLMPI3YSJK2ND4N
X-Message-ID-Hash: LRYAIVDUPQLAEZE6JVLMPI3YSJK2ND4N
X-MailFrom: johnl@iecc.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: [Ext] Re: Call for Adoption: draft-davies-internal-tld
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/9e8eopajZtxSN9yY82L-qV87Gzw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

It appears that Ted Lemon  <mellon@fugue.com> said:
>-=-=-=-=-=-
>
>Er, I should add that since using DoH is pretty common, if .internal isn’t listed in the locally-served domains registry its subdomains probably will indeed show up as nxdomain. 

If you're using DoH to bypass the local resolver, you're not going to see .internal at all.  If you're using it to talk to the local resolver
you will presumably get the same asnswers as Do53 or DoT.  I still see an awful lot of assumptions about what resolvers might or might not
do.

R's,
John


>
>On Wed, Apr 30, 2025, at 9:25 PM, Ted Lemon wrote:
>> The local resolver can safely lie about the delegation, so unless the stub resolver queries the root directly this isn’t an issue. Even if it does, unless it uses DoH, the
>edge router can intercept the query. But this isn’t generally necessary. If you’re doing DNSSEC the only reason not to trust the local resolver is if it doesn’t give
>enough answers to construct the proofs. 
>> 
>> On Wed, Apr 30, 2025, at 1:34 PM, Paul Hoffman wrote:
>>> On Apr 30, 2025, at 10:21, Ted Lemon <mellon@fugue.com> wrote:
>>> > 
>>> > The reason to do an insecure delegation is so that the public dns doesn’t securely deny the existence of the zone. If there is a secure denial of existence, a validating
>stub resolver will not use responses from the local resolver because they will be bogus. 
>>> 
>>> This seems to be talking about a validating stub resolver that is configured to also get answers from a particular recursive resolver, yes?
>>> 
>>> 1) Wouldn't the stub get two conflicting NS records for .internal, one from the root itself and the other from the recursive? All attempts for lookups would have a 50% chance
>of going to the blackhole nameserver.
>>> 
>>> 2) Wouldn't having an insecure delegation in the root prevent the recursive from signing .internal itself because the root responds with an NSEC proving there cannot be a DS? 
>>> 
>>> Again, I could be missing something, but it seems that both of those would hurt the validating stub resolver. A validating stub resolver could instead easily be configured
>with the trust anchor for the recursive resolver it is configured for.
>>> 
>>> --Paul Hoffman

v2.31.3 | Report a Bug | By Email | System Status