Re: [DNSOP] additional special names Fwd: I-D Action: draft-chapin-additional-reserved-tlds-00.txt

Ralf Weber <dns@fl1ger.de> Wed, 29 January 2014 16:40 UTC

Return-Path: <dns@fl1ger.de>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62BC51A0356 for <dnsop@ietfa.amsl.com>; Wed, 29 Jan 2014 08:40:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.301
X-Spam-Level:
X-Spam-Status: No, score=-1.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_64=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ORue9HjfmKTq for <dnsop@ietfa.amsl.com>; Wed, 29 Jan 2014 08:40:45 -0800 (PST)
Received: from nox.guxx.net (nox.guxx.net [78.46.109.173]) by ietfa.amsl.com (Postfix) with ESMTP id B61821A02F2 for <dnsop@ietf.org>; Wed, 29 Jan 2014 08:40:45 -0800 (PST)
Received: by nox.guxx.net (Postfix, from userid 65534) id 6F18BDB830B; Wed, 29 Jan 2014 17:40:42 +0100 (CET)
Received: from porcupinetree.ddns.nominum.com (PorcupineTree.ddns.nominum.com [64.89.225.138]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by nox.guxx.net (Postfix) with ESMTPSA id C595CDB811B; Wed, 29 Jan 2014 17:40:40 +0100 (CET)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
From: Ralf Weber <dns@fl1ger.de>
In-Reply-To: <72A3E4AE-F116-4496-BADB-5973DEC46598@vpnc.org>
Date: Wed, 29 Jan 2014 08:40:38 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <C2A6625B-BEF7-41D6-B8BB-B870694CAFD9@fl1ger.de>
References: <20140129055438.2402.qmail@joyce.lan> <97E20887-2B9C-4EAD-826B-043306605F88@fl1ger.de> <72A3E4AE-F116-4496-BADB-5973DEC46598@vpnc.org>
To: Paul Hoffman <paul.hoffman@vpnc.org>
X-Mailer: Apple Mail (2.1827)
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Subject: Re: [DNSOP] additional special names Fwd: I-D Action: draft-chapin-additional-reserved-tlds-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jan 2014 16:40:47 -0000

Moin!

On 29 Jan 2014, at 08:10, Paul Hoffman <paul.hoffman@vpnc.org>; wrote:
>> There is a huge, easily-identifiable difference between adding a token *before* the application process that started in 2012 and then later asking for a hold-back, and adding it *after*.
> 
> All names in draft-chapin-additional-reserved-tlds were in widespread use before the application process. If someone wants to start using a new TLD now, they know where to go ask for it.
That they where in use before the new GTLD process doesn't change the fact that they were not supposed to be asked on the global DNS namespace.

>> I also don't think there are risks in delegation these other than
>> the applicants will get lots of traffic.
> 
> Others disagree. ICANN has documented many scenarios where there are security problems when what was earlier expected to either get local resolution or an NXDOMAIN starts getting real answers.
By risks I meant risks to the Internet as a whole. There surely is a security problem when you answer with an A record where you before gave back NXDomain for the person doing that. But that hasn't stopped people deploying NXDomain redirections and again the real problem is that you are using something in the global name space that is not supposed to be there. There are other uses of DNS where giving out an record instead of NXDomain has security implications (NXR redirections, fat finger domains, searchlists) and none of them have been treated special here. Also there are IMHO currently other more pressing security issues with the Internet than people getting an A record back for router.home.

So long
-Ralf