Re: [DNSOP] DNS privacy and AS 112: the case of home.arpa

Ted Lemon <mellon@fugue.com> Wed, 13 December 2017 22:15 UTC

From: Ted Lemon <mellon@fugue.com>
Message-Id: <23CF8A88-F530-426D-A6A9-4B80AF28D603@fugue.com>
Date: Wed, 13 Dec 2017 17:14:54 -0500
In-Reply-To: <EC253232-3713-426E-9300-20AE38C8BE4F@hopcount.ca>
Cc: Stephane Bortzmeyer <bortzmeyer@nic.fr>, dnsop@ietf.org, Paul Vixie <paul@redbarn.org>
To: Joe Abley <jabley@hopcount.ca>
References: <20171211090051.qjoruin7nkdjsnvd@nic.fr> <5A2E4B7C.50509@redbarn.org> <20171211091800.wonjnvhl3xrx6r4s@nic.fr> <118C37A8-0DEF-460B-8A79-AAE470D3CED8@hopcount.ca> <1B37BBA1-D141-441A-855E-1ACFF2DC15BD@fugue.com> <EC253232-3713-426E-9300-20AE38C8BE4F@hopcount.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/AtGtws7iqCFPNoXsgezjrpq6pHk>
Subject: Re: [DNSOP] DNS privacy and AS 112: the case of home.arpa

On Dec 13, 2017, at 4:46 PM, Joe Abley <jabley@hopcount.ca> wrote:
> The document actually specifies quite clearly that the delegation "MUST NOT include a DS record" which seems to be different from what you are saying. It also specifies that the delegation "MUST point to one or more black hole servers", which is pretty vague language following a MUST.

I second-guessed myself on the double negative in the previous message. What I meant, and what I believe the document clearly says, is that there must be a delegation, and it must not be signed. The point of this is to avoid either a secure denial of existence (the status quo) or a secure delegation. Either of these would completely prevent home.arpa from working for a validating stub.

> I appreciate that the intention of homenet may well have been clear, but the text in section 7 is definitely not clear. I think actually it would have been reasonable for IANA to send it back as ambiguous before it got to the RFC Editor queue.

Can you point to the actual ambiguity? The reason we said "one or more black hole servers" was to leave it up to the operator of .arpa to decide which black hole servers and how many of them. That was a deliberate choice, not an omission.
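The three outcomes Ted describes above (secure denial of existence, secure delegation, unsigned delegation) differ in what a validating stub concludes about answers served by the home's own name server. The following is an added illustration, not code from this thread, from homenet, or from any RFC: it models the validator's decision in the terms RFC 4035 uses (secure, insecure, bogus) for a constructed parent response. The `ParentReferral` fields and the verdict strings are assumptions chosen for the example; real validators work from the actual RRsets and signatures.

```python
from dataclasses import dataclass
from enum import Enum


class DelegationState(Enum):
    """What the signed parent zone (.arpa) is modelled as saying about home.arpa."""
    SECURE_DENIAL = "secure denial of existence"   # NSEC/NSEC3 proves home.arpa does not exist
    SECURE_DELEGATION = "secure delegation"        # NS present together with a DS RRset
    INSECURE_DELEGATION = "insecure delegation"    # NS present, authenticated proof that no DS exists
    UNPROVEN = "unproven"                          # NS present, no DS, and no proof of its absence


@dataclass(frozen=True)
class ParentReferral:
    """Constructed model of the parent's response for home.arpa (assumption, not real data)."""
    has_ns: bool
    has_ds: bool
    proves_no_ds: bool = False      # authenticated NSEC/NSEC3 denial of the DS RRset at the cut
    proves_nxdomain: bool = False   # authenticated NSEC/NSEC3 denial of the whole name


def classify(referral: ParentReferral) -> DelegationState:
    """Map the parent's response onto the delegation state a validator would derive."""
    if referral.has_ns and referral.has_ds:
        return DelegationState.SECURE_DELEGATION
    if referral.has_ns and referral.proves_no_ds:
        return DelegationState.INSECURE_DELEGATION
    if referral.has_ns:
        # A delegation without DS and without an authenticated denial of DS cannot be
        # proven insecure; a validator has to treat data under it as bogus.
        return DelegationState.UNPROVEN
    if referral.proves_nxdomain:
        return DelegationState.SECURE_DENIAL
    return DelegationState.UNPROVEN


def stub_verdict(referral: ParentReferral, local_answer_chains_to_ds: bool = False) -> str:
    """Verdict a validating stub reaches on an answer served from inside the home.

    local_answer_chains_to_ds models whether the home server's signatures chain to a DS
    published in .arpa; for a zone shared by every home this is not achievable in practice.
    """
    state = classify(referral)
    if state is DelegationState.INSECURE_DELEGATION:
        return "insecure: accepted without validation"
    if state is DelegationState.SECURE_DELEGATION:
        return "secure" if local_answer_chains_to_ds else "bogus: no chain of trust from DS"
    if state is DelegationState.SECURE_DENIAL:
        return "bogus: parent proves the name does not exist"
    return "bogus: cannot prove the delegation is insecure"


def homenet_scenarios() -> dict:
    """The cases discussed in the thread, each as a constructed parent response."""
    return {
        "status quo (no delegation, signed denial)":
            stub_verdict(ParentReferral(has_ns=False, has_ds=False, proves_nxdomain=True)),
        "delegation with DS":
            stub_verdict(ParentReferral(has_ns=True, has_ds=True)),
        "unsigned delegation, DS absence proven (what the document requires)":
            stub_verdict(ParentReferral(has_ns=True, has_ds=False, proves_no_ds=True)),
        "delegation, DS absent but not proven":
            stub_verdict(ParentReferral(has_ns=True, has_ds=False)),
    }


if __name__ == "__main__":
    for scenario, verdict in homenet_scenarios().items():
        print(f"{scenario}: {verdict}")
```

Only the unsigned delegation with an authenticated proof of "no DS" lets a validating stub use the home server's answers; the other three cases end in a bogus result, which is the failure the message says the delegation requirement is meant to avoid.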