Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

"John Levine" <johnl@taugh.com> Wed, 19 October 2016 14:10 UTC

Date: Wed, 19 Oct 2016 14:09:54 -0000
Message-ID: <20161019140954.31332.qmail@ary.lan>
From: John Levine <johnl@taugh.com>
To: dnsop@ietf.org
In-Reply-To: <20161018220716.2A18956F019C@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/CZesGdFifKCtmDYqGhRw5p7eN1Y>
Subject: Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

>You may not care that validating stub resolvers that ask for
>example.local get back answers that can be validated as NXDOMAIN
>without leaking queries to the root but I do.  Just adding the zone
>locally without having the insecure delegation results in just that
>condition.

It just occurred to me that we seem to disagree about what problem
we're solving here.

If we see a DNS query for .local or .onion, an application is trying
to use mDNS or Tor on a machine that doesn't implement them.  On
machines that do implement mDNS and Tor, neither does DNSSEC
signatures, so there is no reason to provide answers that the
application is not looking for.

So a cache stub that provides unsigned answers to .local and .onion
queries is just fine.  If the client treats that as SERVFAIL or
whatever it does with unverified answers, that's fine too.

R's,
John
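The behaviour the message argues for, a local resolver that sinks queries for the special-use TLDs .local and .onion with an unsigned NXDOMAIN instead of forwarding them to the root, can be illustrated with a few lines of DNS wire-format handling. The following is an added example, not code from this thread or from any resolver implementation; it assumes a minimal resolver front end (`handle`) that parses the question section of an incoming query and decides between sinking it locally and forwarding it upstream. The sample queries are constructed inline.

```python
import struct

# Special-use TLDs that this local resolver answers itself instead of
# sending to the root.  .local (RFC 6762) and .onion (RFC 7686) are the
# two named in the message; the set is an assumption of this example.
SINK_TLDS = {"local", "onion"}

RCODE_NXDOMAIN = 3


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qid, name, qtype=1):
    """Build a plain recursive query (RD=1) for name/qtype, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(packet):
    """Return (id, flags, qname, qtype, qclass, raw_question_bytes)."""
    qid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels = []
    pos = 12
    while True:
        length = packet[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:
            # Compression pointers never appear in a well-formed question.
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return qid, flags, ".".join(labels).lower(), qtype, qclass, packet[12:pos + 4]


def should_sink(qname):
    """True when the rightmost label is one of the sunk special-use TLDs."""
    return qname.rsplit(".", 1)[-1] in SINK_TLDS


def rcode(packet):
    """Extract the RCODE from a DNS header."""
    return packet[3] & 0x0F


def handle(packet):
    """Sink queries under SINK_TLDS locally; mark everything else to forward.

    The synthesised answer is deliberately minimal: no SOA in the authority
    section and no RRSIG/NSEC records, so a validating stub has nothing to
    validate.  That is exactly the trade-off discussed in the thread.
    """
    qid, qflags, qname, qtype, qclass, question = parse_question(packet)
    if not should_sink(qname):
        return "forward", None
    # QR=1, copy RD from the query, RA=1, RCODE=NXDOMAIN.
    flags = 0x8000 | (qflags & 0x0100) | 0x0080 | RCODE_NXDOMAIN
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return "sink", header + question


if __name__ == "__main__":
    for name in ("example.local", "abc.onion", "www.example.com"):
        kind, resp = handle(build_query(0x1234, name))
        print(name, "->", kind, "" if resp is None else "rcode=%d" % rcode(resp))
```

Running the block prints `sink` with `rcode=3` for the two special-use names and `forward` for the ordinary one. Because the sunk answer carries no DNSSEC records, a validating client is free to treat it as unverified, which is the outcome the author says is acceptable for hosts that do not implement mDNS or Tor.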