Re: [DNSOP] ALT-TLD and (insecure) delgations.

George Michaelson <ggm@algebras.org> Sat, 04 February 2017 01:58 UTC

In-Reply-To: <5BB1A3F5-5EFB-4164-9720-68E262E58636@fugue.com>
References: <CAHw9_i+8PA3FQx8FqW-xQ_96it7k-g5UrMB7fxARUi1gwQ++hw@mail.gmail.com> <20170201204455.6nymmjlj5lzq2ect@mycre.ws> <CAHw9_iJ50jWgsAe+hRKUtubfAtpt7+GEeCKEASzypcf86+4nYA@mail.gmail.com> <20170204015158.GB67739@mx2.yitter.info> <5BB1A3F5-5EFB-4164-9720-68E262E58636@fugue.com>
From: George Michaelson <ggm@algebras.org>
Date: Fri, 03 Feb 2017 20:58:43 -0500
Message-ID: <CAKr6gn1J1_OW=d8pc9S2ZW5Zfd1m9cQqOmOH-sTc5Rs46hpFdg@mail.gmail.com>
To: Ted Lemon <mellon@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/DJcBK5fgItN3HNgZ8ZRNSoNLOUU>
Cc: dnsop WG <dnsop@ietf.org>, Andrew Sullivan <ajs@anvilwalrusden.com>
Subject: Re: [DNSOP] ALT-TLD and (insecure) delgations.

Sorry to be thick, but can we have both on a case-by-case basis somehow?
It feels like no, because the sign over the zone state implicitly
carries either denial of all false, or denial of none. I can't see how
it can be in a dualistic middle ground.

But if we could do it somehow, cleverly, it would be neat: those that
need to exist with DNSSEC as alternate namespaces can, while more
normal odd names just exist, and those who want to be denied out of
all existence are repudiated.

-g

On Fri, Feb 3, 2017 at 8:54 PM, Ted Lemon <mellon@fugue.com> wrote:
> On Feb 3, 2017, at 8:51 PM, Andrew Sullivan <ajs@anvilwalrusden.com> wrote:
>
>> If the resolver "has a local zone for alt" -- I think this means it is
>> authoritative for that zone -- why would it ask the root about it at
>> all?
>
>
> This is a rehash of the .homenet discussion we had a few weeks ago.   As
> long as the stub resolver isn't validating, it's no problem. If it is
> validating, then the recursive resolver can't fool the stub resolver if
> there's a secure denial of existence.
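An added example (mine, not from any participant in this thread) of the two outcomes Ted contrasts, as a validating stub would derive them from the signed parent's NSEC chain. It assumes the parent is the root, that its NSEC RRsets have already passed RRSIG validation, and uses constructed chains that do not reflect the real root zone:

```python
# Constructed illustration of how a validating stub reads a signed parent's NSEC
# chain for a locally served name such as "alt.". Chains below are made up.

def _canon(name):
    """RFC 4034 s6.1 canonical form: lowercase labels, most significant label first."""
    return tuple(l.lower().encode() for l in name.rstrip(".").split(".") if l)[::-1]

def _ancestors(name):
    """The name itself, then each ancestor below the root apex (x.alt. -> x.alt., alt.)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return [".".join(labels[i:]) + "." for i in range(len(labels))]

def nsec_covers(owner, nxt, name):
    """True if owner < name < nxt in canonical order; the last NSEC wraps to the apex."""
    o, n, q = _canon(owner), _canon(nxt), _canon(name)
    if o < n:
        return o < q < n
    return o < q or q < n  # wrap-around span at the end of the chain

def classify(nsec_chain, name):
    """nsec_chain: list of (owner, next_owner, type_bitmap) taken from the parent zone."""
    by_owner = {_canon(o): types for o, _, types in nsec_chain}
    for anc in _ancestors(name):
        types = by_owner.get(_canon(anc))
        if types is None:
            continue
        if "NS" in types:  # delegation point: the child zone owns everything below it
            return "secure delegation" if "DS" in types else "insecure delegation"
        if _canon(anc) == _canon(name):
            return "exists in parent"
    for owner, nxt, _ in nsec_chain:
        if nsec_covers(owner, nxt, name):
            return "secure denial of existence"  # any positive answer for name is bogus
    return "no proof"

# Scenario A (constructed): the root has no "alt" entry; the span abb. -> am. proves it.
ROOT_SECURE_DENIAL = [
    (".",    "abb.", {"SOA", "NS", "DNSKEY", "NSEC", "RRSIG"}),
    ("abb.", "am.",  {"NS", "DS", "NSEC", "RRSIG"}),
    ("am.",  ".",    {"NS", "DS", "NSEC", "RRSIG"}),
]
# Scenario B (constructed): the root delegates "alt" with no DS, an insecure delegation.
ROOT_INSECURE_DELEGATION = [
    (".",    "abb.", {"SOA", "NS", "DNSKEY", "NSEC", "RRSIG"}),
    ("abb.", "alt.", {"NS", "DS", "NSEC", "RRSIG"}),
    ("alt.", "am.",  {"NS", "NSEC", "RRSIG"}),
    ("am.",  ".",    {"NS", "DS", "NSEC", "RRSIG"}),
]
```

Every name under alt. gets the same verdict as alt. itself in both scenarios, which is the single-outcome property the thread is circling: the parent's NSEC state at the delegation point either repudiates the whole subtree or lets unsigned answers through for all of it.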