Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

David Conrad <drc@virtualized.org> Tue, 17 March 2015 17:49 UTC

From: David Conrad <drc@virtualized.org>
In-Reply-To: <515E25C7-B711-4C41-8C8D-2B5A57DF9B1E@difference.com.au>
Date: Tue, 17 Mar 2015 10:49:13 -0700
Message-Id: <6CF06CE1-FB50-4BD8-AF54-4CCAAEA93B0B@virtualized.org>
References: <CAFggDF0XX3v7yGsaCwFnE7cjK0yz4-frxFgoBJfnztO8k-LFBg@mail.gmail.com> <alpine.LFD.2.10.1503162052420.20709@bofh.nohats.ca> <D12DE3BF.B714%alecm@fb.com> <515E25C7-B711-4C41-8C8D-2B5A57DF9B1E@difference.com.au>
To: David Cake <dave@difference.com.au>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/E10hPebCPFOZzsrLBFdFDpJaCUM>
Cc: Christian Grothoff <christian@grothoff.org>, Alec Muffett <alecm@fb.com>, dnsop <dnsop@ietf.org>, Richard Barnes <rlb@ipv.sx>, Mark Nottingham <mnot@mnot.net>, Brad Hill <hillbrad@fb.com>, Jacob Appelbaum <jacob@appelbaum.net>, Paul Wouters <paul@nohats.ca>
Subject: Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

Hi,

> More details on the dangers associated with these certificates in the context of an active gTLD expansion, especially in ICANN SSAC document SSAC057:
> https://www.icann.org/en/system/files/files/sac-057-en.pdf
Yes.

> As per that document, ICANN security team have been among the groups pressuring to have the local namespaces loophole closed for at least a couple of years now. And the problem has scuttled some gTLD applications that are regarded as too tainted by the issue already (e.g. .corp).

To be clear, the CA stuff isn't the sole reason applied-for gTLDs like .corp were 'scuttled' -- the large number of queries for .corp and .home (in particular) seen at the root suggested the risk of name collision was too high (see https://datatracker.ietf.org/doc/draft-chapin-additional-reserved-tlds/).

> I agree with Richard Barnes that the special purpose behaviour of .onion always returning an NXDOMAIN where possible to prevent information leakage is enough to justify its inclusion on the Special-Use List. While it will be difficult to update all resolver implementations everywhere, it shouldn't be hard to achieve significant compliance (can't you implement this requirement with a very small amount of RPZ config?), and thus significant mitigation of the information leakage issue can be achieved.

The risk of information leakage will remain as long as the query leaves the local machine (making the assumption that the local machine can be trusted).  This risk will remain as long as APIs/libraries do not consult the Special Names Registry and don't forward names in that registry to the DNS for lookup (read: a very long time). Qname Minimization may help in the future (assuming it moves forward), but given the circumstances of folks who rely on .onion, I don't think that can be relied upon.

> I'm generally in favour of this proposal.

+1

Regards,
-drc
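The two mitigations this exchange talks past each other on are the library-side one (a stub resolver that consults the Special-Use Domain Names registry and never forwards such a name, so the query does not leave the local machine) and the resolver-side one (the quoted RPZ suggestion, where a recursive resolver synthesizes NXDOMAIN for .onion). The following is an added example illustrating both; it is not code from the thread or from any of the participants. The registry subset, the RPZ zone origin `rpz.example`, the fake upstream lookup and the sample query names are all constructed for the demonstration.

```python
"""Local guard against leaking special-use names to the DNS, plus an RPZ
zone generator for the resolver-side version of the same mitigation."""

# Constructed subset of the IANA Special-Use Domain Names registry
# (assumption: the real registry is larger; .onion is the name under discussion).
SPECIAL_USE_SUFFIXES = frozenset({
    "onion", "local", "localhost", "invalid", "example", "test",
})


class LeakBlocked(Exception):
    """Raised instead of sending a query that would leak a special-use name."""


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot; DNS names are case-insensitive."""
    return qname.strip().rstrip(".").lower()


def special_use_suffix(qname: str):
    """Return the registry entry that qname falls under, or None.

    Suffixes are matched label-wise from the right, so "foo.onion" and "onion"
    match but "onion.example.com" does not (its TLD is "com")."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in SPECIAL_USE_SUFFIXES:
            return candidate
    return None


def resolve(qname: str, upstream):
    """Wrap a real lookup function (hypothetical `upstream(name) -> answers`):
    refuse to forward special-use names; everything else goes upstream."""
    suffix = special_use_suffix(qname)
    if suffix is not None:
        raise LeakBlocked(f"{qname!r} is under special-use name .{suffix}; not forwarded")
    return upstream(qname)


def rpz_zone(suffixes=SPECIAL_USE_SUFFIXES, origin="rpz.example") -> str:
    """Emit a minimal BIND response-policy zone. In RPZ, a QNAME trigger whose
    action is "CNAME ." makes the resolver answer NXDOMAIN; the wildcard
    record covers every name below the suffix."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{origin}. 1 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for s in sorted(suffixes):
        lines.append(f"{s} CNAME .")
        lines.append(f"*.{s} CNAME .")
    return "\n".join(lines) + "\n"


def demo():
    """Run constructed queries through the guard and record what would have
    reached the network. Returns (per-query result, names actually forwarded)."""
    forwarded = []

    def fake_upstream(name):  # stands in for a real DNS client
        forwarded.append(name)
        return ["192.0.2.1"]  # documentation address, constructed answer

    results = {}
    for q in ["www.example.com", "abcdefghijklmnop.onion.",
              "printer.local", "onion.example.com"]:
        try:
            results[q] = resolve(q, fake_upstream)
        except LeakBlocked:
            results[q] = "blocked"
    return results, forwarded


if __name__ == "__main__":
    res, sent = demo()
    for q, r in res.items():
        print(f"{q:28} -> {r}")
    print("forwarded upstream:", sent)
    print(rpz_zone({"onion"}), end="")
```

The library check is the stronger of the two, since it stops the leak before any packet exists; the RPZ zone only helps once the query has already reached a resolver that the operator controls and has configured, which is the point made in the reply above about the query leaving the local machine.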