Re: [DNSOP] ALT-TLD and (insecure) delegations.

Brian Dickson <brian.peter.dickson@gmail.com> Fri, 10 February 2017 00:40 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ECwSEGF4J0ebdGSwSF44BizJUhg>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, Ted Lemon <mellon@fugue.com>

On Thu, Feb 9, 2017 at 3:47 PM, Mark Andrews <marka@isc.org> wrote:

>
> In message <CAH1iCiqi_xJjwXvsR-x76fcz20NiugnjYqameK1ZHWd+54SLpw@mail.gmail.com>, Brian Dickson writes:
>
> > Are you saying that leakage when the local namespace is non-existent, is
> > a/the issue?
>
> Because when TPB go on a witch hunt for all users of xxxx.alt we
> don't want the root servers operators to be able to return the
> addresses.  It's not a matter of if, just when.  We have seen that
> happen too many times.
>

I'm not sure who "TPB" is, but...

If you really care about privacy, IMHO, the place to instantiate the
private namespace is under one of the heavily used AS112 zones.

E.g. 10.in-addr.arpa, or 168.192.in-addr.arpa.

It's unsigned, by default (for BIND) local already, and even if a leak
occurs, it will be hiding among the sheer volume of crap.
Plus, having the AS112 decentralization applied, means any incidental
leakage is going to be nearly impossible to find.

Using a new TLD for local use-cases that do want to be in a privately
forked piece of the global namespace is perhaps unwise.

One thing to consider: the client will not know whether the resolver has
leaked or not.

Maybe this should be a DPRIVE topic, rather than general dnsop?

Brian
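The leak-exposure argument above can be checked against a resolver's own query log. The following is an added example (my code, not Brian's, BIND's or the working group's): it classifies queried names by whether a default BIND resolver would answer them from its built-in RFC 6303 empty zones (the RFC 1918 reverse zones mentioned above) or would forward a private-use TLD such as `.alt` toward the root. The log lines are constructed in BIND querylog style, and the zone list is the IPv4 subset of RFC 6303.

```python
"""Classify DNS query names by where a recursive resolver would send them.

Added example, not part of the original post. The log lines below are
constructed; LOCALLY_SERVED is the IPv4 subset of the RFC 6303 zones that
BIND serves as built-in empty zones unless configured otherwise.
"""
import re

# Reverse zones answered locally by a default BIND resolver (RFC 6303 subset).
LOCALLY_SERVED = (
    "10.in-addr.arpa",
    "168.192.in-addr.arpa",
    "127.in-addr.arpa",
) + tuple(f"{i}.172.in-addr.arpa" for i in range(16, 32))

# Private-use TLD discussed in the thread; a default resolver has no local
# zone for it, so a query escapes to the root servers.
PRIVATE_TLDS = ("alt",)

# Constructed lines in the shape of BIND's querylog output.
SAMPLE_LOG = [
    "client 192.0.2.10#53000 (printer.corp.alt): query: printer.corp.alt IN A +E(0)K (192.0.2.1)",
    "client 192.0.2.11#53001 (5.0.0.10.in-addr.arpa): query: 5.0.0.10.in-addr.arpa IN PTR + (192.0.2.1)",
    "client 192.0.2.12#53002 (www.example.com): query: www.example.com IN AAAA +E(0) (192.0.2.1)",
    "client 192.0.2.13#53003 (nas.corp.17.172.in-addr.arpa): query: nas.corp.17.172.in-addr.arpa IN TXT + (192.0.2.1)",
]
QUERY_RE = re.compile(r"query: (\S+) IN (\S+)")


def normalize(qname: str) -> str:
    """Lower-case and drop the trailing dot so comparisons are canonical."""
    return qname.rstrip(".").lower()


def in_zone(qname: str, zone: str) -> bool:
    """True if qname is the zone apex or a name below it (label-aligned)."""
    q = normalize(qname)
    return q == zone or q.endswith("." + zone)


def classify(qname: str) -> str:
    """'local' = answered from a built-in empty zone, never leaves the host;
    'leaks-to-root' = private-use TLD sent to the public root;
    'public' = ordinary global name."""
    q = normalize(qname)
    if any(in_zone(q, z) for z in LOCALLY_SERVED):
        return "local"
    if q.rsplit(".", 1)[-1] in PRIVATE_TLDS:
        return "leaks-to-root"
    return "public"


def leak_report(log_lines):
    """Map each logged qname to its classification; callers can alert on
    any 'leaks-to-root' entry, which is exactly the exposure the thread
    worries about for names under a special-use TLD."""
    report = {}
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m:
            report[normalize(m.group(1))] = classify(m.group(1))
    return report
```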