IETF Logo Mail Archive

Re: [DNSOP] on private use TLDS

Joe Abley <jabley@hopcount.ca> Thu, 28 November 2019 22:20 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7BB621208D3 for <dnsop@ietfa.amsl.com>; Thu, 28 Nov 2019 14:20:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.995
X-Spam-Level:
X-Spam-Status: No, score=-1.995 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, WEIRD_PORT=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopcount.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M6GoaTTn8VKM for <dnsop@ietfa.amsl.com>; Thu, 28 Nov 2019 14:20:13 -0800 (PST)
Received: from mail-qk1-x72e.google.com (mail-qk1-x72e.google.com [IPv6:2607:f8b0:4864:20::72e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6716D120033 for <dnsop@ietf.org>; Thu, 28 Nov 2019 14:20:13 -0800 (PST)
Received: by mail-qk1-x72e.google.com with SMTP id q28so4985440qkn.10 for <dnsop@ietf.org>; Thu, 28 Nov 2019 14:20:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=date:from:to:message-id:in-reply-to:references:subject:mime-version; bh=TdorOnACAxEGFAWcCPADU/QDgtB4xHznElYRBhJkVx8=; b=JR6KK93iSOYe3oWK5PZ7ubkFjeLDRtKFU1TUO4aI0k5vGGaSF64jy/VX5BltD7mstS ZEUeUlgACVzSj3ziV0GylgsNkNUJgPO2+MhEzCxC9NWXGTszOtK1BRN24fAPvaJ8WGFV WNYSjWSZL3N+t3kVjXI4+HlTlmGjzALFLgLhs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:message-id:in-reply-to:references :subject:mime-version; bh=TdorOnACAxEGFAWcCPADU/QDgtB4xHznElYRBhJkVx8=; b=UQYcOtNilRt18lz0YPMhbVobgm+Kmox+2cHMwqCjs2mJ4AKAIW9GduGWlc6+g6P9t6 fC9lxWSdAHVhnJtG72OCdegVuaaTFdIwcCHy7JqtaVjy8533v20RvzpWPgNpf2qQc2N4 Ywpmu0SL14RwigayYEoSl3Vb3+x4Du+gqoRe3WMRpNiKbKoNiymJvkoS/zx3ambia8ih hAb9np7hmPTnvfq+kDRIJayT/YfMK48ZsMV/5PUfL08e2xWIJyLOVaOMzNUZYbQWG4Rd x80niTlEeom9UWHRuroX+c/C5Cgu9dSiGz1nhmEBD52Ax9J4YYoH6ukNGx1vueJmWesO V4xw==
X-Gm-Message-State: APjAAAXCH3dYJqA7VHxswMPcttKo5kTYEWpF+GWDD+Oa5WqhMzA9EgJD bS534aINZy4RG49ZoEfC/TZPLXITAH8Cgay3
X-Google-Smtp-Source: APXvYqwEp3EU0tFyMxnUVEp+FCQYYq5SJZhHh4GpIXUqM2LOI4cWtnJ8qCajLnAzmXw4ZTLZ4ogkNw==
X-Received: by 2002:a37:7282:: with SMTP id n124mr12399839qkc.129.1574979611952; Thu, 28 Nov 2019 14:20:11 -0800 (PST)
Received: from [2607:f2c0:e784:350b:d079:8f04:70:0] ([2607:f2c0:e784:350b:5052:4fd:6fd4:1d5]) by smtp.gmail.com with ESMTPSA id o70sm9262161qke.47.2019.11.28.14.20.10 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 28 Nov 2019 14:20:11 -0800 (PST)
Date: Thu, 28 Nov 2019 17:20:09 -0500
From: Joe Abley <jabley@hopcount.ca>
To: dnsop@ietf.org, Doug Barton <dougb@dougbarton.us>, John Levine <johnl@taugh.com>
Message-ID: <73256f09-8083-4b36-ad1e-f82f382a0b9c@Canary>
In-Reply-To: <fb307c7a-348a-03d3-3d8e-8e683cec603d@dougbarton.us>
References: <20191128165507.2A60BFDF451@ary.qy> <fb307c7a-348a-03d3-3d8e-8e683cec603d@dougbarton.us>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="5de0481a_ded7263_88cd"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/EbB8tD0ABxbn5BpHiOozwLiJvc4>
Subject: Re: [DNSOP] on private use TLDS
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Nov 2019 22:20:15 -0000

Hi Doug,

I am not suggesting that you are wrong in your final paragraph, and I am not philosophically opposed to reserving a label in the root zone for private use, somehow analogously to RFC1918, but I think it's worth challenging how obvious this really is. (Yours is just a convenient hook to hang this reply to; it's not really directed just at you.)

I do think the semantic meaning of the label is worth thinking about, and I am wary of particular scripts or languages being chosen arbitrarily. I realise "internal" and "private" are sensible labels to use for this kind of thing if you are English-speaking and used to reading Latin script; I don't know that it's reasonable not to care that they might not be sensible in other contexts. This to me is a much more important conversation than bikeshedding about what regulatory agency has said what about what.

It's also perhaps worth mentioning that the mechanics of how to provision (or not provision) such a name with regard to DNSSEC validation by various elements of the wider ecosystem have been a matter of some debate in other venues. I doubt that dnsop is immune to that. I won't fulfil that epectation by saying more in this message. :-)

So, on the subject of how obvious it is that we need to reserve a top-level label for private namespaces,

- has the advice to anchor a private namespace in a registered domain in the private namespace really been received and judged to be insufficient? Or has it just not been received? Could such advice be delivered in a more effective way?

- does the growth in observed query traffic for names with non-existant top-level labels really support the idea that squatting on arbitrary undelegated TLDs is on the rise? Is it possible there are other effects? Have we normalised the observed growth against other known causes of growth? If this phenomenon is actually becoming less common, does it need a solution beyond "wait"?

- what are the possible negative effects of providing a TLD label for use in private namespaces? We know that in the addressing realm, RFC 1918 and similar private-use addresses lead to collisions during M&A, interconnections, etc. Perhaps these are reasonable trade-offs for addresses. Is the same true for names?

- does promoting a single anchor for private namespaces concentrate traffic that leaks from those internal contexts to the Internet's DNS? If the leakage of queries that are intended to be private represents a security concern, does the concentration of targets for that traffic on the Internet make the security concern worse?

For the record, I don't personally see any enormous harm from standardising something like Warren's ".internal" (or Roy's ".zzz", to make it clear that I'm not talking about the specific label). But I do think questions like the ones I mentioned are worth putting some effort into answering.

Perhaps I've missed some elegant and robust analysis, but to date all I've seen is "nobody likes the advice to register MYCO.COM (http://MYCO.COM) and use that, so obviously we need to do something". If that's really where we are, it seems like it would be comforting to be able to say so more convincingly.

Joe

> On Thursday, Nov 28, 2019 at 16:38, Doug Barton <dougb@dougbarton.us (mailto:dougb@dougbarton.us)> wrote:
> On 11/28/19 8:55 AM, John Levine wrote:
> > In article <71ad677a-8c88-8916-fe02-7d0d8ae930b9@dougbarton.us> you write:
> > > I agree with Matt, Bill Woodcock, Steve Crocker, and others that have
> > > expressed that we should stay out of ISO's sandbox. Whatever the rules
> > > are today, they can change, and poaching their stuff for our purposes is
> > > bad form (and yes, I feel that poaching is what is being proposed, in
> > > spite of the arguments to the contrary).
> >
> > I don't see how relying on ISO's advice is poaching. They say:
>
> You, like Ted, are ignoring the fact that ISO can choose to change those
> rules.
>
> > > ICANN has already said that it's not going to ever delegate CORP, HOME,
> > > or MAIL.
> >
> > They said indefinitely defer which is not the same thing at all.
>
> Ok, so if you think there is a risk here, then it should be mitigated by
> working together with ICANN on a draft that codifies that they will
> never be delegated. Since there is apparently a need for additional such
> names (like INTERNAL) then they should be included.
>
> Other than some sort of gratuitous "we hate ICANN so we don't want to
> work with them" thing, it's not at all clear to me why we wouldn't want
> to lock the necessary resources down in cooperation with the only other
> entity that has anything to say about what happens in the root zone.
>
> > The IETF has already decided to stay out of the home/corp/mail
> > argument
>
> The IETF can change its mind too. :)
>
> Seriously, there is obviously a need to have private-use TLDs that we
> can guarantee will never be part of the public root zone. So let's make
> that happen, in a way that we can be sure will never be pulled out from
> under us.
>
> Doug
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email