Re: [DNSOP] ALT-TLD and (insecure) delegations.

Ted Lemon <mellon@fugue.com> Wed, 08 February 2017 21:13 UTC

From: Ted Lemon <mellon@fugue.com>
Message-Id: <A6839264-7054-4A08-828B-66BFA6C94352@fugue.com>
Date: Wed, 08 Feb 2017 16:12:57 -0500
In-Reply-To: <20170208203018.CF0B5635DFA1@rock.dv.isc.org>
To: Mark Andrews <marka@isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/FR8AA1IeZ68CnvULazTXNzFv2gE>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, Brian Dickson <brian.peter.dickson@gmail.com>
Subject: Re: [DNSOP] ALT-TLD and (insecure) delegations.

On Feb 8, 2017, at 3:30 PM, Mark Andrews <marka@isc.org> wrote:
> And if the service has the same privacy issues as .onion has?
> 
> So we leak names until every recursive server in the world is
> validating (what % is that today?) and supports aggressive negative
> caching (still an I-D).

I feel like I am arguing with a wall, so if this doesn't work I will just give up. But if it's okay for us to ask resolvers to make a change, it is okay for us to ask resolvers to make the right change. And if they don't, yes, it's possible that some queries will leak. There is nothing we can do to prevent that other than harden caching servers and stub resolvers; if we are going to do that, we might as well do it right, by caching the full proof of nonexistence, rather than lying about what's in the root zone.
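The "full proof of nonexistence" approach the message argues for is aggressive NSEC caching: a validating resolver that holds a root-zone NSEC record spanning the gap where `alt` would sort can answer NXDOMAIN for `foo.alt` itself instead of sending the query (and leaking the name) to the root. The following is an added illustration, not code from the thread or from any resolver; the NSEC chain fragment is constructed, and the closest-encloser and wildcard proofs that a complete implementation also needs are omitted.

```python
# Added example: minimal model of aggressive NSEC caching (RFC 8198).
# A cached root-zone NSEC proving "no name sorts between ai. and am."
# lets the resolver synthesize NXDOMAIN for foo.alt locally, so the
# query never leaves the resolver. Constructed data; closest-encloser
# and wildcard proofs are deliberately left out for brevity.
from typing import List, Tuple

def canonical_key(name: str) -> List[bytes]:
    """RFC 4034 s6.1 canonical ordering key: labels right-to-left,
    compared case-insensitively; a name sorts before its subdomains."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return labels[::-1]

def is_subdomain(name: str, ancestor: str) -> bool:
    a, n = canonical_key(ancestor), canonical_key(name)
    return len(n) > len(a) and n[: len(a)] == a

def nsec_covers(owner: str, nxt: str, qname: str) -> bool:
    """True if qname lies in the gap (owner, next) an NSEC proves empty."""
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(qname)
    if is_subdomain(qname, owner):
        return False      # names below a delegation belong to the child zone
    if n <= o:            # last NSEC in the zone wraps around to the apex
        return q > o or q < n
    return o < q < n

# Constructed fragment of a root-zone NSEC chain held in the cache.
ROOT_NSEC_CACHE: List[Tuple[str, str]] = [
    ("ai.", "am."),   # no TLD between ai and am, so "alt" does not exist
    ("zw.", "."),     # final record points back to the zone apex
]

def resolve(qname: str, cache: List[Tuple[str, str]] = ROOT_NSEC_CACHE) -> str:
    """Answer from cached denial-of-existence if possible, else forward."""
    for owner, nxt in cache:
        if nsec_covers(owner, nxt, qname):
            return "NXDOMAIN (synthesized from cached NSEC, no query sent)"
    return "SEND_UPSTREAM"

if __name__ == "__main__":
    for q in ("foo.alt.", "example.com.", "zzz.", "ai.", "www.ai."):
        print(f"{q:15} -> {resolve(q)}")
```

Names under an existing TLD (`www.ai.`) are never denied by the parent's NSEC, which is why the check refuses to cover subdomains of the NSEC owner.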