Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?
Brian Dickson <brian.peter.dickson@gmail.com> Wed, 19 October 2016 00:16 UTC
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Tue, 18 Oct 2016 17:16:43 -0700
Message-ID: <CAH1iCiqhHRB6dppvaNSfvTm+BA19RNaXt3xfe7gg=mfcFOOySg@mail.gmail.com>
To: "dnsop@ietf.org WG" <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/GUady-0ZY4CpFI2KhhFatyX-R7Y>
A short time ago, in a time zone not far away, Warren Kumari wrote:

> On Fri, Oct 14, 2016 at 10:04 AM, Paul Wouters <paul at nohats.ca> wrote:
>> On Fri, 14 Oct 2016, Stephane Bortzmeyer wrote:
>>> draft-bortzmeyer-dname-root
>>> <https://datatracker.ietf.org/doc/draft-bortzmeyer-dname-root/?include_text=1>,
>>> which proposes to "sink" special-use TLD (maybe you've heard of RFC
>>> 6761 "special use domain names"?) using AS 112,
>>
>> This is tricky. We want DNS resolvers to not send these onto the
>> internet. But by adding delegations in the root to AS112, aren't
>> we making it more likely that the queries leak further onto the net?

My observation here is "yes and no"; the nature of AS112 is that anyone can deploy an instance, pretty freely/easily. Basically, the only thing that changes is where those leaks go, not whether they occur.

The DNAME to AS112++ is a (root) server-side thing, which is not mutually exclusive (compared to resolver-side solutions). Doing BOTH is probably the most conservative approach.

DNAME will work in a backwards-compatible fashion with older resolvers. (This was confirmed in the AS112++ work, by Geoff Huston and George Michaelson, kudos to them. DNAME w/CNAME synthesis FTW.) Anything else is an optimization, e.g. RFC 6303 stuff.

> So, back in ~Feb 2014 we had very similar discussion about ALT-TLD, AS112 delegations and DNAME. Initially the ALT-TLD document (https://datatracker.ietf.org/doc/draft-ietf-dnsop-alt-tld/) had .alt being delegated to "new style" AS112 nameservers, but Joe Abley pointed out that this would be a lame delegation.

A minor caveat: we should be careful in the language we use, to distinguish "delegate" (use NS) vs DNAME. A delegation would indeed be lame, while DNAME to AS112++ will never be lame, per se. I agree, we should take "delegate" off the table.

> We also discussed using DNAME, but the general view seemed to be that getting this deployed in the root would be an uphill battle; much of this discussion was happening during the new gTLDs process, "the variants problem", bundling, etc.

What is the consensus view of now vs 2014? Has anything changed, do we think? (I recognise the difficulty in consulting the "magic 8 ball" where deployment in the root is concerned.)

> There is also a big difference between "reserving" something and actually getting it delegated, even for a "null" answer.

Again, technically, in the DNAME to AS112++, this would be for an "NXDOMAIN" answer. But, this is a big difference, in that the result is indistinguishable from the querier's point of view.

> The consensus seemed to be that adding things like .alt to the RFC6303 ("Locally Served DNS Zones") registry was sufficient. I think that the consensus was correct -- RFC6303 zones come baked into most authoritative resolver packages, and the time to upgrade the majority of "served users" isn't that long (especially if you get this into the registry shortly before a large CVE :-P).
>
> Anything which isn't caught by Locally Served Zones simply flows upwards till it hits the root -- which is already handling this garbage anyway...
>
> So, back to Stephane's original question -- I think that documenting the current state is useful, or we will have this discussion all over again in a few months....
>
> Below is the .ALT IANA considerations, and extracts of the 6761 "questions":
>
> 4. IANA Considerations
>
> The IANA is requested to add the ALT string to the "Special-Use Domain Name" registry ([RFC6761]), and reference this document. In addition, the "Locally Served DNS Zones" ([RFC6303]) registry should be updated to reference this document.
>
> 4.1. Domain Name Reservation Considerations
>
> This section is to satisfy the requirement in Section 5 of RFC6761.
>
> [SNIP]
>
> 4. Caching DNS servers SHOULD recognize these names as special and SHOULD NOT, by default, attempt to look up NS records for them, or otherwise query authoritative DNS servers in an attempt to resolve these names. Instead, caching DNS servers SHOULD generate immediate negative responses for all such queries.

(I would point out that doing "in situ" AS112++ on the caching DNS server is one way to accomplish this.)

> 5. Authoritative DNS servers SHOULD recognize these names as special and SHOULD, by default, generate immediate negative responses for all such queries, unless explicitly configured by the administrator to give positive answers for private-address reverse-mapping names.

For this (5), using the DNAME solution does this explicitly, while "reserve but don't do anything" does this implicitly. I like the explicitness of DNAME, only because it tells a human making inquiries that this is in fact "special".

Brian "DNAME" Dickson
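The two mechanisms argued over in this message (a resolver-side locally served zone in the RFC 6303 style, versus a DNAME in the root pointing at the AS112++ sink, with CNAME synthesis for resolvers that predate DNAME) can be modelled in a few dozen lines. The following is an added example, not code from the thread or from any of the drafts it cites. It assumes a toy root that holds nothing but the DNAME for a constructed `.alt` owner, and it uses `empty.as112.arpa` as the DNAME target, which is the AS112++ sink name from RFC 7535 (the thread only says "AS112++"). The query names are constructed. The `path` field records which servers saw the query, which is the "where the leaks go" point made above.

```python
"""Toy model of sinking a special-use TLD: RFC 6303-style local serving versus a
root DNAME to the AS112++ sink (DNAME substitution per RFC 6672).  Added example,
not from the thread; ".alt" owner and query names are constructed, and the
target empty.as112.arpa is the AS112++ DNAME sink defined in RFC 7535."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str, str]   # (owner, rrtype, rdata); names are absolute (trailing dot)


@dataclass
class Answer:
    rcode: str                                      # "NOERROR" or "NXDOMAIN"
    records: List[Record] = field(default_factory=list)
    path: List[str] = field(default_factory=list)   # servers that saw the query, in order


def under(qname: str, suffix: str) -> bool:
    """True if qname is strictly below suffix (both absolute)."""
    return qname.endswith("." + suffix)


def synthesize_cname(qname: str, owner: str, target: str) -> Optional[Record]:
    """RFC 6672 DNAME substitution: replace the owner suffix with the target suffix."""
    if not under(qname, owner):
        return None
    prefix = qname[: -len(owner)]                   # e.g. "foo." from "foo.alt."
    return (qname, "CNAME", prefix + target)


class RootServer:
    """Toy root zone: only DNAME records for sunk TLDs are modelled."""

    def __init__(self, dnames: Dict[str, str]) -> None:
        self.dnames = dnames                        # {"alt.": "empty.as112.arpa."}

    def query(self, qname: str, qtype: str, path: List[str]) -> Answer:
        path.append("root")
        for owner, target in self.dnames.items():
            if qname == owner:                      # DNAME never applies to its own owner
                return Answer("NOERROR", [], path)  # NODATA for any type other than DNAME
            cname = synthesize_cname(qname, owner, target)
            if cname:
                # The DNAME is the authoritative record; the CNAME is synthesized so a
                # resolver that does not understand DNAME can still follow the redirect.
                return Answer("NOERROR", [(owner, "DNAME", target), cname], path)
        return Answer("NXDOMAIN", [], path)         # nothing else exists in this toy root


class As112Sink:
    """AS112++ instance: authoritative for the sink apex, NXDOMAIN for everything below it."""

    def __init__(self, apex: str) -> None:
        self.apex = apex

    def query(self, qname: str, qtype: str, path: List[str]) -> Answer:
        path.append("as112")
        return Answer("NXDOMAIN" if under(qname, self.apex) else "NOERROR", [], path)


class Resolver:
    def __init__(self, root: RootServer, sink: As112Sink, locally_served=()) -> None:
        self.root, self.sink = root, sink
        self.locally_served = tuple(locally_served)  # RFC 6303-style zones answered locally

    def resolve(self, qname: str, qtype: str = "A") -> Answer:
        path: List[str] = []
        # Item 4 of the .alt text quoted above: answer locally, never ask upstream.
        for zone in self.locally_served:
            if qname == zone or under(qname, zone):
                return Answer("NXDOMAIN", [], path)
        ans = self.root.query(qname, qtype, path)
        cnames = [r for r in ans.records if r[1] == "CNAME"]
        if cnames:
            # Follow the synthesized CNAME; in this toy its target is always under the sink apex.
            final = self.sink.query(cnames[-1][2], qtype, path)
            return Answer(final.rcode, ans.records + final.records, path)
        return ans


def build(locally_served=()) -> Resolver:
    """Resolver talking to a root with DNAME alt. -> empty.as112.arpa. and an AS112++ sink."""
    root = RootServer({"alt.": "empty.as112.arpa."})
    return Resolver(root, As112Sink("empty.as112.arpa."), locally_served)


if __name__ == "__main__":
    for label, r in [("DNAME only", build()), ("DNAME + local zone", build(["alt."]))]:
        a = r.resolve("foo.alt.")
        print(f"{label:20s} rcode={a.rcode:9s} path={a.path} records={a.records}")
```

Both configurations hand the querier NXDOMAIN for `foo.alt.`, which is the "indistinguishable from the querier's point of view" observation; the difference is only visible in `path`: with the local zone the query never leaves the resolver, with DNAME alone it reaches the root and is then sunk at AS112++ rather than leaking anywhere else.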