Re: [DNSOP] ALT-TLD and (insecure) delgations.

Ted Lemon <ted.lemon@nominum.com> Fri, 10 February 2017 02:54 UTC

From: Ted Lemon <ted.lemon@nominum.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_F030304D-E773-4493-8A86-C372A21102A6"
MIME-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Thu, 9 Feb 2017 21:44:53 -0500
References: <20170207205554.B6974633BE40@rock.dv.isc.org> <18F2EB0D-5BD0-4CC5-B02C-2E5EA0B8CC23@fugue.com> <20170207214846.B66EF633C6C5@rock.dv.isc.org> <FB835756-2C46-40A9-88ED-2F8ADF812BA6@fugue.com> <20170208052544.862956356F33@rock.dv.isc.org> <FFAFD844-824C-44EA-A4B1-1AD28B4FE95C@fugue.com> <20170208060208.8C8E1635864D@rock.dv.isc.org> <E0A42577-0984-4ADD-8658-91413CBE783D@fugue.com> <20170208194208.DB02C635DD72@rock.dv.isc.org> <CAH1iCipA5nvWJqjdGUwJeeT_eU8EH8VYJU2hX1hJoiTb617K8Q@mail.gmail.com> <20170209163123.56hdbzaluekmvbh7@nic.fr> <20170209195722.DC1AB636586C@rock.dv.isc.org> <0394528C-99CD-41D4-9AB6-844D1318264C@gmail.com> <20170209204506.BC40D6365CBE@rock.dv.isc.org> <12D7473B-3A22-4A8D-9C13-2AEEDEABB879@fugue.com> <20170209224851.2FB1B63666E6@rock.dv.isc.org> <CAPt1N1nLmdoZ_3Kb8Kfp9sTsN-GYqo1A9CF3j4zb7QCvO3SLew@mail.gmail.com> <20170209232830.0DE1B63669D6@rock.dv.isc.org> <CFB6BEB2-4110-406A-A917-FC6361061B1C@fugue.com> <20170210004801.EEFE9636B89C@rock.dv.isc.org> <653A3403-DFC8-491A-B083-7873D1886A12@fugue.com> <20170210015725.BF777636C97F@rock.dv.isc.org>
To: "dnsop@ietf.org WG" <dnsop@ietf.org>
In-Reply-To: <20170210015725.BF777636C97F@rock.dv.isc.org>
Message-ID: <E5AB0A08-0DDA-496A-811E-25C1BA2765BA@nominum.com>
X-Mailer: Apple Mail (2.3259)
X-Originating-IP: [73.167.64.188]
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/HhD7ToxtawLvvQJWRPOqwjRKui4>
Subject: Re: [DNSOP] ALT-TLD and (insecure) delgations.

On Feb 9, 2017, at 8:57 PM, Mark Andrews <marka@isc.org> wrote:
> I'm developing software that will be run on private internets with
> various degrees of competence from the administrators as well as
> the public Internet.  That private internet may have an ENT for ALT
> that returns NXDOMAIN.  The server has to work in that environment.

I don't know what an ENT is.   In any case, I don't see what this has to do with what we are talking about.   It is an absolute fact that if you want ALT queries not to leak you need to have a specially-configured recursive resolver, or else one that is really quite up to date.   If you have one that is really quite up to date, a secure denial of existence will do the right thing.

So we are really just arguing about how to specially configure out-of-date resolvers.   This is really out of scope.   There is nothing dnsop can do to make sure that these queries do not leak, so we should just decide what the right design is assuming that all the moving parts are working correctly, and leave it at that.
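As an added illustration (not part of the thread, and not code from either poster) of the point that a sufficiently up-to-date validating resolver can turn the root zone's secure denial of existence into a local NXDOMAIN for anything under a non-existent TLD, and of why an insecure delegation of "alt" would defeat that: a toy Python model of aggressive use of cached NSEC records. Assumptions: that this aggressive-NSEC behaviour (RFC 8198, still a DNSOP draft when this message was written) is the "really quite up to date" mechanism being referred to; the NSEC records in the two caches are constructed for the example and are not real root-zone data; `NSEC`, `resolve`, `can_synthesize_nxdomain` and the cache names are my own.

```python
"""Toy model of a validating resolver that answers NXDOMAIN for names under a
non-existent TLD from cached, validated NSEC records (aggressive NSEC use,
RFC 8198) instead of sending the query upstream, where it would leak.
Constructed example; the NSEC records below are made up, not root-zone data."""

from dataclasses import dataclass


def canonical_key(name: str) -> tuple:
    """RFC 4034 section 6.1 canonical ordering: labels are compared from the
    root outward, case-insensitively. The root name "." becomes ()."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return tuple(lab.lower().encode() for lab in reversed(labels))


def key_to_name(key: tuple) -> str:
    return ".".join(lab.decode() for lab in reversed(key)) + "."


def is_ancestor(anc: tuple, name: tuple) -> bool:
    return len(anc) < len(name) and name[: len(anc)] == anc


@dataclass(frozen=True)
class NSEC:
    owner: str
    next_name: str
    types: frozenset  # type bitmap of the owner name

    def covers(self, qname: str) -> bool:
        """True if this record proves qname does not exist in the zone: qname
        sorts strictly between owner and next (wrapping at the end of the
        zone). A parent-side NSEC for a delegation (NS set, no SOA) proves
        nothing about names inside the child zone, so an insecurely
        delegated "alt" does not let the resolver answer foo.alt locally."""
        o = canonical_key(self.owner)
        n = canonical_key(self.next_name)
        q = canonical_key(qname)
        if is_ancestor(o, q) and "NS" in self.types and "SOA" not in self.types:
            return False
        if n <= o:  # last NSEC in the zone: next points back to the apex
            return q > o
        return o < q < n


def closest_encloser(rec: NSEC, qname: str) -> tuple:
    """Longest existing ancestor of qname implied by a covering NSEC: the
    longer common ancestor of qname with the owner and with the next name."""
    q = canonical_key(qname)

    def common(key: tuple) -> tuple:
        i = 0
        while i < min(len(key), len(q)) and key[i] == q[i]:
            i += 1
        return q[:i]

    return max(common(canonical_key(rec.owner)),
               common(canonical_key(rec.next_name)), key=len)


def can_synthesize_nxdomain(qname: str, cache: list) -> bool:
    """NXDOMAIN may be synthesized only if some cached NSEC covers qname AND
    some cached NSEC covers the wildcard at the closest encloser; without the
    wildcard proof a "*" record could have matched and the answer is unknown."""
    for rec in cache:
        if not rec.covers(qname):
            continue
        wildcard = key_to_name(closest_encloser(rec, qname) + (b"*",))
        if any(r.covers(wildcard) for r in cache):
            return True
    return False


def resolve(qname: str, cache: list) -> str:
    """What the resolver does with the query: answer from cache, or forward it
    upstream (which is the point at which the name leaks)."""
    return "NXDOMAIN from cache" if can_synthesize_nxdomain(qname, cache) else "send upstream"


# Constructed root-zone NSEC chain fragment in which no "alt" exists.
ROOT_NO_ALT = [
    NSEC(".", "aaa.", frozenset({"NS", "SOA", "RRSIG", "NSEC", "DNSKEY"})),
    NSEC("alsace.", "am.", frozenset({"NS", "DS", "RRSIG", "NSEC"})),
    NSEC("zw.", ".", frozenset({"NS", "DS", "RRSIG", "NSEC"})),
]

# Constructed chain in which "alt" is an insecure delegation (NS, no DS).
ROOT_INSECURE_ALT = [
    NSEC(".", "aaa.", frozenset({"NS", "SOA", "RRSIG", "NSEC", "DNSKEY"})),
    NSEC("alt.", "am.", frozenset({"NS", "RRSIG", "NSEC"})),
]

if __name__ == "__main__":
    for name, cache in [("foo.alt.", ROOT_NO_ALT),
                        ("www.example.com.", ROOT_NO_ALT),
                        ("foo.alt.", ROOT_INSECURE_ALT)]:
        print(f"{name:<18} -> {resolve(name, cache)}")
```

With the first cache, `foo.alt.` is answered locally because the cached "alsace. NSEC am." proves no "alt" exists in the root and ". NSEC aaa." proves there is no root wildcard; `www.example.com.` has no covering record and must go upstream as usual. With the second cache the delegation-point NSEC for "alt." cannot be used for names below it, so the same query is sent upstream: a secure denial of existence keeps the query local, an insecure delegation does not.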