IETF Logo Mail Archive

[DNSOP] Re: [Ext] Re: what problem are we trying to solve, was Call for Adoption: draft-davies-internal-tld

Mark Andrews <marka@isc.org> Tue, 06 May 2025 20:42 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id E37D9259B644 for <dnsop@mail2.ietf.org>; Tue, 6 May 2025 13:42:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.399
X-Spam-Level:
X-Spam-Status: No, score=-4.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="IS60hAmK"; dkim=pass (1024-bit key) header.d=isc.org header.b="ghCjHSNH"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h_i6udvbious for <dnsop@mail2.ietf.org>; Tue, 6 May 2025 13:42:27 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.2.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id BD2F1259B63F for <dnsop@ietf.org>; Tue, 6 May 2025 13:42:27 -0700 (PDT)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.2.31]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 8BED73AB36E; Tue, 06 May 2025 20:42:26 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org 8BED73AB36E
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.2.31
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1746564146; cv=none; b=NXJizlFJ4Unf906aiBY+rY/ahbuvRArUyVogZqs+do4sAHA35WW2fyv/mtpegvVgZ5QkbmHjUVJDJlwZMn6HCWD8fw7EDYfeX56kosFx9NxhvNToHmUs/K28OvFMY0R6khBt+DDqMwEKyubsjiPazVFc7isgCS5bL3U4Qzt2WxM=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1746564146; c=relaxed/relaxed; bh=btjkjWvQmsANtoulmteeNyfItBdfS8QmGoPLp0qhb7o=; h=DKIM-Signature:DKIM-Signature:From:Mime-Version:Subject:Date: Message-Id:To; b=qp9BPwkPw7LjhC+/1U8DZ6rWs+pAIFbEVLirG3BZxwqhU95qYBFW2abXL4ingZMV0iv5xnzF1mAb08ZVjy2/YsBGsK0pwAT4el/vAkPq0qFj9sXUIQX0/QqqeiNskoKhgav6qI48HeAKKFYiZLzZ0W6fjWP8CTcDkjBl2fWjtIY=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org 8BED73AB36E
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1746564146; bh=IJhZkGPsDQfj8Tp0yHn3IIcDyYFZh1yUXuG76pYHhck=; h=From:Subject:Date:References:Cc:In-Reply-To:To; b=IS60hAmKwXXru/YBsKmvUIMNp0zzWw4R5yYGbqAEHwjrYoiKTW8TnytsmhI8ZdP2a 1yDzPA/juqzRhgOMG6mGA/vEIqxulsZjwKvzK2saQHjgfjuELseam47sfkSuqrZKtg l5HrQCHFW/FsE2grjdaFuAxRGdGB1J6uS3MKnq+Y=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id 8539113A1040; Tue, 6 May 2025 20:42:26 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 5C50113A1043; Tue, 6 May 2025 20:42:26 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 5C50113A1043
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1746564146; bh=btjkjWvQmsANtoulmteeNyfItBdfS8QmGoPLp0qhb7o=; h=From:Mime-Version:Date:Message-Id:To; b=ghCjHSNHM4GfW0lRfn2z+KbBl7zauc1XCnuKjT/QcgLEmAvTyxurpHR3yUW+c9HbC S3bQvfCdBIX+n2x5U66KHWLNmorCYItJ2KolNnvSVU+JkMe6AbqRlKA6RVIbzHGHAb TI7oF3XNmYZ6ffMNZzpIWKlPUnsv4q0SYZX0S5Lo=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavis, port 10026) with ESMTP id yKugvcxF8A7s; Tue, 6 May 2025 20:42:26 +0000 (UTC)
Received: from smtpclient.apple (n49-187-18-238.bla1.nsw.optusnet.com.au [49.187.18.238]) by zimbrang.isc.org (Postfix) with ESMTPSA id 1793C13A1040; Tue, 6 May 2025 20:42:26 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Mark Andrews <marka@isc.org>
Mime-Version: 1.0 (1.0)
Date: Wed, 07 May 2025 06:42:13 +1000
Message-Id: <D4177A34-3EF6-45D9-8076-49A12BFCE81F@isc.org>
References: <C3487997-B656-4A6D-A069-752077629957@icann.org>
In-Reply-To: <C3487997-B656-4A6D-A069-752077629957@icann.org>
To: Paul Hoffman <paul.hoffman@icann.org>
X-Mailer: iPhone Mail (22E252)
Message-ID-Hash: ID4Y5CNXL3IXFAZN7NKCG3RE7SWLYCOM
X-Message-ID-Hash: ID4Y5CNXL3IXFAZN7NKCG3RE7SWLYCOM
X-MailFrom: marka@isc.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Ted Lemon <mellon@fugue.com>, dnsop@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: [Ext] Re: what problem are we trying to solve, was Call for Adoption: draft-davies-internal-tld
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/HxGBKw8fHE5L_gsGhJFy5Yd0jhg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

While this is an interesting issue how does this differ from what already exists for every mobile device which connects to a network with private names today?  These names resolve it NXDOMAIN or not depending on the attachment point.  
Traditionally stub resolvers only keep answers for as long as they need them for. That is usually significantly less than the TTL of the returned answer, often milliseconds.   If there is a on device cache it can be partially flushed on SSID changes.  If the device is worried about spoofed answers it can install (additional) trust anchors based on SSID that are  initially added using out of band methods and maintained using RFC 5055. 

For hardwired devices there are profiles that can be set by the user when they connect.  They flush the local cache today of you have a Mac and other OS have similar capabilities. Trust anchors can be set via that mechanism.  

Note negative trust anchors are NOT used above. 

-- 
Mark Andrews

> On 7 May 2025, at 04:11, Paul Hoffman <paul.hoffman@icann.org> wrote:
> 
> On May 6, 2025, at 09:56, Ted Lemon <mellon@fugue.com> wrote:
>> 
>> I think that you're trying to solve two different problems here. The first problem is just generally what can you do to avoid causing a validation failure? The second problem is, how can you actually validate locally served domains?
>> 
>> They are both really interesting questions, and I think that it would be very useful to consider how we would solve the problem of validating locally served domain.
>> 
>> However, this is not absolve us of the responsibility to make sure that we don't accidentally cause validation failures where they are inappropriate. We already have prior art on this. We know how to solve this problem. RFCs that solve this problem all solve that and exactly the same way.
> 
> ...and that way might not work the way we want, and thus should be defined in RFCs before we make recommendations about them. In specific, we don't have any RFCs that deal with insecure delegation for clients that move around.
> 
> Assume that a resolver for a corporate network uses .example as a TLD for its internal users. A user starts up their laptop when outside the network, and try to access foo.example.
> 
> - If .example is not listed in the root zone, they get a short-lived NXDOMAIN. When they move on to the corporate network after a short period of time, and try again, they get the address for foo.example.
> 
> - If .example has an insecure delegation, they get a two-day TTL to a nameserver that will tell them that foo.example doesn't exist.  When they move on to the corporate network after a short period of time, they still believe that foo.example doesn't exist because they believe the nameserver for .example is the one in the insecure delegation at the root.
> 
> This can probably be fixed, but we don't currently have such a fix in an RFC. I suspect there will be strong disagreement about what the fix should be (I have no opinion, and probably won't later). Saying "We already have prior art on this" understates what the "this" is.
> 
> --Paul Hoffman
> 
> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-leave@ietf.org

v2.31.3 | Report a Bug | By Email | System Status