IETF Logo Mail Archive

Re: [DNSOP] Call for Adoption: draft-arends-private-use-tld

Warren Kumari <warren@kumari.net> Thu, 18 June 2020 18:24 UTC

Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 366FF3A0AD7 for <dnsop@ietfa.amsl.com>; Thu, 18 Jun 2020 11:24:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TzCKL4fmnMvH for <dnsop@ietfa.amsl.com>; Thu, 18 Jun 2020 11:24:53 -0700 (PDT)
Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E79F73A0ACD for <dnsop@ietf.org>; Thu, 18 Jun 2020 11:24:52 -0700 (PDT)
Received: by mail-lj1-x229.google.com with SMTP id a9so8449433ljn.6 for <dnsop@ietf.org>; Thu, 18 Jun 2020 11:24:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=Dg4dNHJHgsfb+rdy7iGjDNrRbxySAInyNAcA14Cr0cw=; b=siWU4+asTvBf4m3SKyoeI13aAJ+33I5GQjTFDBJmrGSPZFEusToFE3OHMgmfFbFzwM G6cjKMij4Cj+rbUgB6zvYMccyhk4ulqeo1LTPO+fKUO1m2ppPOzpcHgnQt62VWoT7iLp F41CB0IBMfy8tysjtIitBERkKI2/X0JROIIDBngpVAXbF0BgXs+VV2Brb2wL0w6JKCim MpkaYzbdPreguGNzYNRRVhbQdR30i37oN5LpAbquEtbkuHVmurb/riVIpFvR6ko2x8AD v7NZdJwjDzg+SGS66K3Z6+8b0T/s9XDrmxup6XP+kpIFPLWso6+lDuwK1reJO+98B0Dw kF3g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=Dg4dNHJHgsfb+rdy7iGjDNrRbxySAInyNAcA14Cr0cw=; b=TswL6/g5yJ1Mk04KXISrLTdWLIhZcyBp5Yb4a1wAcdF6X7uZsvfpuMbE8+m6Rnz2zC fa/abCtb5hJC/dV3fJ71V5w4vPsMzR5tJYOoJ2ZBPMF/odB6oNZcTKRsjwEnYyfW3Koq 1MPzZLR9/jpqWd7GLJkJjXm1DLJOX+E3uVIzvw8x/WMDzq4WbcyLUUHDNOUheUDDqZ1J QPuUrza8yY+Odjd2Kcx4Ou5SHeyaO5RxSskZrgd1fyVsDAcogbSMCic0oKgLEy4Fwn9T CxAu/E1crzmj2KIUkq9wH8iG7IflzlSjNVu35kUmYIvrZ3khh25roD7IhOt2UYEXyXH7 A0JQ==
X-Gm-Message-State: AOAM530MwJpGNuYLDqXB/iAnmU5Yt0cnTIN+qrDDPt7jS9bpE/f91z9H E8+egbNWDOJmL5dNGpT44lq9xylkpuv30G6AYmiSZw==
X-Google-Smtp-Source: ABdhPJwzk24e4w6gGjlHlEGyDlfgzGiZtqknrLmtcpKt7fMEotkG9FjcxVRSkgsxZVWagBILKsfq9H6g8PdS0lTo2mM=
X-Received: by 2002:a2e:3003:: with SMTP id w3mr2924461ljw.11.1592504690536; Thu, 18 Jun 2020 11:24:50 -0700 (PDT)
MIME-Version: 1.0
References: <78f0cb84-f1b3-43c1-0798-c2c8ee55e1e6@nic.cz> <FE1E6C98-8B6C-49D1-AB17-729EA1B10A6C@fugue.com>
In-Reply-To: <FE1E6C98-8B6C-49D1-AB17-729EA1B10A6C@fugue.com>
From: Warren Kumari <warren@kumari.net>
Date: Thu, 18 Jun 2020 14:24:13 -0400
Message-ID: <CAHw9_i+XbjZc-QbhL1n=LAmM9mcTXp_jsQXd1q_pYkk+N_21Ug@mail.gmail.com>
To: Ted Lemon <mellon@fugue.com>
Cc: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>, dnsop <dnsop@ietf.org>, Roy Arends <roy@dnss.ec>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/IVGyTXnqQ5YFc793b1-SC5eGPxw>
Subject: Re: [DNSOP] Call for Adoption: draft-arends-private-use-tld
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jun 2020 18:24:55 -0000

On Thu, Jun 18, 2020 at 1:47 PM Ted Lemon <mellon@fugue.com> wrote:
>
> It can be solved with a trust anchor as well, but that relies on there being a central validating resolver rather than validating stub resolvers on hosts, and personally I don’t find that deployment model very compelling anymore—I think that stub resolvers should validate.  If I get my way, then we’re going to see these “private” domains start to fail.

... and I should point out that this was one of the arguments in
https://tools.ietf.org/html/draft-wkumari-dnsop-internal-00#section-4.3
for an (insecure) delegation (just like home.arpa has). Currently
operating system vendors (and similar) cannot realistically ship
validating stub resolvers - having BYOD users suddenly unable to
resolve www.corp on your shiny new phone/tablet/laptop results in
outrage, and customers buying your competitors widget instead.

The presentation at
http://slides.com/wkumari/deck-f68ee558-abac-4af2-9357-5669734d3445-5-8#/3/0/0
(slide 6) only briefly touched on it:
Has to be a TLD for non-technical / aesthetic reasons
DNSSEC requires that this be added to the root (with a DNSSEC insecure
delegation).
-happy to cover the reasons off-line
  -no process for this.
    - Will require creating one!


People (rightly IMO) said that this isn't DNSOP work, and should be
taken to ICANN instead.



The above presentation also said:
Users want an internal / disconnected namespace
... but we told them not to do this.

Squatting on TLDs causes various issues like:
pollution of the namespace  e.g .home, .corp, .mail, ...
potentially collisions
  excess root / recursive lookups
  somewhat mitigated by Aggressive NSEC
  leaking of "internal" names

Actually we say "Use something under a registered domain"
We are the adults, this is risky behavior, you don't actually want to do this
We also preach abstinence
Regardless of what we think of the behavior, we can't stop people
doing this - but we can make it less risky.


This seems to be related to much of what was said earlier --
regardless of what we think of people using a private/internal name,
there are no protocol police, and we cannot prevent it - but we can
posibly coral the badness into fewer places...

I'm limiting my involvement in this thread - I'm also working on the
SSAC .internal document
(https://mm.icann.org/pipermail/ncap-discuss/2020-June/000432.html),
and take the ICANN SSAC confidentiality agreement seriously.
While I have asked my co-AD to be responsible for the document
(https://mailarchive.ietf.org/arch/msg/dnsop/13iQFI6V3yJ90SxbqSy8UubQ6bU/)
I'm being extra cautious in this thread...

W



>
> Sent from my iPad
>
> On Jun 18, 2020, at 1:36 PM, Vladimír Čunát <vladimir.cunat+ietf@nic.cz> wrote:
>
> 
> On 6/18/20 7:22 PM, Ted Lemon wrote:
>
> I suspect it will work like every other locally-served domain or every other private namespace that exists today, i.e. just fine with no configuration changes expected or required on dependent (downstream) DNS clients. And if there are new species of resolver that need to be accommodated (e.g. validating, hybrid stub/full service resolvers embedded in applications), whatever configuration or auto-discovery mechanisms are required to support those other locally-served zones can surely be easily extended to these ISO-3166-2 codes if they are used in any particular private network.
>
>
> What I’m getting at is that the secure denial of existence will mean that a DNSSEC-aware resolver, when asked to look up a name under .xa, for example, will always return NXDOMAIN.
>
> Yes, but squatting is usually done at root names already, so the issue isn't new.
>
> Modifying DNS past the last validator is generally troublesome.  Modifying it inside the last validating resolver can be fine, as the implementation can "prioritize" the modifications over validation and aggressive caching (but as an implementor I still find this troublesome).
>
> --Vladimir
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

v2.23.0 | Report a Bug | By Email