Re: [DNSOP] Call for Adoption: draft-arends-private-use-tld
Warren Kumari <warren@kumari.net> Thu, 18 June 2020 18:24 UTC
Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 366FF3A0AD7 for <dnsop@ietfa.amsl.com>; Thu, 18 Jun 2020 11:24:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TzCKL4fmnMvH for <dnsop@ietfa.amsl.com>; Thu, 18 Jun 2020 11:24:53 -0700 (PDT)
Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E79F73A0ACD for <dnsop@ietf.org>; Thu, 18 Jun 2020 11:24:52 -0700 (PDT)
Received: by mail-lj1-x229.google.com with SMTP id a9so8449433ljn.6 for <dnsop@ietf.org>; Thu, 18 Jun 2020 11:24:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=Dg4dNHJHgsfb+rdy7iGjDNrRbxySAInyNAcA14Cr0cw=; b=siWU4+asTvBf4m3SKyoeI13aAJ+33I5GQjTFDBJmrGSPZFEusToFE3OHMgmfFbFzwM G6cjKMij4Cj+rbUgB6zvYMccyhk4ulqeo1LTPO+fKUO1m2ppPOzpcHgnQt62VWoT7iLp F41CB0IBMfy8tysjtIitBERkKI2/X0JROIIDBngpVAXbF0BgXs+VV2Brb2wL0w6JKCim MpkaYzbdPreguGNzYNRRVhbQdR30i37oN5LpAbquEtbkuHVmurb/riVIpFvR6ko2x8AD v7NZdJwjDzg+SGS66K3Z6+8b0T/s9XDrmxup6XP+kpIFPLWso6+lDuwK1reJO+98B0Dw kF3g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=Dg4dNHJHgsfb+rdy7iGjDNrRbxySAInyNAcA14Cr0cw=; b=TswL6/g5yJ1Mk04KXISrLTdWLIhZcyBp5Yb4a1wAcdF6X7uZsvfpuMbE8+m6Rnz2zC fa/abCtb5hJC/dV3fJ71V5w4vPsMzR5tJYOoJ2ZBPMF/odB6oNZcTKRsjwEnYyfW3Koq 1MPzZLR9/jpqWd7GLJkJjXm1DLJOX+E3uVIzvw8x/WMDzq4WbcyLUUHDNOUheUDDqZ1J QPuUrza8yY+Odjd2Kcx4Ou5SHeyaO5RxSskZrgd1fyVsDAcogbSMCic0oKgLEy4Fwn9T CxAu/E1crzmj2KIUkq9wH8iG7IflzlSjNVu35kUmYIvrZ3khh25roD7IhOt2UYEXyXH7 A0JQ==
X-Gm-Message-State: AOAM530MwJpGNuYLDqXB/iAnmU5Yt0cnTIN+qrDDPt7jS9bpE/f91z9H E8+egbNWDOJmL5dNGpT44lq9xylkpuv30G6AYmiSZw==
X-Google-Smtp-Source: ABdhPJwzk24e4w6gGjlHlEGyDlfgzGiZtqknrLmtcpKt7fMEotkG9FjcxVRSkgsxZVWagBILKsfq9H6g8PdS0lTo2mM=
X-Received: by 2002:a2e:3003:: with SMTP id w3mr2924461ljw.11.1592504690536; Thu, 18 Jun 2020 11:24:50 -0700 (PDT)
MIME-Version: 1.0
References: <78f0cb84-f1b3-43c1-0798-c2c8ee55e1e6@nic.cz> <FE1E6C98-8B6C-49D1-AB17-729EA1B10A6C@fugue.com>
In-Reply-To: <FE1E6C98-8B6C-49D1-AB17-729EA1B10A6C@fugue.com>
From: Warren Kumari <warren@kumari.net>
Date: Thu, 18 Jun 2020 14:24:13 -0400
Message-ID: <CAHw9_i+XbjZc-QbhL1n=LAmM9mcTXp_jsQXd1q_pYkk+N_21Ug@mail.gmail.com>
To: Ted Lemon <mellon@fugue.com>
Cc: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>, dnsop <dnsop@ietf.org>, Roy Arends <roy@dnss.ec>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/IVGyTXnqQ5YFc793b1-SC5eGPxw>
Subject: Re: [DNSOP] Call for Adoption: draft-arends-private-use-tld
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jun 2020 18:24:55 -0000
On Thu, Jun 18, 2020 at 1:47 PM Ted Lemon <mellon@fugue.com> wrote: > > It can be solved with a trust anchor as well, but that relies on there being a central validating resolver rather than validating stub resolvers on hosts, and personally I don’t find that deployment model very compelling anymore—I think that stub resolvers should validate. If I get my way, then we’re going to see these “private” domains start to fail. ... and I should point out that this was one of the arguments in https://tools.ietf.org/html/draft-wkumari-dnsop-internal-00#section-4.3 for an (insecure) delegation (just like home.arpa has). Currently operating system vendors (and similar) cannot realistically ship validating stub resolvers - having BYOD users suddenly unable to resolve www.corp on your shiny new phone/tablet/laptop results in outrage, and customers buying your competitors widget instead. The presentation at http://slides.com/wkumari/deck-f68ee558-abac-4af2-9357-5669734d3445-5-8#/3/0/0 (slide 6) only briefly touched on it: Has to be a TLD for non-technical / aesthetic reasons DNSSEC requires that this be added to the root (with a DNSSEC insecure delegation). -happy to cover the reasons off-line -no process for this. - Will require creating one! People (rightly IMO) said that this isn't DNSOP work, and should be taken to ICANN instead. The above presentation also said: Users want an internal / disconnected namespace ... but we told them not to do this. Squatting on TLDs causes various issues like: pollution of the namespace e.g .home, .corp, .mail, ... potentially collisions excess root / recursive lookups somewhat mitigated by Aggressive NSEC leaking of "internal" names Actually we say "Use something under a registered domain" We are the adults, this is risky behavior, you don't actually want to do this We also preach abstinence Regardless of what we think of the behavior, we can't stop people doing this - but we can make it less risky. This seems to be related to much of what was said earlier -- regardless of what we think of people using a private/internal name, there are no protocol police, and we cannot prevent it - but we can posibly coral the badness into fewer places... I'm limiting my involvement in this thread - I'm also working on the SSAC .internal document (https://mm.icann.org/pipermail/ncap-discuss/2020-June/000432.html), and take the ICANN SSAC confidentiality agreement seriously. While I have asked my co-AD to be responsible for the document (https://mailarchive.ietf.org/arch/msg/dnsop/13iQFI6V3yJ90SxbqSy8UubQ6bU/) I'm being extra cautious in this thread... W > > Sent from my iPad > > On Jun 18, 2020, at 1:36 PM, Vladimír Čunát <vladimir.cunat+ietf@nic.cz> wrote: > > > On 6/18/20 7:22 PM, Ted Lemon wrote: > > I suspect it will work like every other locally-served domain or every other private namespace that exists today, i.e. just fine with no configuration changes expected or required on dependent (downstream) DNS clients. And if there are new species of resolver that need to be accommodated (e.g. validating, hybrid stub/full service resolvers embedded in applications), whatever configuration or auto-discovery mechanisms are required to support those other locally-served zones can surely be easily extended to these ISO-3166-2 codes if they are used in any particular private network. > > > What I’m getting at is that the secure denial of existence will mean that a DNSSEC-aware resolver, when asked to look up a name under .xa, for example, will always return NXDOMAIN. > > Yes, but squatting is usually done at root names already, so the issue isn't new. > > Modifying DNS past the last validator is generally troublesome. Modifying it inside the last validating resolver can be fine, as the implementation can "prioritize" the modifications over validation and aggressive caching (but as an implementor I still find this troublesome). > > --Vladimir > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Shumon Huque
- Re: [DNSOP] Call for Adoption: draft-arends-priva… John Levine
- [DNSOP] Call for Adoption: draft-arends-private-u… Tim Wicinski
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Bob Harold
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Dmitry Belyavsky
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Roy Arends
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Brian Dickson
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Erwin Lansing
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Joe Abley
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Jaap Akkerhuis
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Paul Wouters
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Geoff Huston
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Joe Abley
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Paul Vixie
- Re: [DNSOP] Call for Adoption: draft-arends-priva… John Levine
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Dr Eberhard W Lisse
- Re: [DNSOP] Call for Adoption: draft-arends-priva… John R Levine
- Re: [DNSOP] [Ext] Call for Adoption: draft-arends… Paul Hoffman
- Re: [DNSOP] Call for Adoption: draft-arends-priva… S Moonesamy
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Roy Arends
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Rubens Kuhl
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Michael StJohns
- Re: [DNSOP] [Ext] Call for Adoption: draft-arends… Paul Hoffman
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Paul Wouters
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Michael StJohns
- Re: [DNSOP] Call for Adoption: draft-arends-priva… John Levine
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Tony Finch
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Wes Hardaker
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Brian Dickson
- Re: [DNSOP] Call for Adoption: draft-arends-priva… John Levine
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Tim Wicinski
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Scott Morizot
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Brian Dickson
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Paul Vixie
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Suzanne Woolf
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Wes Hardaker
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Tony Finch
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Paul Wouters
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Paul Vixie
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Tony Finch
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Roy Arends
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Paul Vixie
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Geoff Huston
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Roy Arends
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Tony Finch
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Christian Huitema
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Wes Hardaker
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Roy Arends
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Brian Dickson
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Joe Abley
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Tony Finch
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Brian Dickson
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Tony Finch
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Tony Finch
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Joe Abley
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Brian Dickson
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Tony Finch
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Petr Špaček
- Re: [DNSOP] Call for Adoption: draft-arends-priva… John R Levine
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Mats Dufberg
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Jim Reid
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Mats Dufberg
- Re: [DNSOP] Call for Adoption: draft-arends-priva… John Levine
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Ted Lemon
- Re: [DNSOP] Call for Adoption: draft-arends-priva… John Levine
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Roy Arends
- Re: [DNSOP] Call for Adoption: draft-arends-priva… John R Levine
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Roy Arends
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Warren Kumari
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Dr Eberhard W Lisse
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Petr Špaček
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Paul Vixie
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Robert Mortimer
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Joe Abley
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Roy Arends
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Ted Lemon
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Paul Wouters
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Philip Homburg
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Paul Wouters
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Philip Homburg
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Roy Arends
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Roy Arends
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Ted Lemon
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Vladimír Čunát
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Ted Lemon
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Joe Abley
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Warren Kumari
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Ted Lemon
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Philip Homburg
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Roy Arends
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Tim Wicinski
- Re: [DNSOP] Call for Adoption: draft-arends-priva… Roy Arends