Re: [DNSOP] ALT-TLD and (insecure) delgations.
Brian Dickson <brian.peter.dickson@gmail.com> Tue, 07 February 2017 07:56 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/IZBqjdk50LNxvyffE0evTaRUbsM>
On Mon, Feb 6, 2017 at 11:27 PM, Mark Andrews <marka@isc.org> wrote:

> In message <99431A77-7B62-4655-89EF-FAA32F2A82F6@gmail.com>, Brian Dickson writes:
> > The suggestion of DNAME to empty.as112.arpa involves some subtle details,
> > which IMHO may in combination be the right mix here.
> >
> > The DNAME target is an insecure empty zone.
> >
> > This avoids the validation issue, and facilitates use of local "alt"
> > namespaces.
>
> No it doesn't.
>
> > The default response to queries under alt would be unsigned NXDOMAINs.
>
> No, it would be a secure response saying that foo.alt is covered
> by a DNAME. The names under empty.as112.arpa are unsigned NXDOMAINs.
>
> The difference between the two descriptions is critical to why a
> DNAME in the root zone will not work. You *have* to leak names to
> the root to get a DNAME returned by ordinary processing because the
> DNAME is signed.
>
> > I am not seeing a problem with this.
> >
> > Am I missing anything?
>
> Yes. A solution that *works*.

What are the specific requirements for the solution?

I am inferring that the following are needed:

- The ability to have a local authority server for *.alt, where responses to queries with DO=1 do not include any DNSSEC RRs, i.e. unsigned responses.
- The ability to have validating forwarders configured to point to one or more resolvers, where the resolvers are configured to use these alt server(s) (directly or indirectly).
- The ability of validating stub resolvers to accept the answers received (not BOGUS).

Does the existence of query rewriting matter, as long as the end result RDATA is the expected value? I.e., if the query is "my-thing.foo.alt" and it returns a combo of "alt DNAME empty.as112.arpa" plus "my-thing.foo.empty.as112.arpa <RRTYPE> <RRDATA>", is that acceptable, as long as there is no validation failure? Whatever initiated the DNS call, via the stub, would get back <RRDATA>, and presumably be unaware of the presence of the DNAME.

I just want to be sure what is or is not acceptable, and what is explicitly within the requirements for a working solution.

Brian
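As an added illustration (written for this archive page, not code from any participant in the thread): a small Python model of the name rewriting a resolver performs when a query under alt hits a DNAME, and of how the validation states of the two halves of the answer combine. It assumes the hypothetical configuration under discussion, "alt. DNAME empty.as112.arpa." signed in the root and empty.as112.arpa served unsigned; the function and field names are the example's own.

```python
# Added illustration (not from the thread): DNAME substitution per RFC 6672
# section 2.2, plus a weakest-link combination of DNSSEC validation states.
from typing import Optional

def labels(name: str) -> list:
    return [l for l in name.lower().rstrip(".").split(".") if l]

def dname_substitute(qname: str, owner: str, target: str) -> Optional[str]:
    """Return the rewritten name, or None if the DNAME does not apply.
    A DNAME applies only to proper descendants of its owner, not to the
    owner name itself (RFC 6672 section 2.2)."""
    q, o, t = labels(qname), labels(owner), labels(target)
    if len(q) <= len(o) or q[len(q) - len(o):] != o:
        return None
    new = q[:len(q) - len(o)] + t
    # Wire-format length: each label costs len+1 octets, plus the root octet.
    if sum(len(l) + 1 for l in new) + 1 > 255:
        raise ValueError("YXDOMAIN: substituted name exceeds 255 octets")
    return ".".join(new) + "."

def chain_state(link_states: list) -> str:
    """Combine per-RRset validation states along a DNAME/CNAME chain:
    any bogus link makes the answer bogus, otherwise any insecure link
    makes it insecure, otherwise it is secure."""
    if "bogus" in link_states:
        return "bogus"
    if "insecure" in link_states:
        return "insecure"
    return "secure"

def resolve_alt(qname: str) -> dict:
    """Constructed model of the proposal: the DNAME RRset is signed in the
    root (secure); the target zone is unsigned, so its NXDOMAIN is insecure.
    Note the DNAME can only be obtained by sending the name to the root."""
    rewritten = dname_substitute(qname, "alt.", "empty.as112.arpa.")
    if rewritten is None:
        return {"rcode": "NOERROR", "state": "not-applicable", "rewritten": None}
    return {
        "rcode": "NXDOMAIN",  # nothing exists under the empty target zone
        "rewritten": rewritten,
        "synthesized_cname": f"{qname} CNAME {rewritten}",
        "state": chain_state(["secure", "insecure"]),  # secure DNAME + insecure target
    }

if __name__ == "__main__":
    print(resolve_alt("my-thing.foo.alt."))
```

The "insecure" final state is what lets a validating stub accept the answer (it is not BOGUS), while the "secure" DNAME link is exactly the part that requires the name to reach the root first.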