Re: [DNSOP] Call for Adoption: draft-arends-private-use-tld

Brian Dickson <brian.peter.dickson@gmail.com> Mon, 15 June 2020 18:21 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/JGp-WyE-F5O6EMHCx9xb5uM4hXs>

On Mon, Jun 15, 2020 at 10:47 AM John Levine <johnl@taugh.com> wrote:

> In article <CAH1iCiouFfMRYoREwhhTbQfnNserw3RVUPs8Pzc8CvNEhysYCw@mail.gmail.com> you write:
> >E.g. use an FQDN belonging to you (or your company), so the namespace
> >would be example.com.zz under which your private names are instantiated.
>
> The obvious question is if an organization is willing to use
> example.com.zz, why wouldn't they use zz.example.com with split
> horizon DNS to keep that subtree on their local network?
>

There are lots of reasons that are subtle.
The main one is failure modes and the implications.
I.e., attempting to use a third-party resolver, or if a VPN disconnects,
etc., should only send queries to the root servers (and get NXDOMAIN
responses).
Similarly, any operational failure on the split-brain itself has the same
result (root servers only).

Another one is search lists. Using search lists with domains that terminate
in one of these non-TLDs (e.g. zz) ensures that the same semantics apply
(root only).

This is one place where QNAME minimization is also significantly beneficial.

Independent of this proposal, I think it would be good to delegate these
non-TLDs to the AS112++ servers (RFC 7535), to limit impact on the root
servers.

Also independent of that, I think it might be worth considering
whether/how to upgrade RFC 7534 to use a signed zone and to delegate
securely to it from as112.arpa.

One completely bonkers idea would be to deploy a wildcard delegation in the
root zone to AS112++ servers, rather than doing piecemeal delegations, but
that's not a hill I'm willing to die on. :-)


> For whatever reason, people like short names where short means two
> components.
>

Yes, and people like ponies.

The only time short names have any applicability is when connecting to
hosts directly, e.g. with SSH, and where some form of search list appends
the rest of the name.
That practice is better handled within SSH config files rather than in DNS
search lists.

Someone should write that up as a BCP. :-)

Brian
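As an added illustration of the failure-mode argument in this reply (not code from the thread, the draft, or any resolver), the toy resolver below traces which names reach which public servers under QNAME minimization (RFC 7816) versus full-name queries, for the two naming schemes compared above. The zone table is constructed, and "zz" is assumed to be an undelegated label.

```python
"""Toy trace of what an off-network resolver sends to public DNS servers.

Constructed model, not a real resolver: PUBLIC_ZONES is the public view of
the tree. 'zz' is assumed undelegated; the split-horizon subtree
zz.example.com exists only on the private network and so is absent here.
Any name not listed is answered NXDOMAIN by its parent's server.
"""

# Constructed public view: zone name -> the server authoritative for it.
PUBLIC_ZONES = {
    ".": "root",
    "com.": "com-tld",
    "example.com.": "example.com-public",
}

def labels(name):
    """'host.example.com.zz.' -> ['zz', 'com', 'example', 'host']."""
    return [l for l in name.rstrip(".").split(".") if l][::-1]

def join(parts):
    """Inverse of labels(): ['zz', 'com'] -> 'com.zz.'; [] -> '.'."""
    return ".".join(reversed(parts)) + "." if parts else "."

def resolve(qname, minimized=True):
    """Walk qname one label at a time from the root.

    Returns (outcome, trace). trace lists (server, name_sent) pairs: with
    minimization only the labels known so far are sent; without it the
    full qname goes to every server on the path.
    """
    parts = labels(qname)
    trace = []
    for i in range(1, len(parts) + 1):
        partial = join(parts[:i])
        parent_server = PUBLIC_ZONES[join(parts[:i - 1])]
        trace.append((parent_server, partial if minimized else qname))
        if partial not in PUBLIC_ZONES:
            # Parent has no such child: the walk stops here, and under
            # minimization the deeper (private) labels are never sent.
            return ("NXDOMAIN from " + parent_server, trace)
    return ("exists", trace)

def search_expand(short_name, search_list):
    """Apply a resolver search list to a short name, e.g. an SSH host."""
    return [short_name + "." + suffix.rstrip(".") + "." for suffix in search_list]

if __name__ == "__main__":
    for name in ("host.example.com.zz.", "host.zz.example.com."):
        for mode in (True, False):
            print(name, "minimized" if mode else "full", resolve(name, mode))
```

With the private-use label at the top of the name, every path ends at the root with NXDOMAIN and only "zz." is ever sent; with zz.example.com, the private label reaches the public example.com servers, and without minimization the whole internal hostname reaches the root and the TLD as well.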