Re: [DNSOP] additional special names Fwd: I-D Action: draft-chapin-additional-reserved-tlds-00.txt

Norbert Bollow <nb@bollow.ch> Mon, 03 March 2014 09:26 UTC

Date: Mon, 3 Mar 2014 10:25:35 +0100
From: Norbert Bollow <nb@bollow.ch>
To: Warren Kumari <warren@kumari.net>
Message-ID: <20140303102535.6f276963@quill>
In-Reply-To: <CAHw9_iJa_OhzHVCQ4L0Aj+m=zAp6w=mJpAV-_ueh9iukhb3bnA@mail.gmail.com>
References: <20140129055438.2402.qmail@joyce.lan> <97E20887-2B9C-4EAD-826B-043306605F88@fl1ger.de> <54BE75D7-E70B-46AB-93C1-042E655BB5E7@apple.com> <D0AC0015-63C3-4C03-A8D0-888C435D2775@virtualized.org> <20140226100311.E73CA1069B39@rock.dv.isc.org> <8FEAF0FC-2AC3-4F39-9825-7068AAA6E40D@hopcount.ca> <CAHw9_iJa_OhzHVCQ4L0Aj+m=zAp6w=mJpAV-_ueh9iukhb3bnA@mail.gmail.com>
Organization: ZielBaum Beratung N. Bollow
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/JrE59c3aBNWmnrXLrn-lr2Rc28o
Cc: Stuart Cheshire <cheshire@apple.com>, "dnsop@ietf.org WG" <dnsop@ietf.org>, Joe Abley <jabley@hopcount.ca>, David Conrad <drc@virtualized.org>
Subject: Re: [DNSOP] additional special names Fwd: I-D Action: draft-chapin-additional-reserved-tlds-00.txt

Warren makes a strong argument in favor of .alt I think.

Another related aspect is that if something like onion.notreallydns.org
is used, with notreallydns.org registered for the specific purpose of
providing a home for one or more non-resolving DNS-like names, it
is very non-trivial to guarantee that whoever has registered the
notreallydns.org name will continue paying the yearly fees forever. If
the registration lapses, an attacker could become the new holder of the
notreallydns.org domain and use it to snoop and/or serve malware...

Greetings,
Norbert

On Sun, 2 Mar 2014 22:20:48 +0000,
Warren Kumari <warren@kumari.net> wrote:

> On Wed, Feb 26, 2014 at 2:34 PM, Joe Abley <jabley@hopcount.ca> wrote:
> >
> > On 26 Feb 2014, at 5:03, Mark Andrews <marka@isc.org> wrote:
> >
> >> In message <D0AC0015-63C3-4C03-A8D0-888C435D2775@virtualized.org>,
> >> David Conrad writes:
> >>
> >>> On Feb 25, 2014, at 9:51 AM, Stuart Cheshire <cheshire@apple.com>
> >>> wrote:
> >>>> If we have *some* pseudo-TLDs reserved for local-use names,
> >>>
> >>> I would think
> >>> http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#User-assigned_code_elements
> >>> would be appropriate for this purpose.
> >>>
> >>> Regards,
> >>> -drc
> >>
> >> Whatever is used needs to be insecurely delegated so that in app
> >> validation will work.
> >
> > I still don't see why we need a TLD, or a delegation/reservation
> > under ARPA.
> >
> > There are many, many TLDs under which an application/protocol
> > implementer can reserve some namespace for their exclusive use at
> > low cost ($10/year, say). Why is this approach not preferred for a
> > new application/protocol? It seems far simpler.
> 
> Yes, and it is -- but it means that leakages hit more folk.
> 
> >
> > Perhaps all that is missing is some guidance that says "you
> > shouldn't hijack namespaces that you don't control, even for
> > non-DNS applications; register a domain instead".
> 
> Because for some things, people specifically do *not* want it to hit /
> go through the DNS -- this is why they have done this, and *not* just
> registered e.g. onion.com...
> 
> For example, I'm a *huge* Justin Bieber fan. I, and a bunch of my
> fellow closet Bieberites hang out on the-bieb-is-cool.onion. (you
> don't really think we want everyone to know that we obsess over every
> little antic, do you?)
> 
> Last week I emailed my friend a link to
> http://www.the-bieb-is-cool.onion/Justins_New_Shoes.html.
> Unfortunately, he was just *so* excited to see that the Bieb has new
> sneakers that he clicked on the link from his phone (which doesn't
> have the Tor interceptor software installed). This, of course, means
> that the "DNS like" name, which should not really be used in a DNS
> context suddenly hit the DNS.  Only his recursive and the root saw
> this, and that's embarrassing enough, thank you.
> 
> This is bad enough, but if people built stuff like this under
> .onion.eff.org (or foo.onion.arpa), there would now be many more
> people in the list who knew our shameful little secret.
> 
> Obviously this is a somewhat contrived example (after all, who
> wouldn't want to make it widely known that they *love* Justin
> Bieber!), but let's instead pretend I'm using an overlay network as a
> political dissident, or to discuss my sexual orientation, or...
> 
> This is some of the justification behind the .ALT TLD proposal
> (http://tools.ietf.org/html/draft-wkumari-dnsop-alt-tld-00) -- create
> a special label to be used to denote that this is not actually a name
> in the DNS context. By reserving it as a special use name:
> A: It creates a "safe" namespace, secure from collision for people to
> root namespaces that have no meaning in a DNS context.
> B: when one of these names *does* leak (as they will), iterative
> resolvers will be authoritative, with an empty zone, so
> the-bieb-is-cool.onion.alt only gets seen by the iterative and goes no
> further.
> C: When one does go further (as they will), the root can delegate to
> AS112, which can squash it.
> D: 4 years from now, when someone comes along and says "I created a
> shiny new directory system. I used something that looks like DNS
> names, and I placed it under .pony. Please reserve that for me" the
> IESG can at least say "But we told you not to do that..." They can
> also a: reserve it, b: not, or c: we can have another thread about
> this all again, but now at least we can nod knowingly and feel all
> superior...
> 
> W
> P.S: Note: I did *not* say what should happen with the current
> pseudo-TLDs / colliding names. They can move under .ALT or they can
> not. The IESG can reserve them, or not, or bury them in peat, or paint
> them purple and dress them in wellies. I have views on what I think
> makes sense, but that's a separate mail.....
> 
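Warren's points B and C above describe the resolver-side behaviour the .alt proposal is meant to enable: a leaked pseudo-TLD name is answered from an empty zone at the iterative resolver and goes no further. The following Python is an added example, not code from the thread, the draft, or any resolver: it pairs that empty-zone decision with detection logic that counts leaked pseudo-TLD queries in a resolver query log. The suffix set, the BIND-style log format and the sample log lines are all constructed for the example.

```python
import re
from collections import Counter
from typing import Iterable, Optional

# Pseudo-TLDs with no meaning in the DNS. Constructed for this example: "alt" is
# the label from Warren's draft, "onion" and "local" the other names the thread
# mentions; a real resolver would take the list from the IANA special-use registry.
SPECIAL_USE_SUFFIXES = frozenset({"alt", "onion", "local"})

def special_use_suffix(qname: str) -> Optional[str]:
    """Return the reserved pseudo-TLD qname falls under, or None for an ordinary
    DNS name. Case-insensitive; a trailing root dot is ignored."""
    last = qname.rstrip(".").lower().rsplit(".", 1)[-1]
    return last if last in SPECIAL_USE_SUFFIXES else None

def local_answer(qname: str) -> Optional[str]:
    """Empty-zone behaviour at the iterative resolver (Warren's point B): a leaked
    pseudo-TLD name gets NXDOMAIN here and goes no further; None means resolve
    normally."""
    return "NXDOMAIN" if special_use_suffix(qname) else None

# BIND-style query log line; the format is assumed for this example.
QUERY_RE = re.compile(r"client (?P<client>[0-9a-fA-F:.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def count_leaks(log_lines: Iterable[str]) -> Counter:
    """Detection side: count queries per pseudo-TLD in a resolver query log, so an
    operator can see how often names that should never hit the DNS are leaking."""
    leaks: Counter = Counter()
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m is None:
            continue  # not a query line
        suffix = special_use_suffix(m.group("qname"))
        if suffix is not None:
            leaks[suffix] += 1
    return leaks

# Constructed sample log: one client leaking a .onion name twice, one .onion.alt
# name, one mDNS .local name, and one ordinary lookup that is not a leak.
SAMPLE_LOG = [
    "03-Mar-2014 10:25:35.001 client 192.0.2.10#51234: query: the-bieb-is-cool.onion IN A + (192.0.2.1)",
    "03-Mar-2014 10:25:36.002 client 192.0.2.10#51235: query: www.example.com IN AAAA + (192.0.2.1)",
    "03-Mar-2014 10:25:37.003 client 192.0.2.11#40001: query: the-bieb-is-cool.onion.alt IN A + (192.0.2.1)",
    "03-Mar-2014 10:25:38.004 client 192.0.2.12#40002: query: printer.local IN A + (192.0.2.1)",
    "03-Mar-2014 10:25:39.005 client 192.0.2.10#51236: query: www.the-bieb-is-cool.ONION. IN A + (192.0.2.1)",
]

if __name__ == "__main__":
    print(local_answer("the-bieb-is-cool.onion.alt") or "forward")  # NXDOMAIN
    print(dict(count_leaks(SAMPLE_LOG)))  # {'onion': 2, 'alt': 1, 'local': 1}
```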