[DNSOP] draft-bortzmeyer-dname-root-00.txt

George Michaelson <ggm@algebras.org> Wed, 06 April 2016 16:41 UTC

Date: Wed, 6 Apr 2016 13:41:40 -0300
Message-ID: <CAKr6gn3rLUWD+qbKzOpqJ4a8RkA20HHmcQZ7jyNqbB5n+a5N=w@mail.gmail.com>
From: George Michaelson <ggm@algebras.org>
To: dnsop WG <dnsop@ietf.org>, Stephane Bortzmeyer <bortzmeyer@nic.fr>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/JsPNz66aQE3-r3toawCV_ajoCNo>
Subject: [DNSOP] draft-bortzmeyer-dname-root-00.txt

I'd like to make a brief comment to this document.

I see some utility in having DNSSEC apply over special-use names,
because authenticated non-existence is a strong proof of intent, and
would make a 'not in this domainspace' switch have a robust basis.

On that understanding, how would DNAME redirection work for returning
sigs over the NX? Ray's sign-on-the-fly model, which we know works,
could be used to generate signed denial of almost anything, which I
have felt could be applied under ALT quite nicely to ensure a formally
non-existent state is declared.

Another view is that having true delegations permits some to be
formally denied to exist while others can be allocated for use, if the
special-use delegation actually has to exist, e.g. a mapping into a local
anycast bound on 127/8 is the desired target.

Basically, if we did DNSSEC, could we somehow not only say 'doesn't
exist' but specifically say (somehow) "we've signed that this is an
exit label, and isn't simply a declaration it hasn't yet been
delegated"? Maybe I'm overthinking it, but it feels like we could do
something tricky here to make it NX but also make it clear we know it
exists as a label, in denying it.
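The message above turns on what a signed denial can say: "this name does not exist" versus "this label is known, but carries no delegation data". The added example below (editor's illustration, not code from the message, from the draft, or from any sign-on-the-fly implementation) models the validator-side NSEC logic that separates those two forms of denial: NXDOMAIN, proven by NSEC intervals covering the query name and the applicable wildcard, and NODATA, proven by an NSEC owned by the name whose type bitmap lacks the queried type. Signatures are omitted and the zone "example." with its four NSEC records is constructed sample data; the names, the NSEC dataclass and the prove_denial function are all assumptions of this example.

```python
"""NSEC-based authenticated denial, modelled for a constructed zone.

Editor's added example. Only the RFC 4034 canonical ordering and the
NSEC interval / type-bitmap checks are modelled; RRSIG verification is
out of scope. The zone data is constructed sample data for "example.".
"""
from dataclasses import dataclass


def canonical_key(name: str) -> tuple:
    """RFC 4034 section 6.1 canonical DNS name order: labels compared from
    the root downwards, case-insensitively, with a shorter name sorting
    before any name it is a prefix of. Tuple comparison over the reversed
    label list gives exactly that order for ASCII labels."""
    labels = [l.lower() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))


def is_subdomain(name: str, zone: str) -> bool:
    z, n = canonical_key(zone), canonical_key(name)
    return n[: len(z)] == z


@dataclass(frozen=True)
class NSEC:
    owner: str
    next: str
    types: frozenset  # type mnemonics present at owner (the NSEC type bitmap)


def covers(nsec: NSEC, zone: str, qname: str) -> bool:
    """True if qname sorts strictly between nsec.owner and nsec.next.
    The last NSEC in a zone points back to the apex; for it, any name
    in the zone sorting after the owner is covered."""
    q, lo, hi = canonical_key(qname), canonical_key(nsec.owner), canonical_key(nsec.next)
    if hi == canonical_key(zone):
        return lo < q and is_subdomain(qname, zone)
    return lo < q < hi


def prove_denial(zone: str, chain: list, qname: str, qtype: str) -> tuple:
    """Classify what the NSEC chain authenticates about (qname, qtype).

    Returns one of:
      ("EXISTS", owner)            qname owns an NSEC whose bitmap has qtype
      ("NODATA", owner)            qname owns an NSEC whose bitmap lacks qtype
      ("NXDOMAIN", covering, wild) qname and *.closest-encloser are both covered
      ("UNPROVEN", None)           the chain does not prove denial
    """
    if not is_subdomain(qname, zone):
        return ("UNPROVEN", None)
    by_owner = {canonical_key(n.owner): n for n in chain}
    q = canonical_key(qname)
    if q in by_owner:
        n = by_owner[q]
        return ("EXISTS" if qtype in n.types else "NODATA", n.owner)
    covering = next((n for n in chain if covers(n, zone, qname)), None)
    if covering is None:
        return ("UNPROVEN", None)
    # Closest encloser: longest existing ancestor of qname. Every existing
    # name in this constructed zone owns an NSEC, so the owner map suffices.
    ce = q
    while ce not in by_owner:
        ce = ce[:-1]
    wildcard = "*." + ".".join(reversed(ce)) + "."
    wild = next((n for n in chain if covers(n, zone, wildcard)), None)
    if wild is None:
        return ("UNPROVEN", None)  # a wildcard might exist: not an NXDOMAIN proof
    return ("NXDOMAIN", covering.owner, wild.owner)


ZONE = "example."
CHAIN = [  # constructed sample chain, in canonical order; the last entry wraps to the apex
    NSEC("example.",     "a.example.",   frozenset({"SOA", "NS", "DNSKEY", "RRSIG", "NSEC"})),
    NSEC("a.example.",   "alt.example.", frozenset({"A", "RRSIG", "NSEC"})),
    # A name that exists in the zone but carries no NS or DS: the chain can
    # prove the label is present while denying that it is a delegation.
    NSEC("alt.example.", "ns.example.",  frozenset({"TXT", "RRSIG", "NSEC"})),
    NSEC("ns.example.",  "example.",     frozenset({"A", "AAAA", "RRSIG", "NSEC"})),
]

if __name__ == "__main__":
    for qname, qtype in [("zzz.example.", "A"), ("alt.example.", "NS"),
                         ("alt.example.", "TXT"), ("foo.alt.example.", "A")]:
        print(qname, qtype, "->", prove_denial(ZONE, CHAIN, qname, qtype))
```

The two answers for alt.example. are the point: asking for NS yields NODATA (the label exists, there is no delegation), while asking for a name under it yields NXDOMAIN with alt.example. as the closest encloser. Both are signed statements a validator can check, which is the kind of distinction the question above is reaching for.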