IETF Logo Mail Archive

[DNSOP] Re: on the more general problem of delegating to other namespaces in the DNS

Ted Lemon <mellon@fugue.com> Tue, 17 June 2025 17:03 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id E556D360EAED for <dnsop@mail2.ietf.org>; Tue, 17 Jun 2025 10:03:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.799
X-Spam-Level:
X-Spam-Status: No, score=-2.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=fugue.com header.b="qJboaeEk"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="ebUvWz/j"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nO0AQi09WRUU for <dnsop@mail2.ietf.org>; Tue, 17 Jun 2025 10:03:13 -0700 (PDT)
Received: from fout-a5-smtp.messagingengine.com (fout-a5-smtp.messagingengine.com [103.168.172.148]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 8C622360EAE1 for <dnsop@ietf.org>; Tue, 17 Jun 2025 10:03:13 -0700 (PDT)
Received: from phl-compute-06.internal (phl-compute-06.phl.internal [10.202.2.46]) by mailfout.phl.internal (Postfix) with ESMTP id 7D5821380446; Tue, 17 Jun 2025 13:03:13 -0400 (EDT)
Received: from phl-mailfrontend-01 ([10.202.2.162]) by phl-compute-06.internal (MEProxy); Tue, 17 Jun 2025 13:03:13 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue.com; h=cc :cc:content-transfer-encoding:content-type:content-type:date :date:from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to; s=fm2; t=1750179793; x=1750266193; bh=5LDr+z3k28ryQd4Xgcz/UVJZ0Jcwh1JEsBKKybZk+Ug=; b= qJboaeEk0FenGvEGLTrkDV2PMTlsLkEdfgMlzQp6DXGqJHSiEA1rfo3IlLVjbGTY 1y7do1CDRFiqawakIyBthGdUoyC7MetKGW4m4TPS8d0wQs34CYVL2qhbsw/MEzrP Xm0UpUtXktbGPXHyCv0CKhySiYVeAk8AOJb1s8stNSY9RSQmiOhmSNkR9WxnI00K iNZpqhRh6jRDbZM5FgrkIFgzfi9XHfdiDKrL2BRKKQPzb1YfPcNBngQ0NANpt4QM BOqdxup3r5YqVLoEwuV6wmbJBVwvw4cnm+adYckkNpq8ShRPNociqTfSluXwQKbR aDrCAACPmPSjvJNN+AaxgQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:date:feedback-id:feedback-id :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1750179793; x= 1750266193; bh=5LDr+z3k28ryQd4Xgcz/UVJZ0Jcwh1JEsBKKybZk+Ug=; b=e bUvWz/jCtuGa9v1Olgfx3SzvA5o88hKxdcL19ZiiaqKOxfzB+pkbRcWYT2GvySj+ l/J/oxw3YVcpmRzLwEOeMgORwyrGkp6B5j66OSISeOHmHVzlOWtzRuKSbyVzOZ6r 440HyvHJnsR3e2mfgqek5Jyqn3WUCKVFjJbj75R0LWDeJvookWmVFN0cs2PFlFtc nzWMtQzlA5SgZmRh5WhE/1J/ww5Owd1WjDS9t//A4oWqNmRKVMX8RQhhI/ll/aMq KNNx/AI2OSwLRTIGOfmN4AMefC4LITu7i0ph2immROCQjnuFZ59LUdGdN/vQzodi p6I5NOkSolVZDagSG4/2g==
X-ME-Sender: <xms:0Z9RaH25ZT5CmnZhBzxOolr6eeJF7DBA2itkV0VolbZzQA09Z0YBxA> <xme:0Z9RaGFkKKOL564KbPuzvgF_GiCm1F4LjUlR6NTpLGSaAo-ADoHnMJFzTLg8_lk8G ifKSRHTE3RJY2CYM0A>
X-ME-Received: <xmr:0Z9RaH47LmGIoeOh25DcaZUGdkyB2EDZpD5LgRpcbyk-uA_wXhzM_85tCBa9eyr8oDj8PqE5I_s7A_eUyWlMZvBKxfsLexBMYi2HgxKRTkBaFcQbaA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeffedrtddvgdejfecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpggftfghnshhusghstghrihgsvgdpuffr tefokffrpgfnqfghnecuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnth hsucdlqddutddtmdenucfjughrpegtggfuhfgjffevgffkfhfvofesthhqmhdthhdtvden ucfhrhhomhepvfgvugcunfgvmhhonhcuoehmvghllhhonhesfhhughhuvgdrtghomheqne cuggftrfgrthhtvghrnhepudfhieeugfdtteelveetieevudejhefgieeileeujeeigeei vdfgteevhfehueetnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilh hfrhhomhepmhgvlhhlohhnsehfuhhguhgvrdgtohhmpdhnsggprhgtphhtthhopedvpdhm ohguvgepshhmthhpohhuthdprhgtphhtthhopehjrggslhgvhiesshhtrhgrnhgukhhiph drnhhlpdhrtghpthhtohepughnshhophesihgvthhfrdhorhhg
X-ME-Proxy: <xmx:0Z9RaM30LUuxcReTHpddClNDR-3AHp3LyHn-25V7pB_h1v_IZLi4Rg> <xmx:0Z9RaKEtwfs_oRI1pobXBaQAQHmEbv6APzNSxAA2yywxZjAG-VPq5w> <xmx:0Z9RaN-vke99QykZ3elqBvNkmDK0LhYj0DDIInI-oGGmF52HzN_b4Q> <xmx:0Z9RaHnNO9u2zuFRzqytLF1c8VqWSYxI-d_QxJ9oZXP32XWBMLc51w> <xmx:0Z9RaHchl-CWiw73E9rKVKUV0cjIu_9w4EvDe_PDbiyi_-h7OdIw9ez7>
Feedback-ID: i1136489e:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 17 Jun 2025 13:03:12 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3856.100.4\))
From: Ted Lemon <mellon@fugue.com>
In-Reply-To: <09B4AA94-A98A-43FC-8CB6-2132296FD915@strandkip.nl>
Date: Tue, 17 Jun 2025 19:03:01 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <72D49F73-DA85-46C4-8D71-9B657A7F1A20@fugue.com>
References: <761F6D32-25FE-4742-9682-819A338C8EC9@strandkip.nl> <86992F96-FC07-4F86-89C8-C6C6183EA484@fugue.com> <09B4AA94-A98A-43FC-8CB6-2132296FD915@strandkip.nl>
To: Joe Abley <jabley@strandkip.nl>
X-Mailer: Apple Mail (2.3856.100.4)
Message-ID-Hash: OZNZV34OYOAHVJK6S5ZLRTKGE6UM4NYJ
X-Message-ID-Hash: OZNZV34OYOAHVJK6S5ZLRTKGE6UM4NYJ
X-MailFrom: mellon@fugue.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: on the more general problem of delegating to other namespaces in the DNS
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/L74KQBjgkpBSKUog3Jb_ZWqsfVQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

It's possible that for .local it's not needed. The other RFCs are actually for DNS-protocol uses that are locally-served and hence can't have secure delegations. That means that the secure delegation mechanism you propose here won't work for those domains, but that's okay. I also don't see any urgency to this, since AS112 works, but if this is better than AS112, maybe we should switch.

> On 17 Jun 2025, at 18:51, Joe Abley <jabley@strandkip.nl> wrote:
> 
> Hi Ted,
> 
> On 17 Jun 2025, at 18:45, Ted Lemon <mellon@fugue.com> wrote:
> 
>> This looks good.
> 
> Glad you like it!
> 
>> we'll do some A/AAAA queries to root, but presumably these will be negative cached so it won't be a huge load?
> 
> Both certainly seem possible. This is the Wes-science placeholder that I alluded to, earlier. I don't actually know what he has found, yet, since I had to get on a plane.
> 
>> If this really is better, then we should consider also updating RFC6303, RFC8375 and RFC9665, and also adding a similar delegation for .local. RFC6762 doesn't address this at all.
> 
> As currently written, this would not be applicable to .LOCAL or .ALT or .ONION or anything that acts as an anchor for non-DNS resolution protocols.
> 
> The thinking here was that (a) the resolution switch in those examples happens in or very close to the application, so there are other ways for applications to know those names exist and (b) those names really shouldn't exist in the DNS as well as those other name resolution protocols, kind of by definition, and introducing that kind of ambiguity would be a bit of a regression.
> 
> Quite possibly we have missed some potential benefit, though.
> 
> 
> Joe
>

v2.36.0 | Report a Bug | By Email | System Status