IETF Logo Mail Archive

Re: [DNSOP] ALT-TLD and (insecure) delgations.

Mark Andrews <marka@isc.org> Wed, 08 February 2017 22:41 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D3F71294A4 for <dnsop@ietfa.amsl.com>; Wed, 8 Feb 2017 14:41:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.902
X-Spam-Level:
X-Spam-Status: No, score=-6.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z0WFKgt1nX2V for <dnsop@ietfa.amsl.com>; Wed, 8 Feb 2017 14:41:39 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6608B129DB7 for <dnsop@ietf.org>; Wed, 8 Feb 2017 14:41:39 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id CED913494F5; Wed, 8 Feb 2017 22:41:36 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id B9358160077; Wed, 8 Feb 2017 22:41:36 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id A8A5A160076; Wed, 8 Feb 2017 22:41:36 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id mIWqvq51wRGN; Wed, 8 Feb 2017 22:41:36 +0000 (UTC)
Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 22D32160054; Wed, 8 Feb 2017 22:41:36 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 256CC635E87D; Thu, 9 Feb 2017 09:41:31 +1100 (EST)
To: Ted Lemon <mellon@fugue.com>
From: Mark Andrews <marka@isc.org>
References: <CAH1iCiqXohb_7LsQ2EMo8ZB-t20mKq_nUDS8vebhtSXoM13DTg@mail.gmail.com> <20170203210922.7286C618213C@rock.dv.isc.org> <CAH1iCipKwcOsMQY3kjvSZ42LMK37GLD6GP2AVtnWK0c83k-RiA@mail.gmail.com> <20170207040552.8BDCC632F192@rock.dv.isc.org> <3581BE55-B178-4298-8EE8-73FD16B4216D@gmail.com> <D4C0D518-A3ED-4555-93DA-2EA12D82A662@fugue.com> <CAHw9_iK7Vt+ZNw8=E-b+w9gGhwB9fZNqHYp2pqKqT__RgcDttQ@mail.gmail.com> <5CA637EE-C0B6-4E5C-A446-A84431176D0C@fugue.com> <20170207205554.B6974633BE40@rock.dv.isc.org> <18F2EB0D-5BD0-4CC5-B02C-2E5EA0B8CC23@fugue.com> <20170207214846.B66EF633C6C5@rock.dv.isc.org> <FB835756-2C46-40A9-88ED-2F8ADF812BA6@fugue.com> <20170208052544.862956356F33@rock.dv.isc.org> <FFAFD844-824C-44EA-A4B1-1AD28B4FE95C@fugue.com> <20170208060208.8C8E1635864D@rock.dv.isc.org> <E0A42577-0984-4ADD-8658-91413CBE783D@fugue.com> <20170208194208.DB02C635DD72@rock.dv.isc.org> <00767076-FA43-42C0-A4AF-39F4E1087F11@fugue.com> <20170208203018.CF0B5635DFA1@rock.dv.isc.org> <A6839264-7054-4A08 -828B-66BFA6C94352@fugue.com>
In-reply-to: Your message of "Wed, 08 Feb 2017 16:12:57 -0500." <A6839264-7054-4A08-828B-66BFA6C94352@fugue.com>
Date: Thu, 09 Feb 2017 09:41:31 +1100
Message-Id: <20170208224131.256CC635E87D@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/LCLpMK3F8vCMhaQP4fQkSbrqxvs>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, Brian Dickson <brian.peter.dickson@gmail.com>
Subject: Re: [DNSOP] ALT-TLD and (insecure) delgations.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Feb 2017 22:41:44 -0000

In message <A6839264-7054-4A08-828B-66BFA6C94352@fugue.com>, Ted Lemon writes:
>
> On Feb 8, 2017, at 3:30 PM, Mark Andrews <marka@isc.org> wrote:
> > And if the service has the same privacy issues as .onion has?
> >
> > So we leak names until every recursive server in the world is
> > validating (what % is that today?) and supports agressive negative
> > caching (still a I-D).
>
> I feel like I am arguing with a wall, so if this doesn't work I will just
> give up.   But if it's okay for us to ask resolvers to make a chance, it
> is okay for us to ask resolvers to make the right change.   And if they
> don't, yes, it's possible that some queries will leak.   There is nothing
> we can do to prevent that other than harden caching servers and stub
> resolvers; if we are going to do that, we might as well do it right, by
> caching the full proof of nonexistence, rather lying about what's in the
> root zone.

Actually we can do something that doesn't require that validation
be enabled.  We don't have to create that linkage.  It's not like
the names are not supposed to exist.  They do/will exist and not
as in they are/will be squatted upon.

Oh sorry, you can't have privacy unless you validate.  And only
because people are too scared to ask for changes to the root
zone to add a delegation.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email