Re: [DNSOP] ALT-TLD and (insecure) delgations.
Warren Kumari <warren@kumari.net> Wed, 01 February 2017 22:38 UTC
Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA3491295EC for <dnsop@ietfa.amsl.com>; Wed, 1 Feb 2017 14:38:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IOV_NCZxljme for <dnsop@ietfa.amsl.com>; Wed, 1 Feb 2017 14:38:20 -0800 (PST)
Received: from mail-qt0-x22a.google.com (mail-qt0-x22a.google.com [IPv6:2607:f8b0:400d:c0d::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7EA2D129608 for <dnsop@ietf.org>; Wed, 1 Feb 2017 14:38:20 -0800 (PST)
Received: by mail-qt0-x22a.google.com with SMTP id w20so216375093qtb.1 for <dnsop@ietf.org>; Wed, 01 Feb 2017 14:38:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=KsgDQuXEEG6uWQw5DZf8NzhaUdfVvvcCv6gNknDbKKw=; b=nbSNnrzxhBh12C47fEpjMWLpYriGQiqII1KN2qub+u/xWn0hoRaTsNnj1CHVoB1+oF KVXe+ibl4ZuFpRzTHejQUBebUSgGVka19RhIrJCTL2zyC5AguuG0ROEWlfucI5Gh5pLQ tWoNczETa03c5faaQzkNgMfLfzYSyGzi6Bu+mLR++OG5c7BH0B/U+rN9F/h7i9a3Tklu 12p5BlwlCqmj4u73QWzfbxzLQVqQmeEFSbhZNMCyi0M0DgGp/758QlwwACHuv7OSiCmW BMtzsjrUDaomn2QJxUkmcPI4fRrHJo0dE43RJQRUWdptoATrKdHK3mN1TbK6N06ZL4bY Bguw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=KsgDQuXEEG6uWQw5DZf8NzhaUdfVvvcCv6gNknDbKKw=; b=N/nJvJz4RFWHLBPWcTmFAh4h2sN2z5QzksOHnekfVFjp3GMykISCtwD08ztXPB8YIZ hx09xux9CahUBt+laGVtHlkE8ed7b94P6IaqNE/Iec7/9Qd3lrxBU6DP4XEcQrG8nPGq yFaZsHBc5NhJBcLx2YpPeSvZQU0F/qoS0IU9khtai/1ALNI5KvJvbVZ9Ae2ZXpd0zgKk UoBsqg4F5A1Ron3M5kQqrB/j+nR7lkB2fMlfwyabUnFqfS4wfZ4JzhbQgdvcJ4kv77vV iZEDMU067gHXulk+w2ys2VUv6bjKddGzgvNO1orfkdxndyQMsZKNZyeMSNytYtzvZaD7 WiZA==
X-Gm-Message-State: AMke39lLvqLJVmLpD7s6omd5ui8DFSXM7b0uOS+8wqChKGdiyPPMRr6/R1U5DuKFNK3AkXEEJ53I/JM4b5KGQ83L
X-Received: by 10.55.212.157 with SMTP id s29mr5628089qks.240.1485988698769; Wed, 01 Feb 2017 14:38:18 -0800 (PST)
MIME-Version: 1.0
Received: by 10.12.179.19 with HTTP; Wed, 1 Feb 2017 14:37:48 -0800 (PST)
In-Reply-To: <20170201204455.6nymmjlj5lzq2ect@mycre.ws>
References: <CAHw9_i+8PA3FQx8FqW-xQ_96it7k-g5UrMB7fxARUi1gwQ++hw@mail.gmail.com> <20170201204455.6nymmjlj5lzq2ect@mycre.ws>
From: Warren Kumari <warren@kumari.net>
Date: Wed, 01 Feb 2017 17:37:48 -0500
Message-ID: <CAHw9_iL4F6Kk1CpRT53NyeE-oh7qmeG_W=2GRAsTETYM_SKJfQ@mail.gmail.com>
To: Robert Edmonds <edmonds@mycre.ws>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/LEOuOTLk4tId37hxzT47wDcZBog>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] ALT-TLD and (insecure) delgations.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Feb 2017 22:38:22 -0000
I'm sorry, I apparently did some overly aggressive editing of my mail before sending it (or I'm completely confused, which is ALWAYS a possibility). In order to try and stop leaks, the draft requests that the domain be added to the "Locally Served Zones" registry. This means that, when a validating stub A goes off and queries it's recursive server B for 'foo.alt', it will get back an (authoritative) answer from B, saying that there is nothing under .alt -- e.g: # dig foo.alt @204.194.23.4 ; <<>> DiG 9.11.0-P2 <<>> foo.alt @204.194.23.4 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36039 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: 0797210975d60eb10da3940d58926228926455130e02e825 (good) ;; QUESTION SECTION: ;foo.alt. IN A ;; AUTHORITY SECTION: alt. 604800 IN SOA alt. alt. 1 604800 86400 2419200 604800 ;; Query time: 0 msec ;; SERVER: 204.194.23.4#53(204.194.23.4) ;; WHEN: Wed Feb 01 17:33:12 EST 2017 ;; MSG SIZE rcvd: 100 I **think** (perhaps incorrectly!), that when the validating stub (A) tries to validate this, it will see that there is an NSEC at the root which says that there is nothing between 'alstom' and 'am'. This makes it look like someone has tried to make .alt sprint into existence -- I had thought that the correct error for that is SERVFAIL, not NXD, but it is entirely possible that I'm wrong.... W On Wed, Feb 1, 2017 at 3:44 PM, Robert Edmonds <edmonds@mycre.ws> wrote: > Warren Kumari wrote: >> The largest outstanding issue is what to do about DNSSEC -- this is >> (potentially) a problem for any / all 6761 type names. >> The root is signed, so if a query leaks into the DNS (as they will), >> an (unaware) validating resolver will try resolve it, and will expect >> either a signed answer, or proof of an insecure delegation; without >> this things will look bogus, and so resolvers will SERVFAIL. >> >> Clearly, a signed answer isn't feasible, so that leaves 2 options - 1: >> simply note that validation will fail, and that SERVFAIL will be >> returned in many case (to me this seems "correct"), or 2: request that >> the IANA insert an insecure delegation in the root, pointing to a: >> AS112 or b: an empty zone on the root or c" something similar. > > Hi, Warren: > > I'm kind of confused. If a .ALT query leaks into the DNS, and there's > neither a secure or insecure delegation in the root, isn't the result a > signed NXDOMAIN, not a SERVFAIL? > > ; <<>> DiG 9.11.0-P1 <<>> +dnssec foo.alt > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36917 > ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1 > > -- > Robert Edmonds -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
- [DNSOP] ALT-TLD and (insecure) delgations. Warren Kumari
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ted Lemon
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Robert Edmonds
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Bob Harold
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ralph Droms
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Mark Andrews
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Bob Harold
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ted Lemon
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Mark Andrews
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ralph Droms
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ralph Droms
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Warren Kumari
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Warren Kumari
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Mark Andrews
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Stephane Bortzmeyer
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Suzanne Woolf
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Suzanne Woolf
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Suzanne Woolf
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ralph Droms
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ted Lemon
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Andrew Sullivan
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ted Lemon
- Re: [DNSOP] ALT-TLD and (insecure) delgations. George Michaelson
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Andrew Sullivan
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Andrew Sullivan
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ray Bellis
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Mark Andrews
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ted Lemon
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ted Lemon
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Mark Andrews
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Suzanne Woolf
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Olafur Gudmundsson
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ted Lemon
- Re: [DNSOP] ALT-TLD and (insecure) delgations. John Levine
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ted Lemon
- Re: [DNSOP] ALT-TLD and (insecure) delgations. John R Levine
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ted Lemon
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ólafur Gudmundsson
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Jim Reid
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ralph Droms
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ray Bellis
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ted Lemon
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ólafur Gudmundsson
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ted Lemon
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Suzanne Woolf
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ray Bellis
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Suzanne Woolf
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ray Bellis
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Tony Finch
- Re: [DNSOP] ALT-TLD and (insecure) delgations. John Levine
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ray Bellis
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Woodworth, John R
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Stephane Bortzmeyer
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Stephane Bortzmeyer
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ted Lemon
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Stephane Bortzmeyer