IETF Logo Mail Archive

Re: [DNSOP] Alternative Special-Use TLD problem statement draft

"Adrien de Croy" <adrien@qbik.com> Thu, 07 April 2016 01:44 UTC

Return-Path: <adrien@qbik.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCEBD12D121 for <dnsop@ietfa.amsl.com>; Wed, 6 Apr 2016 18:44:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JMI1c4KNbr4e for <dnsop@ietfa.amsl.com>; Wed, 6 Apr 2016 18:44:47 -0700 (PDT)
Received: from smtp.qbik.com (smtp.qbik.com [122.56.26.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF39E12D111 for <dnsop@ietf.org>; Wed, 6 Apr 2016 18:44:46 -0700 (PDT)
Received: From [192.168.1.146] (unverified [192.168.1.146]) by SMTP Server [192.168.1.3] (WinGate SMTP Receiver v8.5.6 (Build 4877)) with SMTP id <0000692730@smtp.qbik.com>; Thu, 07 Apr 2016 13:44:44 +1200
From: Adrien de Croy <adrien@qbik.com>
To: David Conrad <drc@virtualized.org>
Date: Thu, 07 Apr 2016 01:44:44 +0000
Message-Id: <emd2f2d460-e339-4109-8281-eac232cc7cd6@bodybag>
In-Reply-To: <31B0EB50-A8EB-42DE-BDFE-CF0972A40C30@virtualized.org>
User-Agent: eM_Client/6.0.24928.0
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="------=_MBDBA06E28-A30E-4747-AB0A-921D0A8FA288"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/LqMncMF1IKyrOjVp1bdd5Cses5w>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Subject: Re: [DNSOP] Alternative Special-Use TLD problem statement draft
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: Adrien de Croy <adrien@qbik.com>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Apr 2016 01:44:50 -0000


OK, if we look at those 1 at a time.

RFC1918 defines private IP address ranges.

Stating that a reverse lookup for a private IP should never be encoded 
onto a DNS packet and sent to a DNS server flies in the face of 
practice, and there are many many useful scenarios where this is done.

I don't think we are being precise enough when we say "shouldn't hit the 
DNS".  PTR lookups for private IPs is a case where we do it all the time 
on private networks - use DNS to query a local DNS server for the name 
associated with a private IP.  If we took this to heart and prevented 
this by special casing such lookups in our DNS resolver code, we would 
break a lot of legitimate stuff.

It gets more blurred when your ISP assigns you a private IP address.  In 
this case PTR lookups for addresses in the subnet may well be legitimate 
against the ISP's name server.


Looking then at 2606

the top level reserved names

.test
.example
.invalid
.localhost

and

example.com
example.net
example.org

It's clear that the reservation of the second level domains is not 
behaving as we intend with 6761, since I can do a resolution of these 
names with DNS, and connect to the servers with HTTP.

As for the top level ones, localhost is about the only one where you 
typically see actual special code in resolvers AFAICT.

It's one thing to reserve a TLD.  It's another thing to actually use it 
for something non-DNS.

I don't have a problem with necessarily reserving TLDs to never be used. 
  But DNS resolvers should not be making decisions about that, and as 
soon as you reserve one, and then start using it you have these leakage 
problems that TOR is seeing.

I'm also not convinced that there is an "Internet namespace" that's 
usefully different to and a superset of the DNS namespace.  It seems a 
bit of a logical paradox to have the universe being bigger than the tree 
but also being in the tree.  Or is "Internet namespace" the new name for 
the DNS namespace and DNS namespace has been demoted to only being the 
part of the tree that is left after you add these other TLDs.  Seems a 
bit circular to me.

So, we're left with the 1 single TLD that is the problem and that's 
.onion, and regardless of the problems that is demonstrating, we wish to 
roll out more of these.

Adrien



------ Original Message ------
From: "David Conrad" <drc@virtualized.org>
To: "Adrien de Croy" <adrien@qbik.com>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Sent: 7/04/2016 1:19:58 p.m.
Subject: Re: [DNSOP] Alternative Special-Use TLD problem statement draft

>Adrien,
>
>>  I think we still need to answer the question about whether DNS 
>>namespace should be polluted for non-DNS resolution.
>
>I believe your question is wrong.
>
>The "DNS namespace" can't be polluted for non-DNS resolution because 
>the DNS namespace is, by definition, only comprised of names that can 
>be resolved via the DNS.  The "Internet namespace" is larger than that. 
>  Even before RFC 6761, there were names that should never hit the DNS, 
>specified in RFCs 2606 and 1918. RFC 7686 added "onion". A number of 
>folks want to add more.
>
>In my view, the real question here is what is the distinguishing 
>characteristic(s) and processes by which an "Internet name" is 
>categorized as a "DNS name" (which, at least at the top level, 
>presumably falls under ICANN community-defined policies) and those fall 
>under a different categorization.
>
>Regards,
>-drc
>(speaking only for myself)
>
>
>

v2.23.0 | Report a Bug | By Email