IETF Logo Mail Archive

Re: [DNSOP] followup and proposed actions: RFC 6761 interim and next steps

Francisco Obispo <fobispo@uniregistry.com> Tue, 26 May 2015 19:49 UTC

Return-Path: <fobispo@uniregistry.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 724311A0010 for <dnsop@ietfa.amsl.com>; Tue, 26 May 2015 12:49:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.011
X-Spam-Level:
X-Spam-Status: No, score=-0.011 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eXlOcGer3bnl for <dnsop@ietfa.amsl.com>; Tue, 26 May 2015 12:48:56 -0700 (PDT)
Received: from zimbra1.uniregistry.com (zimbra1.uniregistry.com [162.221.214.42]) by ietfa.amsl.com (Postfix) with ESMTP id 95C911A005B for <dnsop@ietf.org>; Tue, 26 May 2015 12:48:56 -0700 (PDT)
Received: from zimbra1.uniregistry.com (localhost [127.0.0.1]) by zimbra1.uniregistry.com (Postfix) with ESMTP id 02C63884A27; Tue, 26 May 2015 19:48:54 +0000 (UTC)
Received: from zimbra1.uniregistry.com (localhost [127.0.0.1]) by zimbra1.uniregistry.com (Postfix) with ESMTP id B7110884A2C; Tue, 26 May 2015 19:48:53 +0000 (UTC)
Received: from [64.96.164.20] (unknown [64.96.164.20]) by zimbra1.uniregistry.com (Postfix) with ESMTPSA id 2BB92884A27; Tue, 26 May 2015 19:48:52 +0000 (UTC)
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
Content-Type: multipart/signed; boundary="Apple-Mail=_B3E86AA3-08D6-4088-B7C4-147024F36FEF"; protocol="application/pgp-signature"; micalg="pgp-sha256"
X-Pgp-Agent: GPGMail 2.5b6
From: Francisco Obispo <fobispo@uniregistry.com>
In-Reply-To: <F28C4DE3-12CF-462D-BB55-5A02CA364173@interisle.net>
Date: Tue, 26 May 2015 12:48:49 -0700
Message-Id: <47EE9472-3E0C-4FA8-A058-8A288675C936@uniregistry.com>
References: <0CB7A66E-B6C9-4FE7-8452-172A5CF48895@gmail.com> <F28C4DE3-12CF-462D-BB55-5A02CA364173@interisle.net>
To: Lyman Chapin <lyman@interisle.net>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/Mx0WFWD_p496y-w-B4tYHtiBbeM>
Cc: Suzanne Woolf <suzworldwide@gmail.com>, dnsop WG <dnsop@ietf.org>, Mark McFadden <mark@mcfaddencentral.com>
Subject: Re: [DNSOP] followup and proposed actions: RFC 6761 interim and next steps
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2015 19:49:00 -0000

> 
> On May 26, 2015, at 11:50 AM, Lyman Chapin <lyman@interisle.net> wrote:
> 
> Hi Suzanne -
> 
>> HOME/CORP/MAIL (draft-chapin-additional-reserved-tlds-02):
>> 
>> * This is the most controversial of the RFC 6761 drafts and the one most driven by policy concerns
> 
> It is not driven by policy concerns; it is driven by operational concerns, and I have heard almost no one in the WG discussion argue that these three names should *not* be withdrawn/reserved (and I say "almost" just to be safe, as I haven't checked thoroughly enough to omit it).
> 

I’m against withdrawing/reserving these names.


>> * The draft assumes that these names are commonly being used in local DNS contexts and often “leak” into the public internet. Specific uses are not documented.
> 
> The draft does not "assume" this, it "recognizes" or "observes" it. "Assumes" suggests that the authors of the draft weren't really sure about the local-context usage of these names, and so just "assumed" that it was was a problem. Specific uses are of course documented in great detail in the name collision study report (https://www.icann.org/en/system/files/files/name-collision-02aug13-en.pdf), which is 197 pages long and presumably would not be welcome as a cut-and-paste addition to a document intended only to follow the rules established by RFC 6761 for adding names to the special-use names register.
> 

It makes a lot of assumptions. As a TLD operator, I have not seen any operational problems with the names that were under names collision. This does not mean there there aren’t any.

Taking an excerpt fromR RFC6761:

   Now, suppose a
   developer were to use this special "guaranteed nonexistent" name,
   "knowing" that it's guaranteed to return NXDOMAIN, and suppose also
   that the user's DNS server fails to return NXDOMAIN for this name.
   The developer's software then fails.  Who do the user and/or
   developer complain to?  ICANN?  The IETF?  The DNS server operator?
   If the developer can't depend on the special "guaranteed nonexistent"
   name to always return NXDOMAIN, then the special name is worthless,
   because it can't be relied on to do what it is supposed to.


How is the IETF supposed to “guarantee nonexistence” ? how is ICANN going to do it?

In my opinion, defining it in “Protocol” won’t fix it, because we’re talking about “private” networks not “intended” to be connected to the Internet leaking traffic to the outside world, this is going to happen regardless of what the IETF does or does not do.

I believe there is a bigger security risk when I can’t register the name and not have a full top-down DNSSEC validation chain for my users. What is the message that we want to send?,

“… sure use .HOME for local networks because it’s guaranteed that you’ll never receive an address there, so you can trust that the IP that you are receiving comes from your intranet.."


>> * The most commonly used justification for this reservation was the risk of name collision if ICANN delegates these names in the production root zone.
> 
> More specifically, with respect to why this matters to the IETF, the justification was the risk of operational instability when names that were chosen to anchor local domain name trees precisely because they "will never resolve in the global DNS" are actually resolved by the global DNS.

Those names were resolving (in some cases) before the new GTLD program started, NX Redirection is not new within ISPs.

How do we measure the real Risk? how do we balance risk vs. benefits? I have not seen any hard data on the risk just speculations.

I have seen people implement Intranet names under COM they don’t own, but they used them for their own local network, is there a risk here? is it the same risk?, I personally think there isn’t any, people are free to shoot themselves in the foot at any time, having them wear steel toe shoes won’t solve the problem.

> 
>> * Since ICANN has said that they’re not currently planning to delegate these names, the justification further seems to assume that ICANN’s assurance of this is not a sound basis for believing that risk is contained
> 
> ICANN's decision is in the realm of policy. It is in no way disrespectful of ICANN to say that a policy decision to withhold "for now" the delegation of specific names is not the same as an operational stability decision to permanently reserve those names for local ("special") use.

If they want to be “reserved” for local use, I’m ok with it in the sense that it can be done, lets not waste time then on the assumptions and draft a document that describes those three TLDs as reserved for local use and turn the page.


> 
>> * There were questions about how to quantify name collision risk, or otherwise set a threshold for what operational characteristics of the appearance of a given name in the public internet would justify a conclusion that it should be “protected” by the IETF from delegation in the production root zone
> 
> That's not what our draft was about. Our draft was about following the rules duly established by RFC 6761 to add 3 specific strings to the special-use names registry. Full stop.
> 

If we want to make assumptions, I’ll make one:

I believe the delegation of HOME/CORP/MAIL provides with more benefit than risks, there will be more companies/homes and mail users happy because their names resolve from everywhere, they can validate with DNSSEC, they can opt who can connect to their networks and no longer require domain hacks to get their users to go to the right places.

If the problem is really about the “intent” that those TLDs where meant to be used “locally”, reserving them “forever” seems for a really long time, I would leave enough room to revisit this in the future because the TLD will outlive the systems that were misconfigured, and also the people who are in this forum (including me).

I much rather like to see us work on a transition plan on how to delegate them and not withdraw them in stone “forever”.

Best regards,



> - Lyman
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

Francisco Obispo
CTO - Registry Operations
____________________________

 <http://www.uniregistry.com/>
2161 San Joaquin Hills Road
Newport Beach, CA 92660

Office +1 949 706 2300 x4202
fobispo@uniregistry.link

v2.23.0 | Report a Bug | By Email