Re: [DNSOP] Mitigation of name collisions

"Paul Hoffman" <> Mon, 19 September 2016 02:01 UTC

From: Paul Hoffman <>
To: John R Levine <>
Date: Sun, 18 Sep 2016 19:01:00 -0700

On 18 Sep 2016, at 15:21, John R Levine wrote:

>> It is impossible to measure the effectiveness without knowing how 
>> many collision queries are just noise (queries that will cause no 
>> noticeable damage if they started coming back with results).
> Agreed.  I don't see how to find that out in ways that are not hard to 
> back out if it turns out the damage is as bad as we fear.

I do see that, but that's a discussion for a different time and place. 
(Unless this WG re-adopts corp/home/mail, of course.)

>> In the case of mitigation through wildcard-to-localhost, it is safe 
>> to assume that many organizations did in fact mitigate; we simply 
>> can't tell how many or when.
> How come?

Because a few of them told me they did.

> I'm not denying it's possible, but I've never seen any evidence that 
> there were collisions to mitigate.

You of all people should know that "people do dumb things with the DNS". 

> Before the approach, some TLDs tried reserving the names 
> that showed up in DITL snapshots, and those names looked to me totally 
> random, likely generated by something that was trying to see whether 
> some piece of namespace was wildcarded.

As we saw at the collisions workshop, DITL data is poorly suited for 
following collisions because you can't tell how much is coming from 
organizational resolvers that are in front of a poorly-chosen name and 
how many are from upstream ISPs.

>> (Disclaimer: I'm now on ICANN staff, but well before I was, I wrote 
>> "Guide to Name Collision Identification and Mitigation for IT 
>> Professionals" for ICANN.)
> A fine document for people who already realize they need to deal with 
> collisions, not so much for people who don't realize they exist or 
> assume they're someone else's problem.

Correct. It has been helpful, though, at least to organizations seeing

--Paul Hoffman