Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

Bob Harold <rharolde@umich.edu> Tue, 18 October 2016 15:15 UTC

In-Reply-To: <20161014195139.12D4656AD777@rock.dv.isc.org>
References: <20161014133135.2n3wuh2n5sb3jqt7@nic.fr> <alpine.LRH.2.20.1610141002540.16905@bofh.nohats.ca> <20161014140905.saqke7xyferwtrig@nic.fr> <alpine.LRH.2.20.1610141146120.21572@bofh.nohats.ca> <20161014195139.12D4656AD777@rock.dv.isc.org>
From: Bob Harold <rharolde@umich.edu>
Date: Tue, 18 Oct 2016 11:15:32 -0400
Message-ID: <CA+nkc8ASvjQkSqqGQuRSnuxZy=TC3LBf+8EyTtM+VkOCWeY-ww@mail.gmail.com>
To: Mark Andrews <marka@isc.org>
Content-Type: multipart/alternative; boundary="94eb2c035578e9edf0053f25292d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/QFFDmip1_r4V_bsOg8iZbPR0pO4>
Cc: dnsop <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>
Subject: Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

On Fri, Oct 14, 2016 at 3:51 PM, Mark Andrews <marka@isc.org> wrote:

>
> In message <alpine.LRH.2.20.1610141146120.21572@bofh.nohats.ca>, Paul
> Wouters writes:
> > On Fri, 14 Oct 2016, Stephane Bortzmeyer wrote:
> >
> > >     "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?
> > >
> > > On Fri, Oct 14, 2016 at 10:04:21AM -0400,
> > > Paul Wouters <paul@nohats.ca> wrote
> > > a message of 19 lines which said:
> > >
> > >> But by adding delegations in the root to AS112, aren't we making it
> > >> more likely that the queries leak further onto the net?
> > >
> > > That's precisely the point described in section 6, second paragraph.
> >
> > The difference is between "doing the draft and reducing the problem
> > caused" versus "this problem is big enough to not do the draft".
> >
> > I do not know yet where I stand on this. I do feel that since we are
> > talking about "bad old DNS software" that wouldn't already be suppressing
> > special use names, it is most likely that this old software also does
> > not support DNAMEs.
> >
> > Paul
>
> An alternative is to insecurely delegate .local to the root servers
> themselves and to request that recursive servers maintain their own
> empty .local.  The roots will then get just DS queries for .local
> when there is a validating recursive client behind the recursive
> server that is leaking <foo>.local queries into the DNS.
>
> The same solution also works for .onion.
>
> Having a local copy of the root zone still works with this.
>
> This stops leaks of <foo>.local to the root servers which qname
> minimisation doesn't.  The extent of the leak is that you know
> .local is in use when you have a validating recursive client.
>
> Mark
>

I would think that the best approach might be:
- insecure delegation to 127.x.x.x, so that queries do not leak past the
host of the local resolver.  This is the best we can do for the CPE
equipment and other resolvers that will not be updated until they are
replaced.
- add .local to resolvers that do update, so they don't bother trying to
query 127.x.x.x
- local root is still an option, and reduces queries to the root even more.

This does not cause any additional load on the AS112 servers.

-- 
Bob Harold
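As an added illustration (not from the thread), here is what the two halves of the proposal look like in zone-file syntax: a root-zone fragment that delegates local. without a DS record, and the empty local. zone a recursive server would load authoritatively; the NS and contact names used for the 127.x.x.x variant are assumed placeholders.

```dns
; --- Root zone fragment (illustrative, not the real root zone) ---
; Insecure delegation of local.: NS records but NO DS record.  The signed
; NSEC/NSEC3 at the delegation point proves the DS is absent, so a validator
; classifies everything under local. as "insecure" and will accept unsigned
; answers for it from its recursive server.
local.                  IN  NS  a.root-servers.net.   ; Mark's variant: delegate
local.                  IN  NS  b.root-servers.net.   ; back to the roots
; Bob's variant instead points the delegation at loopback (placeholder names),
; so a leaked query from an un-updated resolver never leaves its own host:
; local.                IN  NS  ns.local.
; ns.local.             IN  A   127.0.0.1             ; glue: loopback only

; --- Recursive server: locally served empty local. zone ---
; Loaded as an authoritative zone (e.g. BIND: zone "local" { type master;
; file "empty.local"; };).  Every <foo>.local query gets NXDOMAIN here and is
; never sent to the root or to AS112.  Only a validating client's "DS local.?"
; query still reaches the root, to fetch the proof of insecurity above.
$TTL 10800
@       IN  SOA @ . ( 1 3600 1200 604800 10800 )
@       IN  NS  @
```

A quick check on the recursive server: `dig @<recursive> foo.local A` should return NXDOMAIN with the AA flag set, and upstream traffic for local. should be limited to DS queries from validating clients.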