[DNSOP] Re: [Ext] Re: Call for Adoption: draft-davies-internal-tld

Mark Andrews <marka@isc.org> Thu, 01 May 2025 22:40 UTC

From: Mark Andrews <marka@isc.org>
Date: Fri, 02 May 2025 08:40:02 +1000
To: Paul Hoffman <paul.hoffman@icann.org>
CC: Ted Lemon <mellon@fugue.com>, "dnsop@ietf.org WG" <dnsop@ietf.org>
In-Reply-To: <4E28195C-BFF2-470D-BA89-23F6F5B6255C@icann.org>
Message-Id: <79E4E989-3507-410F-AD8B-F342DEB7C024@isc.org>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/QKGDC9RznWw9jWenNLGrVTnm9Fo>


> On 2 May 2025, at 02:04, Paul Hoffman <paul.hoffman@icann.org> wrote:
> 
> On Apr 30, 2025, at 17:59, Mark Andrews <marka@isc.org> wrote:
>> 
>>> On 1 May 2025, at 03:34, Paul Hoffman <paul.hoffman@icann.org> wrote:
>>> 
>>> On Apr 30, 2025, at 10:21, Ted Lemon <mellon@fugue.com> wrote:
>>>> 
>>>> The reason to do an insecure delegation is so that the public dns doesn’t securely deny the existence of the zone. If there is a secure denial of existence, a validating stub resolver will not use responses from the local resolver because they will be bogus.
>>> 
>>> This seems to be talking about a validating stub resolver that is configured to also get answers from a particular recursive resolver, yes?
>>> 
>>> 1) Wouldn't the stub get two conflicting NS records for .internal, one from the root itself and the other from the recursive? All attempts for lookups would have a 50% chance of going to the blackhole nameserver.
>> 
>> No. The delegating NS records in the root zone are NOT signed.  
> 
> The latter is true, but that doesn't explain the "No". If a stub resolver gets an NS record from an authoritative source (in this case, the root zone), and it gets a second NS record from a trusted source (in this case, its configured resolver), why wouldn't it use both of those records? I see nothing in any of the DNS standards that says it should not, but I might be missing something.

Recursive servers don’t merge RRsets.  Stub resolvers don’t merge RRsets and even if they did they don’t make iterative queries.  Also if the recursive server is properly configured to know about a private internal zone it will only return answers from that source for internal names sans the DS query response.

>>> 2) Wouldn't having an insecure delegation in the root prevent the recursive from signing .internal itself because the root responds with an NSEC proving there cannot be a DS?
>> 
>> It doesn’t prevent them signing the stub .internal zone.  It prevents the validator from validating responses from .internal as secure.
> 
> Yes, that's better wording. So by having an insecure delegation in the root zone, the validating stub resolver will always see what the resolver has for that zone as insecure.
> 
>> Note there is no point in signing the public .internal instance the same way as we don’t sign the public 10.in-addr.arpa instances.
> 
> That may be your preferred security policy, but others might want to have a policy of signing all records they create. I see nothing in our standards that says that cannot or should not sign zones that they create out of thin air.

Did I say one can’t sign the private copy of .internal?  I said there is no point in signing the PUBLIC version of .internal.  If you want to sign the private copy of .internal and distribute trust anchors for it go ahead.  Note there is no protocol for distributing trust anchors so the BYO devices won’t get DNSSEC validation without manual intervention.

>>> Again, I could be missing something, but it seems that both of those would hurt the validating stub resolver. A validating stub resolver could instead easily be configured with the trust anchor for the recursive resolver it is configured for.
>> 
>> Recursive resolvers don’t have trust anchors.  Domain names have trust anchors.  And no it isn’t easy to setup different trust anchor based on location.  We have no protocol for it.  Devices move between sites.
> 
> A recursive resolver might have a trust anchor for zones that it creates from thin air. "isn't easy" is not the same as "prohibited", and some organizations might want validating stub resolvers to validate all those zones. I understand this is not your security model, but unless we have standards saying that such a model is prohibited, I don't think you should be imposing that on others.

Paul, you said "A validating stub resolver could instead easily be configured with the trust anchor for the recursive resolver it is configured for."  which I answered.  You seem to be arguing about "A validating stub resolver could instead easily be configured with the trust anchors that the recursive resolver it is using has been configured for."  That is a different question.  If you have full control over the stub resolver and the recursive server then yes.  If you don’t have full control, as with BYO devices, no.

I don’t know what this has to do with deciding if there should be an insecure delegation for .internal.


> --Paul Hoffman


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
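As an added illustration (not code from the thread, nor from any resolver), the following Python model approximates the RFC 4035 security status a validating stub assigns to an answer for a name under "internal." in the three cases argued above: no delegation in the root (secure denial of existence), an insecure delegation (NS without DS), and a privately distributed trust anchor for "internal.". The `RootZone` and `security_status` names are assumptions of this example.

```python
"""Constructed model of a validating stub's outcome for names under 'internal.'.

Assumes the stub holds the root trust anchor (".") and optionally a private
anchor for "internal." distributed out of band, as the thread discusses.
"""
from dataclasses import dataclass

SECURE, INSECURE, BOGUS, INDETERMINATE = "Secure", "Insecure", "Bogus", "Indeterminate"


@dataclass(frozen=True)
class RootZone:
    """What the signed root publishes for the label 'internal' (constructed)."""
    ns_delegation: bool  # unsigned NS RRset present -> a delegation exists
    ds_record: bool      # signed DS RRset present   -> the delegation is secure


def security_status(root: RootZone, trust_anchors: set, answer_signed: bool) -> str:
    """Security status of an answer for a name under internal. (RFC 4035 sec 4.3)."""
    # 1. The closest enclosing trust anchor is used. A private anchor for
    #    "internal." makes the root's view of that name irrelevant, and the
    #    private copy of the zone is then expected to be signed.
    if "internal." in trust_anchors:
        return SECURE if answer_signed else BOGUS
    # 2. Without any applicable anchor nothing can be validated.
    if "." not in trust_anchors:
        return INDETERMINATE
    # 3. No delegation at all: the root's signed NSEC proves internal. does not
    #    exist, so an answer from the local resolver contradicts a secure
    #    denial of existence and is bogus (Ted's point in the thread).
    if not root.ns_delegation:
        return BOGUS
    # 4. Delegation but no DS: the signed NSEC proves there is no DS, the chain
    #    of trust stops at the root, and the answer is insecure whether or not
    #    the private copy is signed (Mark's "no point signing the public copy").
    if not root.ds_record:
        return INSECURE
    # 5. Secure delegation: the answer must validate through the DS chain.
    return SECURE if answer_signed else BOGUS


def thread_scenarios() -> dict:
    """The cases discussed in the thread, with the root anchor only."""
    return {
        "no delegation, unsigned local answer": security_status(RootZone(False, False), {"."}, False),
        "insecure delegation, unsigned local answer": security_status(RootZone(True, False), {"."}, False),
        "insecure delegation, signed local answer": security_status(RootZone(True, False), {"."}, True),
        "insecure delegation + private anchor, signed": security_status(RootZone(True, False), {".", "internal."}, True),
    }
```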