Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?
Warren Kumari <warren@kumari.net> Tue, 18 October 2016 20:54 UTC
Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DCD112987F for <dnsop@ietfa.amsl.com>; Tue, 18 Oct 2016 13:54:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qkTpU1o2SIMF for <dnsop@ietfa.amsl.com>; Tue, 18 Oct 2016 13:54:03 -0700 (PDT)
Received: from mail-qk0-x234.google.com (mail-qk0-x234.google.com [IPv6:2607:f8b0:400d:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B36712985C for <dnsop@ietf.org>; Tue, 18 Oct 2016 13:54:03 -0700 (PDT)
Received: by mail-qk0-x234.google.com with SMTP id f128so7867519qkb.1 for <dnsop@ietf.org>; Tue, 18 Oct 2016 13:54:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ibIFAFUi7gLZD+NRbQfIFgSsmk8EkDU0OTGcbDWPgGU=; b=UXUYOyjgzCkJOUEPEPgMDN+zJjrME2kBonJB2G22lX+CJr+a5wBgMAK35F3SrrPZPk zAN7pn+k2h5nkytDVa4M5EUv2H6piReEN3+rHED/HkUegub/PwYYj2E7Jqg2DeSsEQJi intQX5LEPZJm9FzEHluBW7z8fA746dlIf1LvvsKvNArmNyGGzAUbPOeXuIT7Xw+ZwZX7 4R1TLye36QiA71+s9ufxKhufIbxx0B9OLuFuzzpOuyHDM1bzVig19/tzgu0jiTYV9UZz moTA6xJyEx/oi7vyUlweHu1ZIH3axcar7gMvCUWZEiN04i5fG37H2SgV1vYkNkqCeMpX YbLw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ibIFAFUi7gLZD+NRbQfIFgSsmk8EkDU0OTGcbDWPgGU=; b=cpxvMwTWWzFUlGqJAMUQ8QiuJ9tYkvxIZtsKyKXpsPzeH9UaQXz1YZOC+5p+52piX9 tlSZ+18mOMDPqwgxL21SL3csEqvVp3COIEbKUZFt7yJBci9VWFEstgyO2uk9fBykuTzu OzgX06v+FIgXOVVOi2TptN2ochI6UfqICjsmKI2UQkTKXvrRfH6AMdcXzl/HxVLX3FAr +++tQqiUdg3OA2v1d62Se7p24oRbdGI4mcZR50Bog41EgXSQcv3RLpNyWtS3gqOmYLVC 3Kzhc29QM3PVKdd8r3u3MfSygbRB3wpNxsipPaJD5hBqoOSjGoTmVsJc/ZelpfBe8V0s MDWw==
X-Gm-Message-State: AA6/9RnFqhDBpk5YBIKVPl/gY+FyiYuv8oDGUoCtbEeZJQgw8PirpgvQF+dP05JncQ8/0c2/dpcs/mhm8/HUQEwo
X-Received: by 10.233.237.145 with SMTP id c139mr2475871qkg.29.1476824042357; Tue, 18 Oct 2016 13:54:02 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.55.147.196 with HTTP; Tue, 18 Oct 2016 13:53:31 -0700 (PDT)
In-Reply-To: <alpine.LRH.2.20.1610141002540.16905@bofh.nohats.ca>
References: <20161014133135.2n3wuh2n5sb3jqt7@nic.fr> <alpine.LRH.2.20.1610141002540.16905@bofh.nohats.ca>
From: Warren Kumari <warren@kumari.net>
Date: Tue, 18 Oct 2016 16:53:31 -0400
Message-ID: <CAHw9_iJsEuC5W6M9RjRdzLLPgtvX_gmgTT7JK7YgFa99Ai7ugQ@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/R38BjRlgdJm2hbJF-TerEIaseNg>
Cc: dnsop <dnsop@ietf.org>, "as112-ops@dns-oarc.net" <as112-ops@dns-oarc.net>
Subject: Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2016 20:54:05 -0000
On Fri, Oct 14, 2016 at 10:04 AM, Paul Wouters <paul@nohats.ca> wrote: > On Fri, 14 Oct 2016, Stephane Bortzmeyer wrote: > >> draft-bortzmeyer-dname-root >> >> <https://datatracker.ietf.org/doc/draft-bortzmeyer-dname-root/?include_text=1>, >> which proposes to "sink" special-use TLD (may be you've heard of RFC >> 6761 "special use domain names"?) using AS 112, will expire soon. From >> the discussions, the two biggest issues were the "governance" >> difficulties (adding DNAME records in the root...) and the privacy >> issues (sending .local requests to random AS 112 operators). >> >> It seems there is not enough interest for this work, so I was thinking >> of just documenting the current state of the discussion, in case other >> people rediscover the problem. May be an individual RFC? > > > This is tricky. We want DNS resolvers to not send these onto the > internet. But by adding delegations in the root to AS112, aren't > we making it more likely that the queries leak further onto the net? So, back in ~Feb 2014 we had very similar discussion about ALT-TLD, AS112 delegations and DNAME. Initially the ALT-TLD document (https://datatracker.ietf.org/doc/draft-ietf-dnsop-alt-tld/) had .alt being delegated to "new style" AS112 nameservers, but Joe Abley pointed out that this would be a lame delegation. We also discussed using DNAME, but the general view seemed to be that getting this deployed in the root would be an uphill battle; much of this discussion was happening during the new gTLDs process , "the variants problem", bundling, etc. There is also a big difference between "reserving" something and actually getting it delegated, even for a "null" answer. The consensus seemed the be that adding things like .alt to the RFC6303 ( "Locally Served DNS Zones") registry was sufficient. I think that the consensus was correct -- RFC6303 zones come baked into most authoritative resolver packages, and the time to upgrade the majority of "served users" isn't that long (especially if you get this into the registry shortly before a large CVE :-P). Anything which isn't caught by Locally Served Zones simply flows upwards till it hits the root -- which is already handling this garbage anyway... So, back to Stephane's original question -- I think that documenting the current state is useful, or we will have this discussion all over again in a few months.... Below is the .ALT IANA considerations, and extracts of the 6761 "questions": 4. IANA Considerations The IANA is requested to add the ALT string to the "Special-Use Domain Name" registry ([RFC6761], and reference this document. In addition, the "Locally Served DNS Zones" ([RFC6303]) registry should be updated to reference this document. 4.1. Domain Name Reservation Considerations This section is to satisfy the requirement in Section 5 of RFC6761. [SNIP] 4. Caching DNS servers SHOULD recognize these names as special and SHOULD NOT, by default, attempt to look up NS records for them, or otherwise query authoritative DNS servers in an attempt to resolve these names. Instead, caching DNS servers SHOULD generate immediate negative responses for all such queries. 5. Authoritative DNS servers SHOULD recognize these names as special and SHOULD, by default, generate immediate negative responses for all such queries, unless explicitly configured by the administrator to give positive answers for private-address reverse-mapping names. 6. DNS server operators SHOULD be aware that queries for names ending in .alt are not DNS names, and were leaked into the DNS context (for example, by a missing browser plugin). This information may be useful for support or debugging purposes. > > Paul > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
- [DNSOP] Future of "Using DNAME in the DNS root zo… Stephane Bortzmeyer
- Re: [DNSOP] Future of "Using DNAME in the DNS roo… Paul Wouters
- Re: [DNSOP] Future of "Using DNAME in the DNS roo… Stephane Bortzmeyer
- Re: [DNSOP] Future of "Using DNAME in the DNS roo… John Levine
- Re: [DNSOP] Future of "Using DNAME in the DNS roo… Paul Wouters
- Re: [DNSOP] Future of "Using DNAME in the DNS roo… Mark Andrews
- Re: [DNSOP] Future of "Using DNAME in the DNS roo… Brian Dickson
- Re: [DNSOP] Future of "Using DNAME in the DNS roo… Bob Harold
- Re: [DNSOP] Future of "Using DNAME in the DNS roo… Stephane Bortzmeyer
- Re: [DNSOP] Future of "Using DNAME in the DNS roo… John Levine
- Re: [DNSOP] Future of "Using DNAME in the DNS roo… Warren Kumari
- Re: [DNSOP] Future of "Using DNAME in the DNS roo… Mark Andrews
- Re: [DNSOP] Future of "Using DNAME in the DNS roo… John R Levine
- Re: [DNSOP] Future of "Using DNAME in the DNS roo… Mark Andrews
- Re: [DNSOP] Future of "Using DNAME in the DNS roo… John R Levine
- Re: [DNSOP] Future of "Using DNAME in the DNS roo… George Michaelson
- Re: [DNSOP] Future of "Using DNAME in the DNS roo… Mark Andrews
- Re: [DNSOP] Future of "Using DNAME in the DNS roo… George Michaelson
- Re: [DNSOP] Future of "Using DNAME in the DNS roo… Mark Andrews
- Re: [DNSOP] Future of "Using DNAME in the DNS roo… Brian Dickson
- Re: [DNSOP] [as112-ops] Future of "Using DNAME in… Aleksi Suhonen
- Re: [DNSOP] Future of "Using DNAME in the DNS roo… John Levine
- Re: [DNSOP] Future of "Using DNAME in the DNS roo… John Levine
- Re: [DNSOP] Future of "Using DNAME in the DNS roo… Mark Andrews
- Re: [DNSOP] Future of "Using DNAME in the DNS roo… John R Levine
- Re: [DNSOP] Future of "Using DNAME in the DNS roo… Mark Andrews
- Re: [DNSOP] Future of "Using DNAME in the DNS roo… John R Levine