IETF Logo Mail Archive

Re: [DNSOP] on private use TLDS

Joe Abley <jabley@hopcount.ca> Thu, 28 November 2019 23:58 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE9EB120108 for <dnsop@ietfa.amsl.com>; Thu, 28 Nov 2019 15:58:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.995
X-Spam-Level:
X-Spam-Status: No, score=-1.995 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, WEIRD_PORT=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopcount.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y1IaurZhNrNw for <dnsop@ietfa.amsl.com>; Thu, 28 Nov 2019 15:58:15 -0800 (PST)
Received: from mail-qt1-x82e.google.com (mail-qt1-x82e.google.com [IPv6:2607:f8b0:4864:20::82e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84D431200C1 for <dnsop@ietf.org>; Thu, 28 Nov 2019 15:58:15 -0800 (PST)
Received: by mail-qt1-x82e.google.com with SMTP id w47so26574116qtk.4 for <dnsop@ietf.org>; Thu, 28 Nov 2019 15:58:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=date:from:to:message-id:in-reply-to:references:subject:mime-version; bh=xQyHpoGuZaosq4JaKfAY+GZfKONF6AVFH/Zp4ynyWb8=; b=BWIkemgANLR+AQAnYjT8zWLApN30c5FdFsFgqzHeiY4dK5pX+kB2Ldud5pyIP0p+L+ SWMKT22sEkb3AIRqNXL0T2Ibix9EyA5juY8Z+WEa8YmvU0121aiaUDLlwIPTXSIO0Wbe GFFjk7VqoqIwIlmD56Rh2ayAlzlU/FmMPfSE0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:message-id:in-reply-to:references :subject:mime-version; bh=xQyHpoGuZaosq4JaKfAY+GZfKONF6AVFH/Zp4ynyWb8=; b=MlgAplHZXnREtj7NSwM+uShEZczv7N2Ah3Rkgn6G/RXfSBJ3yJwZ+1ERSSl4zuInfG dv/GhaHD8DxUfdWCVlIc4I6TIzIL8hCOgJNXMr2+wL7Y3yWNWMGb8pqcOgCPkfG+Z9b/ dzq7KAqM4ShfnPU5mwChm3W2JGX/qJB52FdWkCP0xBQlpxjc0kBE163ACJPoM+QMt2d6 /L0obMNDmtI4TbBhNemm0cCiMUaEsvi6nmpQfX9AjPkL552ZF/DQYGqOAQ0K6RyUD+d1 56wjakjce0zNJAVOXN9l1aaFD5NNLJVgB5JN4rnbViBLQkDTZxPjMd4U1s0FU02n3SlY HcZA==
X-Gm-Message-State: APjAAAV73Dxnby3ZqnGWzNpuoTQV4GSfeBqPAmbtyva+Ng9jWSDCI/9H haagv3wA0V7uc5D8H8R6kavEj4EEe3f53bIU
X-Google-Smtp-Source: APXvYqwb0+B2ZL5PadW2p7vzAbQf9O91U6qPRpign37vcZvTMbz1u4Xbf2XKF42egtAR+XhqGrCsPw==
X-Received: by 2002:aed:3bf8:: with SMTP id s53mr33092472qte.373.1574985494125; Thu, 28 Nov 2019 15:58:14 -0800 (PST)
Received: from [2607:f2c0:e784:350b:d039:bc06:70:0] ([2607:f2c0:e784:350b:5052:4fd:6fd4:1d5]) by smtp.gmail.com with ESMTPSA id i35sm10516801qtc.18.2019.11.28.15.58.12 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 28 Nov 2019 15:58:13 -0800 (PST)
Date: Thu, 28 Nov 2019 18:58:11 -0500
From: Joe Abley <jabley@hopcount.ca>
To: dnsop@ietf.org, Doug Barton <dougb@dougbarton.us>
Message-ID: <527bc48f-b739-4de4-85b7-1d5ea7746829@Canary>
In-Reply-To: <97b59027-2a25-d44f-c9b4-d1287cc211c1@dougbarton.us>
References: <20191128165507.2A60BFDF451@ary.qy> <fb307c7a-348a-03d3-3d8e-8e683cec603d@dougbarton.us> <73256f09-8083-4b36-ad1e-f82f382a0b9c@Canary> <97b59027-2a25-d44f-c9b4-d1287cc211c1@dougbarton.us>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="5de05f14_41a7c4c9_88cd"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Rmzq8CUInlU-H6OXnV-AaPatzgs>
Subject: Re: [DNSOP] on private use TLDS
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Nov 2019 23:58:19 -0000

Hi Doug,

I appreciate the response and I don't doubt your experience, but I do think there is some value in a more robust study around some of these questions. Really the prevalence of no-doubt well-informed but largely unsubstantiated opinions (to the level of detail that I was trying to infer) is what I am arguing we need to do better than.

Joe

> On Thursday, Nov 28, 2019 at 17:52, Doug Barton <dougb@dougbarton.us (mailto:dougb@dougbarton.us)> wrote:
> On 11/28/19 2:20 PM, Joe Abley wrote:
> > Hi Doug,
> >
> > I am not suggesting that you are wrong in your final paragraph, and I am
> > not philosophically opposed to reserving a label in the root zone for
> > private use, somehow analogously to RFC1918, but I think it's worth
> > challenging how obvious this really is. (Yours is just a convenient hook
> > to hang this reply to; it's not really directed just at you.)
>
> No worries, but thanks for clarifying. :) (And thanks for your well
> thought out questions as well.)
>
> > I do think the semantic meaning of the label is worth thinking about,
> > and I am wary of particular scripts or languages being chosen
> > arbitrarily. I realise "internal" and "private" are sensible labels to
> > use for this kind of thing if you are English-speaking and used to
> > reading Latin script; I don't know that it's reasonable not to care that
> > they might not be sensible in other contexts. This to me is a much more
> > important conversation than bikeshedding about what regulatory agency
> > has said what about what.
>
> heh, it's funny you mention that. I actually considered raising that in
> my first post, but decided to get over the hump of "let's do this"
> first. I agree that we need to consider this issue. I think the obvious
> choice would be to pick a word that has meaning in private space but no
> value in public, then document several language's worth of it, along
> with guidance not to delegate other translations of the word. This would
> also solve the issue raised previously that "sometimes you need more
> than one."
>
> > It's also perhaps worth mentioning that the mechanics of how to
> > provision (or not provision) such a name with regard to DNSSEC
> > validation by various elements of the wider ecosystem have been a matter
> > of some debate in other venues. I doubt that dnsop is immune to that. I
> > won't fulfill that expectation by saying more in this message. :-)
>
> Agreed, but having names documented for this purpose will make the
> DNSSEC bits easier, not harder.
>
> > So, on the subject of how obvious it is that we need to reserve a
> > top-level label for private namespaces,
> >
> > - has the advice to anchor a private namespace in a registered domain in
> > the private namespace really been received and judged to be
> > insufficient?
>
> Yes.
>
> > Or has it just not been received? Could such advice be
> > delivered in a more effective way?
>
> The market has rejected this advice. I could bore you with examples and
> reasoning, but I have never worked with a client in an enterprise larger
> than a taco stand that didn't have at least one private domains set up.
>
> It's fair to ask the question of do we need it, and it's also fair to
> document answers to most/all of the questions you've raised as part of
> the process. But given how things are in the real world, this is
> something that needs to happen.
>
> > - does the growth in observed query traffic for names with non-existant
> > top-level labels really support the idea that squatting on arbitrary
> > undelegated TLDs is on the rise? Is it possible there are other effects?
> > Have we normalised the observed growth against other known causes of
> > growth? If this phenomenon is actually becoming less common, does it
> > need a solution beyond "wait"?
>
> In my experience the practice is so ubiquitous that while these
> questions are good in the abstract, spending time on them would be a
> waste of effort. That said, ICANN's name collision work is relevant
> here, and I encourage anyone with interest in the topic to review that
> at length. It was really well done, and well documented to boot.
>
> > - what are the possible negative effects of providing a TLD label for
> > use in private namespaces? We know that in the addressing realm, RFC
> > 1918 and similar private-use addresses lead to collisions during M&A,
> > interconnections, etc. Perhaps these are reasonable trade-offs for
> > addresses. Is the same true for names?
>
> This is a good question to address, although the collision risk for
> non-common names in a private TLD is lower than the risk of collisions
> of integers. Two orgs using PRIV might each have a www, but if one of
> them has a naming convention of host-rack-floor.priv for their data
> centers, that's not likely to collide.
>
> That said, the commonly chosen names already have a non-trivial risk for
> collisions. The marginal risk of codifying a set of examples is in the
> noise.
>
> > - does promoting a single anchor for private namespaces concentrate
> > traffic that leaks from those internal contexts to the Internet's DNS?
> > If the leakage of queries that are intended to be private represents a
> > security concern, does the concentration of targets for that traffic on
> > the Internet make the security concern worse?
>
> I don't see how we could make this worse. If you look at ICANN's name
> collision work, the results are already concentrated in CORP, HOME, and
> MAIL, which is why they were indefinitely-but-maybe-not-forever taken
> out of the new gTLD program.
>
> > For the record, I don't personally see any enormous harm from
> > standardising something like Warren's ".internal" (or Roy's ".zzz", to
> > make it clear that I'm not talking about the specific label). But I do
> > think questions like the ones I mentioned are worth putting some effort
> > into answering.
> >
> > Perhaps I've missed some elegant and robust analysis, but to date all
> > I've seen is "nobody likes the advice to register MYCO.COM
> > <http://MYCO.COM> and use that, so obviously we need to do something".
> > If that's really where we are, it seems like it would be comforting to
> > be able to say so more convincingly.
>
> I think the massive volume of queries for non-delegated TLDs hitting the
> roots already makes that case, doesn't it? We know that this is, at
> least, incredibly common; and in my experience nearly ubiquitous. I do
> agree that we should make sure that we're not making anything worse by
> doing it, but the existence of the demand cannot be more obvious.
>
> Doug
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email