Re: [DNSOP] on private use TLDS
Joe Abley <jabley@hopcount.ca> Thu, 28 November 2019 23:58 UTC
Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE9EB120108 for <dnsop@ietfa.amsl.com>; Thu, 28 Nov 2019 15:58:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.995
X-Spam-Level:
X-Spam-Status: No, score=-1.995 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, WEIRD_PORT=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopcount.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y1IaurZhNrNw for <dnsop@ietfa.amsl.com>; Thu, 28 Nov 2019 15:58:15 -0800 (PST)
Received: from mail-qt1-x82e.google.com (mail-qt1-x82e.google.com [IPv6:2607:f8b0:4864:20::82e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84D431200C1 for <dnsop@ietf.org>; Thu, 28 Nov 2019 15:58:15 -0800 (PST)
Received: by mail-qt1-x82e.google.com with SMTP id w47so26574116qtk.4 for <dnsop@ietf.org>; Thu, 28 Nov 2019 15:58:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=date:from:to:message-id:in-reply-to:references:subject:mime-version; bh=xQyHpoGuZaosq4JaKfAY+GZfKONF6AVFH/Zp4ynyWb8=; b=BWIkemgANLR+AQAnYjT8zWLApN30c5FdFsFgqzHeiY4dK5pX+kB2Ldud5pyIP0p+L+ SWMKT22sEkb3AIRqNXL0T2Ibix9EyA5juY8Z+WEa8YmvU0121aiaUDLlwIPTXSIO0Wbe GFFjk7VqoqIwIlmD56Rh2ayAlzlU/FmMPfSE0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:message-id:in-reply-to:references :subject:mime-version; bh=xQyHpoGuZaosq4JaKfAY+GZfKONF6AVFH/Zp4ynyWb8=; b=MlgAplHZXnREtj7NSwM+uShEZczv7N2Ah3Rkgn6G/RXfSBJ3yJwZ+1ERSSl4zuInfG dv/GhaHD8DxUfdWCVlIc4I6TIzIL8hCOgJNXMr2+wL7Y3yWNWMGb8pqcOgCPkfG+Z9b/ dzq7KAqM4ShfnPU5mwChm3W2JGX/qJB52FdWkCP0xBQlpxjc0kBE163ACJPoM+QMt2d6 /L0obMNDmtI4TbBhNemm0cCiMUaEsvi6nmpQfX9AjPkL552ZF/DQYGqOAQ0K6RyUD+d1 56wjakjce0zNJAVOXN9l1aaFD5NNLJVgB5JN4rnbViBLQkDTZxPjMd4U1s0FU02n3SlY HcZA==
X-Gm-Message-State: APjAAAV73Dxnby3ZqnGWzNpuoTQV4GSfeBqPAmbtyva+Ng9jWSDCI/9H haagv3wA0V7uc5D8H8R6kavEj4EEe3f53bIU
X-Google-Smtp-Source: APXvYqwb0+B2ZL5PadW2p7vzAbQf9O91U6qPRpign37vcZvTMbz1u4Xbf2XKF42egtAR+XhqGrCsPw==
X-Received: by 2002:aed:3bf8:: with SMTP id s53mr33092472qte.373.1574985494125; Thu, 28 Nov 2019 15:58:14 -0800 (PST)
Received: from [2607:f2c0:e784:350b:d039:bc06:70:0] ([2607:f2c0:e784:350b:5052:4fd:6fd4:1d5]) by smtp.gmail.com with ESMTPSA id i35sm10516801qtc.18.2019.11.28.15.58.12 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 28 Nov 2019 15:58:13 -0800 (PST)
Date: Thu, 28 Nov 2019 18:58:11 -0500
From: Joe Abley <jabley@hopcount.ca>
To: dnsop@ietf.org, Doug Barton <dougb@dougbarton.us>
Message-ID: <527bc48f-b739-4de4-85b7-1d5ea7746829@Canary>
In-Reply-To: <97b59027-2a25-d44f-c9b4-d1287cc211c1@dougbarton.us>
References: <20191128165507.2A60BFDF451@ary.qy> <fb307c7a-348a-03d3-3d8e-8e683cec603d@dougbarton.us> <73256f09-8083-4b36-ad1e-f82f382a0b9c@Canary> <97b59027-2a25-d44f-c9b4-d1287cc211c1@dougbarton.us>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="5de05f14_41a7c4c9_88cd"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Rmzq8CUInlU-H6OXnV-AaPatzgs>
Subject: Re: [DNSOP] on private use TLDS
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Nov 2019 23:58:19 -0000
Hi Doug, I appreciate the response and I don't doubt your experience, but I do think there is some value in a more robust study around some of these questions. Really the prevalence of no-doubt well-informed but largely unsubstantiated opinions (to the level of detail that I was trying to infer) is what I am arguing we need to do better than. Joe > On Thursday, Nov 28, 2019 at 17:52, Doug Barton <dougb@dougbarton.us (mailto:dougb@dougbarton.us)> wrote: > On 11/28/19 2:20 PM, Joe Abley wrote: > > Hi Doug, > > > > I am not suggesting that you are wrong in your final paragraph, and I am > > not philosophically opposed to reserving a label in the root zone for > > private use, somehow analogously to RFC1918, but I think it's worth > > challenging how obvious this really is. (Yours is just a convenient hook > > to hang this reply to; it's not really directed just at you.) > > No worries, but thanks for clarifying. :) (And thanks for your well > thought out questions as well.) > > > I do think the semantic meaning of the label is worth thinking about, > > and I am wary of particular scripts or languages being chosen > > arbitrarily. I realise "internal" and "private" are sensible labels to > > use for this kind of thing if you are English-speaking and used to > > reading Latin script; I don't know that it's reasonable not to care that > > they might not be sensible in other contexts. This to me is a much more > > important conversation than bikeshedding about what regulatory agency > > has said what about what. > > heh, it's funny you mention that. I actually considered raising that in > my first post, but decided to get over the hump of "let's do this" > first. I agree that we need to consider this issue. I think the obvious > choice would be to pick a word that has meaning in private space but no > value in public, then document several language's worth of it, along > with guidance not to delegate other translations of the word. This would > also solve the issue raised previously that "sometimes you need more > than one." > > > It's also perhaps worth mentioning that the mechanics of how to > > provision (or not provision) such a name with regard to DNSSEC > > validation by various elements of the wider ecosystem have been a matter > > of some debate in other venues. I doubt that dnsop is immune to that. I > > won't fulfill that expectation by saying more in this message. :-) > > Agreed, but having names documented for this purpose will make the > DNSSEC bits easier, not harder. > > > So, on the subject of how obvious it is that we need to reserve a > > top-level label for private namespaces, > > > > - has the advice to anchor a private namespace in a registered domain in > > the private namespace really been received and judged to be > > insufficient? > > Yes. > > > Or has it just not been received? Could such advice be > > delivered in a more effective way? > > The market has rejected this advice. I could bore you with examples and > reasoning, but I have never worked with a client in an enterprise larger > than a taco stand that didn't have at least one private domains set up. > > It's fair to ask the question of do we need it, and it's also fair to > document answers to most/all of the questions you've raised as part of > the process. But given how things are in the real world, this is > something that needs to happen. > > > - does the growth in observed query traffic for names with non-existant > > top-level labels really support the idea that squatting on arbitrary > > undelegated TLDs is on the rise? Is it possible there are other effects? > > Have we normalised the observed growth against other known causes of > > growth? If this phenomenon is actually becoming less common, does it > > need a solution beyond "wait"? > > In my experience the practice is so ubiquitous that while these > questions are good in the abstract, spending time on them would be a > waste of effort. That said, ICANN's name collision work is relevant > here, and I encourage anyone with interest in the topic to review that > at length. It was really well done, and well documented to boot. > > > - what are the possible negative effects of providing a TLD label for > > use in private namespaces? We know that in the addressing realm, RFC > > 1918 and similar private-use addresses lead to collisions during M&A, > > interconnections, etc. Perhaps these are reasonable trade-offs for > > addresses. Is the same true for names? > > This is a good question to address, although the collision risk for > non-common names in a private TLD is lower than the risk of collisions > of integers. Two orgs using PRIV might each have a www, but if one of > them has a naming convention of host-rack-floor.priv for their data > centers, that's not likely to collide. > > That said, the commonly chosen names already have a non-trivial risk for > collisions. The marginal risk of codifying a set of examples is in the > noise. > > > - does promoting a single anchor for private namespaces concentrate > > traffic that leaks from those internal contexts to the Internet's DNS? > > If the leakage of queries that are intended to be private represents a > > security concern, does the concentration of targets for that traffic on > > the Internet make the security concern worse? > > I don't see how we could make this worse. If you look at ICANN's name > collision work, the results are already concentrated in CORP, HOME, and > MAIL, which is why they were indefinitely-but-maybe-not-forever taken > out of the new gTLD program. > > > For the record, I don't personally see any enormous harm from > > standardising something like Warren's ".internal" (or Roy's ".zzz", to > > make it clear that I'm not talking about the specific label). But I do > > think questions like the ones I mentioned are worth putting some effort > > into answering. > > > > Perhaps I've missed some elegant and robust analysis, but to date all > > I've seen is "nobody likes the advice to register MYCO.COM > > <http://MYCO.COM> and use that, so obviously we need to do something". > > If that's really where we are, it seems like it would be comforting to > > be able to say so more convincingly. > > I think the massive volume of queries for non-delegated TLDs hitting the > roots already makes that case, doesn't it? We know that this is, at > least, incredibly common; and in my experience nearly ubiquitous. I do > agree that we should make sure that we're not making anything worse by > doing it, but the existence of the demand cannot be more obvious. > > Doug > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop
- [DNSOP] on private use TLDS Roy Arends
- Re: [DNSOP] on private use TLDS Jim Reid
- Re: [DNSOP] on private use TLDS Bill Woodcock
- Re: [DNSOP] on private use TLDS Ted Lemon
- Re: [DNSOP] on private use TLDS David Conrad
- Re: [DNSOP] on private use TLDS Matthew Pounsett
- Re: [DNSOP] [Ext] on private use TLDS Paul Hoffman
- Re: [DNSOP] [Ext] on private use TLDS Matthew Pounsett
- Re: [DNSOP] [Ext] on private use TLDS Brian Dickson
- Re: [DNSOP] [Ext] on private use TLDS Paul Hoffman
- Re: [DNSOP] [Ext] on private use TLDS Petr Špaček
- Re: [DNSOP] on private use TLDS Doug Barton
- Re: [DNSOP] on private use TLDS Ted Lemon
- Re: [DNSOP] on private use TLDS John Levine
- Re: [DNSOP] on private use TLDS Joe Abley
- Re: [DNSOP] on private use TLDS Paul Vixie
- Re: [DNSOP] on private use TLDS Doug Barton
- Re: [DNSOP] on private use TLDS Doug Barton
- Re: [DNSOP] [Ext] on private use TLDS Paul Hoffman
- Re: [DNSOP] on private use TLDS Joe Abley
- Re: [DNSOP] [Ext] on private use TLDS Doug Barton
- Re: [DNSOP] on private use TLDS Roy Arends
- Re: [DNSOP] on private use TLDS Doug Barton
- Re: [DNSOP] on private use TLDS Doug Barton
- Re: [DNSOP] on private use TLDS Joe Abley
- Re: [DNSOP] on private use TLDS Doug Barton
- Re: [DNSOP] on private use TLDS John R Levine
- Re: [DNSOP] on private use TLDS John R Levine
- Re: [DNSOP] on private use TLDS Doug Barton
- Re: [DNSOP] on private use TLDS Doug Barton
- Re: [DNSOP] on private use TLDS Jaap Akkerhuis
- Re: [DNSOP] on private use TLDS Brian Dickson
- Re: [DNSOP] on private use TLDS Brian Dickson
- Re: [DNSOP] on private use TLDS David Conrad
- Re: [DNSOP] [Ext] on private use TLDS David Conrad