IETF Logo Mail Archive

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

Mark Andrews <marka@isc.org> Wed, 19 October 2016 19:10 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECF301295E9 for <dnsop@ietfa.amsl.com>; Wed, 19 Oct 2016 12:10:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.332
X-Spam-Level:
X-Spam-Status: No, score=-7.332 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 05WVtYCF2ddd for <dnsop@ietfa.amsl.com>; Wed, 19 Oct 2016 12:10:52 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3BE361295DE for <dnsop@ietf.org>; Wed, 19 Oct 2016 12:10:52 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 7F79B3493D1; Wed, 19 Oct 2016 19:10:50 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 4FD53160042; Wed, 19 Oct 2016 19:10:50 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 3219416005C; Wed, 19 Oct 2016 19:10:50 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id lAgy8V7DF8ON; Wed, 19 Oct 2016 19:10:50 +0000 (UTC)
Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id DEC37160042; Wed, 19 Oct 2016 19:10:49 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 5325956F599C; Thu, 20 Oct 2016 06:10:47 +1100 (EST)
To: John Levine <johnl@taugh.com>
From: Mark Andrews <marka@isc.org>
References: <20161019140954.31332.qmail@ary.lan>
In-reply-to: Your message of "19 Oct 2016 14:09:54 -0000." <20161019140954.31332.qmail@ary.lan>
Date: Thu, 20 Oct 2016 06:10:47 +1100
Message-Id: <20161019191047.5325956F599C@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Rxca3yeLkWwQhhYL2ATC7fkODQ4>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Oct 2016 19:10:54 -0000

In message <20161019140954.31332.qmail@ary.lan>, "John Levine" writes:
> >You may not care that validating stub resolvers that ask for
> >example.local get back answers that can be validated as NXDOMAIN
> >without leaking queries to the root but I do.  Just adding the zone
> >locally without having the insecure delegation results in just that
> >condition.
> 
> It just occurred to me that we seem to disagree about what problem
> we're solving here.
> 
> If we see a DNS query for .local or .onion, an application is trying
> to use mDNS or Tor on a machine that doesn't implement them.  On
> machines that do implement mDNS and Tor, neither does DNSSEC
> signatures, so there is no reason to provide answers that the
> application is not looking for.
> 
> So a cache stub that provides unsigned answers to .local and .onion
> queries is just fine.  If the client treats that as SERVFAIL or
> whatever it does with unverified answers, that's fine too.

SERVFAIL is a temporary error.
NXDOMAIN is a permanent error which is cachable.

SERVFAIL is not "fine".

> R's,
> John
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email