Re: [DNSOP] ALT-TLD and (insecure) delgations.

Brian Dickson <> Wed, 08 February 2017 23:05 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D931E12941D for <>; Wed, 8 Feb 2017 15:05:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Mr7kWfWp2Dd2 for <>; Wed, 8 Feb 2017 15:05:51 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4001:c06::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 5306712A0A5 for <>; Wed, 8 Feb 2017 15:05:51 -0800 (PST)
Received: by with SMTP id j18so3409544ioe.2 for <>; Wed, 08 Feb 2017 15:05:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=8mJNbQGtKJqlZyycQCuII7hYO1rf1f8cEmWn/INitjY=; b=o4IS215+wejOSmwFy5MGz+qC14Oi4LUg1OZC9XKF79569Rkz6Ag2F/bRuUm7co1BsX QshtvSYQnYCBbQ8RrNE85AYO9Yc77iSk1mnmMe4FJBXCmuKkSN8S7KIuYYtQW3Fj2mAR kt0de7jEXHkrXldsFQdF23uV/0vgE00I5yP7q4SVbFIDuvPw4mKTGv1P+sewABDKCa12 CM2as/hD8ITf8OzaiDXQ3goR2l29n5BMPLiV6yqcsJFARpLnr6Ya05SZAkfL/GymhYWm O628ORob7rrqk+5qxrv553LO6zdqGBTz+NnxDo2d3etIdLFyz+Ebk9F296oY4v/GEibq 3GQw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=8mJNbQGtKJqlZyycQCuII7hYO1rf1f8cEmWn/INitjY=; b=SlNIeVvU0W7w60fU6B6xTsXJ4R6H29llmOhGVYLxNBPa1BW5yWTSWNWOfE5CZ/+EIK sCmxUcwP2zn2vVtGvi1tw5HnzkHRl/Shjq6LjLpARuzmHOScSVJaBA2Jx9VSFJTDINFW bigCopgLPFgVFd18DmlIYhMOu/c6Hvm6idVEKaXtcNYTS+RlmW3yqsiGcOC+OX9lM3yD fPE4arWkNqujBCtUr9wf3C5jo0RjolRfmkLodvbVq/LlYIqH2Loo0vVnACYKPaoaQ9Rx Dn9KouK7lLFDcH2dGHNT1w5FJdStB9t1tol0SRxj4gBWfVCIeSqIjOYgryO7LUkkpfTj DZJQ==
X-Gm-Message-State: AMke39l3hoP41n0N2nHd/2KiRAedG8oS0oPnHrezZ6pZ/MecSJkNONcMhAqC8DYNaTGXpWJZpTNVcis2km69/g==
X-Received: by with SMTP id n98mr672507ioi.39.1486595150634; Wed, 08 Feb 2017 15:05:50 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Wed, 8 Feb 2017 15:05:49 -0800 (PST)
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
From: Brian Dickson <>
Date: Wed, 08 Feb 2017 15:05:49 -0800
Message-ID: <>
To: Mark Andrews <>
Content-Type: multipart/alternative; boundary="001a113ec5f4e0f12b05480ce78e"
Archived-At: <>
Cc: " WG" <>, Ted Lemon <>
Subject: Re: [DNSOP] ALT-TLD and (insecure) delgations.
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 08 Feb 2017 23:05:53 -0000

On Wed, Feb 8, 2017 at 2:41 PM, Mark Andrews <> wrote:

> In message <>, Ted Lemon
> writes:
> >
> > On Feb 8, 2017, at 3:30 PM, Mark Andrews <> wrote:
> > > And if the service has the same privacy issues as .onion has?
> > >
> > > So we leak names until every recursive server in the world is
> > > validating (what % is that today?) and supports agressive negative
> > > caching (still a I-D).
> >
> > I feel like I am arguing with a wall, so if this doesn't work I will just
> > give up.   But if it's okay for us to ask resolvers to make a chance, it
> > is okay for us to ask resolvers to make the right change.   And if they
> > don't, yes, it's possible that some queries will leak.   There is nothing
> > we can do to prevent that other than harden caching servers and stub
> > resolvers; if we are going to do that, we might as well do it right, by
> > caching the full proof of nonexistence, rather lying about what's in the
> > root zone.
> Actually we can do something that doesn't require that validation
> be enabled.  We don't have to create that linkage.  It's not like
> the names are not supposed to exist.  They do/will exist and not
> as in they are/will be squatted upon.

I'm confused here.

The point of ALT (and/or LCL if a 2nd draft is created), and ONION, is that
they exist ONLY within their own (local) scope, if they exist at all.

>From the viewpoint of the global DNS, they do not exist, and the point of
those I-Ds/RFCs is to enforce that non-existence, in the global scope.

My problem with what you are proposes, is that it removes the mechanism for
that enforcement.

Here's a thought - for any/all validating stubs, use CD=1 for names in the
set of "things that are meant to be local", and turn off validation of
That *should*, if I understand 4035's directives for CD=1, prevent
validation by the recursive resolver in use by the client, and will return
whatever answers are present, with or without DNSSEC records.

Or, perhaps the organizations that represent the requestor of the 6761
names, could establish something like a "distrust anchor" - a trust anchor
which is only to be used for signing negative assertions about the TLD
name, or assertions about its insecure status to enable local service of
the TLD name, and which can be published to the community, along with a
static DNS zone file to be served by the <name>-aware resolvers?

Again, just to reiterate, in the global root zone, and for any resolvers
which are not yet onion-aware, onion does not exist and must not exist.

For onion-aware resolvers, everything related to onion is just an
optimization; avoiding leakage for privacy reasons might be an issue for
some folks, but IMHO must not tread on the previous requirement - that
onion must not exist in the root, and must not appear to exist to any
onion-unaware resolvers.

If you want to find a way to fix that, without resulting in BOGUS or
SERVFAIL, there may be ways that aren't easy, but the one way not permitted
by the published RFCs is, an unsigned delegation in the root.

I'm not sure why you disagree with this, it is clear as day in the relevant


> Oh sorry, you can't have privacy unless you validate.  And only
> because people are too scared to ask for changes to the root
> zone to add a delegation.
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: