Re: [DNSOP] additional special names Fwd: I-D Action: draft-chapin-additional-reserved-tlds-00.txt
joel jaeggli <joelja@bogus.com> Mon, 03 March 2014 09:51 UTC
Message-ID: <531450A1.8010507@bogus.com>
Date: Mon, 03 Mar 2014 09:51:29 +0000
From: joel jaeggli <joelja@bogus.com>
To: Norbert Bollow <nb@bollow.ch>, Warren Kumari <warren@kumari.net>
References: <20140129055438.2402.qmail@joyce.lan> <97E20887-2B9C-4EAD-826B-043306605F88@fl1ger.de> <54BE75D7-E70B-46AB-93C1-042E655BB5E7@apple.com> <D0AC0015-63C3-4C03-A8D0-888C435D2775@virtualized.org> <20140226100311.E73CA1069B39@rock.dv.isc.org> <8FEAF0FC-2AC3-4F39-9825-7068AAA6E40D@hopcount.ca> <CAHw9_iJa_OhzHVCQ4L0Aj+m=zAp6w=mJpAV-_ueh9iukhb3bnA@mail.gmail.com> <20140303102535.6f276963@quill>
In-Reply-To: <20140303102535.6f276963@quill>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/St5pxdnMp4VZ2bmBT2kd4P1QUaY
Cc: Stuart Cheshire <cheshire@apple.com>, "dnsop@ietf.org WG" <dnsop@ietf.org>, Joe Abley <jabley@hopcount.ca>, David Conrad <drc@virtualized.org>
Subject: Re: [DNSOP] additional special names Fwd: I-D Action: draft-chapin-additional-reserved-tlds-00.txt
On 3/3/14, 9:25 AM, Norbert Bollow wrote:
> Warren makes a strong argument in favor of .alt I think.

yeah... anything that has the potential to result in additional leakage
seems like a recipe for additional pain.

> Another related aspect is that if something like onion.notreallydns.org
> is used, with notreallydns.org registered for the specific purpose of
> providing a home for one or more non-resolving dns-like names, it
> is very non-trivial to guarantee that whoever has registered the
> notreallydns.org name will continue paying the yearly fees forever. If
> the registration lapses, an attacker could become the new holder of the
> notreallydns.org domain and use it to snoop and/or serve malware...
>
> Greetings,
> Norbert
>
> On Sun, 2 Mar 2014 22:20:48 +0000,
> Warren Kumari <warren@kumari.net> wrote:
>
>> On Wed, Feb 26, 2014 at 2:34 PM, Joe Abley <jabley@hopcount.ca> wrote:
>>>
>>> On 26 Feb 2014, at 5:03, Mark Andrews <marka@isc.org> wrote:
>>>
>>>> In message <D0AC0015-63C3-4C03-A8D0-888C435D2775@virtualized.org>,
>>>> David Conrad writes:
>>>>
>>>>> On Feb 25, 2014, at 9:51 AM, Stuart Cheshire <cheshire@apple.com>
>>>>> wrote:
>>>>>> If we have *some* pseudo-TLDs reserved for local-use names,
>>>>>
>>>>> I would think
>>>>> http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#User-assigned_code_elements
>>>>> would be appropriate for this purpose.
>>>>>
>>>>> Regards,
>>>>> -drc
>>>>
>>>> Whatever is used needs to be insecurely delegated so that in-app
>>>> validation will work.
>>>
>>> I still don't see why we need a TLD, or a delegation/reservation
>>> under ARPA.
>>>
>>> There are many, many TLDs under which an application/protocol
>>> implementer can reserve some namespace for their exclusive use at
>>> low cost ($10/year, say). Why is this approach not preferred for a
>>> new application/protocol? It seems far simpler.
>>
>> Yes, and it is -- but it means that leakages hit more folk.
>>
>>> Perhaps all that is missing is some guidance that says "you
>>> shouldn't hijack namespaces that you don't control, even for
>>> non-DNS applications; register a domain instead".
>>
>> Because for some things, people specifically do *not* want it to hit /
>> go through the DNS -- this is why they have done this, and *not* just
>> registered e.g. onion.com...
>>
>> For example, I'm a *huge* Justin Bieber fan. I, and a bunch of my
>> fellow closet Bieberites hang out on the-bieb-is-cool.onion. (you
>> don't really think we want everyone to know that we obsess over every
>> little antic, do you?)
>>
>> Last week I emailed my friend a link to
>> http://www.the-bieb-is-cool.onion/Justins_New_Shoes.html.
>> Unfortunately, he was just *so* excited to see that the Bieb has new
>> sneakers that he clicked on the link from his phone (which doesn't
>> have the Tor interceptor software installed). This, of course, means
>> that the "DNS like" name, which should not really be used in a DNS
>> context suddenly hit the DNS. Only his recursive and the root saw
>> this, and that's embarrassing enough, thank you.
>>
>> This is bad enough, but if people built stuff like this under
>> .onion.eff.org (or foo.onion.arpa), there would now be many more
>> people in the list who knew our shameful little secret.
>>
>> Obviously this is a somewhat contrived example (after all, who
>> wouldn't want to make it widely known that they *love* Justin
>> Bieber!), but let's instead pretend I'm using an overlay network as a
>> political dissident, or to discuss my sexual orientation, or...
>>
>> This is some of the justification behind the .ALT TLD proposal
>> (http://tools.ietf.org/html/draft-wkumari-dnsop-alt-tld-00) -- create
>> a special label to be used to denote that this is not actually a name
>> in the DNS context. By reserving it as a special use name:
>> A: It creates a "safe" namespace, secure from collision for people to
>> root namespaces that have no meaning in a DNS context.
>> B: when one of these names *does* leak (as they will), iterative
>> resolvers will be authoritative, with an empty zone, so
>> the-bieb-is-cool.onion.alt only gets seen by the iterative and goes no
>> further.
>> C: When one does go further (as they will), the root can delegate to
>> AS112, which can squash it.
>> D: 4 years from now, when someone comes along and says "I created a
>> shiny new directory system. I used something that looks like DNS
>> names, and I placed it under .pony. Please reserve that for me" the
>> IESG can at least say "But we told you not to do that..." They can
>> also a: reserve it, b: not, or c: we can have another thread about
>> this all again, but now at least we can nod knowingly and feel all
>> superior...
>>
>> W
>> P.S: Note: I did *not* say what should happen with the current
>> pseudo-TLDs / colliding names. They can move under .ALT or they can
>> not. The IESG can reserve them, or not, or bury them in peat, or paint
>> them purple and dress them in wellies. I have views on what I think
>> makes sense, but that's a separate mail.....
>>
>>> Joe
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
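The leak-containment mechanism in Warren's points B and C (a leaked pseudo-TLD name either never leaves the application, stops at a recursive resolver that is locally authoritative for an empty zone, or goes on to the root) is easy to get subtly wrong on the suffix-matching side. The following is an added example and not code from the thread or from any resolver or draft mentioned in it: a small Python simulation of where a given name becomes visible, with label-wise suffix matching so that a registered onion.com is not mistaken for something under .onion. The hop names (`recursive`, `root`), the function names, and the use of `.pony` as a locally added suffix are my own constructs; the sample names are taken from Warren's story.

```python
# Added example (not code from the thread): a simulation of where a leaked
# pseudo-TLD query stops, following points B and C in Warren Kumari's mail.
# The suffix sets, hop names and the trace() function are my own constructs.

from typing import Iterable, List, Optional

# Suffixes the thread treats as not belonging in the DNS.  ".pony" is the
# hypothetical future namespace from the thread; an operator could add it to
# a resolver's locally served zones the same way.
SPECIAL_USE = frozenset({"onion", "alt"})


def labels(name: str) -> List[str]:
    """Split a presentation-format name into lower-cased labels.

    A trailing dot (fully-qualified form) and mixed case must not change
    the answer, otherwise 'Foo.ONION.' would slip past the check.
    """
    return [lbl for lbl in name.strip().lower().split(".") if lbl]


def is_under(name: str, suffix: str) -> bool:
    """True if `name` equals `suffix` or is a subdomain of it.

    Comparison is label-wise: 'onion.com' is NOT under 'onion' and
    'notonion' is NOT under 'onion'.  Only whole labels count, which is the
    distinction Warren draws between x.onion and a registered onion.com.
    """
    n, s = labels(name), labels(suffix)
    return len(s) > 0 and len(n) >= len(s) and n[-len(s):] == s


def matching_suffix(name: str, suffixes: Iterable[str]) -> Optional[str]:
    """Return the longest suffix in `suffixes` that `name` falls under, or None."""
    hits = [s for s in suffixes if is_under(name, s)]
    return max(hits, key=lambda s: len(labels(s))) if hits else None


def trace(name: str,
          client_intercepts: Iterable[str] = (),
          resolver_local_zones: Iterable[str] = ()) -> List[str]:
    """Return the list of parties that see `name` on the wire.

    client_intercepts:    suffixes the application handles itself (the
                          'Tor interceptor' case for 'onion'); such names
                          never leave the host.
    resolver_local_zones: suffixes for which the recursive resolver is
                          locally authoritative with an empty zone (point B);
                          the query reaches the recursive and stops there.
    Anything else goes to the recursive and on to the root (point C), where
    whoever serves the root, or an AS112 delegation, sees it too.
    """
    if matching_suffix(name, client_intercepts) is not None:
        return []                         # handled in-app, no DNS traffic
    if matching_suffix(name, resolver_local_zones) is not None:
        return ["recursive"]              # NXDOMAIN from the empty local zone
    return ["recursive", "root"]          # full leak


def leaks_past_recursive(name: str, **policy) -> bool:
    """Does this name reach anything beyond the local recursive resolver?"""
    return "root" in trace(name, **policy)


if __name__ == "__main__":
    # Constructed sample names from the thread's own story.
    phone = dict(client_intercepts=(), resolver_local_zones=())
    hardened = dict(client_intercepts=(),
                    resolver_local_zones=SPECIAL_USE | {"pony"})
    for n in ("www.the-bieb-is-cool.onion", "the-bieb-is-cool.onion.alt",
              "onion.com", "Foo.PONY."):
        print(f"{n:30} phone={trace(n, **phone)}  hardened={trace(n, **hardened)}")
```

The `resolver_local_zones` policy is what point B asks recursive operators to deploy; on Unbound, for instance, `local-zone: "alt." always_nxdomain` gives exactly that locally synthesized NXDOMAIN. Mark Andrews' caveat still applies and is not modelled here: an application that validates DNSSEC itself will only accept such a locally served answer if the name is insecurely delegated from the root.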
- Re: [DNSOP] additional special names Fwd: I-D Act… John Levine
- Re: [DNSOP] additional special names Fwd: I-D Act… Paul Hoffman
- [DNSOP] additional special names Fwd: I-D Action:… Suzanne Woolf
- Re: [DNSOP] additional special names Fwd: I-D Act… Stephane Bortzmeyer
- Re: [DNSOP] additional special names Fwd: I-D Act… Stuart Cheshire
- Re: [DNSOP] additional special names Fwd: I-D Act… George Michaelson
- Re: [DNSOP] additional special names Fwd: I-D Act… John Levine
- Re: [DNSOP] additional special names Fwd: I-D Act… Jim Reid
- Re: [DNSOP] additional special names Fwd: I-D Act… Paul Hoffman
- Re: [DNSOP] additional special names Fwd: I-D Act… Paul Hoffman
- Re: [DNSOP] additional special names Fwd: I-D Act… John R Levine
- Re: [DNSOP] additional special names Fwd: I-D Act… Lyman Chapin
- Re: [DNSOP] additional special names Fwd: I-D Act… Stuart Cheshire
- Re: [DNSOP] additional special names Fwd: I-D Act… Stuart Cheshire
- Re: [DNSOP] additional special names Fwd: I-D Act… John Levine
- Re: [DNSOP] additional special names Fwd: I-D Act… Paul Hoffman
- Re: [DNSOP] additional special names Fwd: I-D Act… Ralf Weber
- Re: [DNSOP] additional special names Fwd: I-D Act… Paul Hoffman
- Re: [DNSOP] additional special names Fwd: I-D Act… Ralf Weber
- Re: [DNSOP] additional special names Fwd: I-D Act… Joe Abley
- Re: [DNSOP] additional special names Fwd: I-D Act… Ralf Weber
- Re: [DNSOP] additional special names Fwd: I-D Act… Mark Andrews
- Re: [DNSOP] additional special names Fwd: I-D Act… Ted Lemon
- Re: [DNSOP] additional special names Fwd: I-D Act… Stephane Bortzmeyer
- Re: [DNSOP] additional special names Fwd: I-D Act… Paul Hoffman
- Re: [DNSOP] additional special names Fwd: I-D Act… Joe Abley
- Re: [DNSOP] additional special names Fwd: I-D Act… Mark Andrews
- Re: [DNSOP] additional special names Fwd: I-D Act… Joe Abley
- Re: [DNSOP] additional special names Fwd: I-D Act… Ted Lemon
- Re: [DNSOP] additional special names Fwd: I-D Act… Andrew Sullivan
- Re: [DNSOP] additional special names Fwd: I-D Act… jonne.soininen
- Re: [DNSOP] additional special names Fwd: I-D Act… George Michaelson
- Re: [DNSOP] additional special names Fwd: I-D Act… Ted Lemon
- Re: [DNSOP] additional special names Fwd: I-D Act… George Michaelson
- Re: [DNSOP] additional special names Fwd: I-D Act… John Levine
- Re: [DNSOP] additional special names Fwd: I-D Act… Andrew Sullivan
- Re: [DNSOP] additional special names Fwd: I-D Act… Ted Lemon
- Re: [DNSOP] additional special names Fwd: I-D Act… George Michaelson
- Re: [DNSOP] additional special names Fwd: I-D Act… Andrew Sullivan
- Re: [DNSOP] additional special names Fwd: I-D Act… Ted Lemon
- Re: [DNSOP] additional special names Fwd: I-D Act… Ted Lemon
- Re: [DNSOP] additional special names Fwd: I-D Act… jonne.soininen
- Re: [DNSOP] additional special names Fwd: I-D Act… Paul Vixie
- Re: [DNSOP] additional special names Fwd: I-D Act… Andrew Sullivan
- Re: [DNSOP] additional special names Fwd: I-D Act… John Levine
- Re: [DNSOP] additional special names Fwd: I-D Act… Patrik Fältström
- Re: [DNSOP] additional special names Fwd: I-D Act… Jim Reid
- Re: [DNSOP] additional special names Fwd: I-D Act… Stephane Bortzmeyer
- Re: [DNSOP] additional special names Fwd: I-D Act… Stephane Bortzmeyer
- Re: [DNSOP] additional special names Fwd: I-D Act… Stephane Bortzmeyer
- Re: [DNSOP] additional special names Fwd: I-D Act… Andrew Sullivan
- Re: [DNSOP] additional special names Fwd: I-D Act… Joe Abley
- Re: [DNSOP] additional special names Fwd: I-D Act… Paul Ferguson
- Re: [DNSOP] additional special names Fwd: I-D Act… Suzanne Woolf
- Re: [DNSOP] additional special names Fwd: I-D Act… John Levine
- Re: [DNSOP] possibly quite a lot of additional sp… John Levine
- Re: [DNSOP] additional special names Fwd: I-D Act… joel jaeggli
- Re: [DNSOP] additional special names Fwd: I-D Act… Ted Lemon
- Re: [DNSOP] additional special names Fwd: I-D Act… Stuart Cheshire
- Re: [DNSOP] additional special names Fwd: I-D Act… Mark Andrews
- Re: [DNSOP] additional special names Fwd: I-D Act… Stuart Cheshire
- Re: [DNSOP] additional special names Fwd: I-D Act… Mark Andrews
- Re: [DNSOP] additional special names Fwd: I-D Act… David Conrad
- Re: [DNSOP] additional special names Fwd: I-D Act… Mark Andrews
- Re: [DNSOP] additional special names Fwd: I-D Act… Joe Abley
- Re: [DNSOP] additional special names Fwd: I-D Act… Paul Hoffman
- Re: [DNSOP] additional special names Fwd: I-D Act… David Conrad
- Re: [DNSOP] additional special names Fwd: I-D Act… John Levine
- Re: [DNSOP] additional special names Fwd: I-D Act… Mark Andrews
- Re: [DNSOP] additional special names Fwd: I-D Act… Mark Andrews
- Re: [DNSOP] additional special names Fwd: I-D Act… Paul Hoffman
- Re: [DNSOP] additional special names Fwd: I-D Act… Mark Andrews
- Re: [DNSOP] additional special names Fwd: I-D Act… David Conrad
- Re: [DNSOP] additional special names Fwd: I-D Act… Mark Andrews
- [DNSOP] DNSSEC, additional special names & draft-… Jim Reid
- Re: [DNSOP] DNSSEC, additional special names & dr… Mark Andrews
- Re: [DNSOP] DNSSEC, additional special names & dr… Jim Reid
- Re: [DNSOP] DNSSEC, additional special names & dr… Tony Finch
- Re: [DNSOP] DNSSEC, additional special names & dr… Tony Finch
- Re: [DNSOP] DNSSEC, additional special names & dr… Jim Reid
- Re: [DNSOP] DNSSEC, additional special names & dr… Tony Finch
- [DNSOP] admin note Re: additional special names F… Suzanne Woolf
- Re: [DNSOP] DNSSEC, additional special names & dr… John Levine
- Re: [DNSOP] DNSSEC, additional special names & dr… Joe Abley
- Re: [DNSOP] DNSSEC, additional special names & dr… John R Levine
- Re: [DNSOP] DNSSEC, additional special names & dr… Andrew Sullivan
- Re: [DNSOP] additional special names Fwd: I-D Act… Stephane Bortzmeyer
- Re: [DNSOP] additional special names Fwd: I-D Act… Stuart Cheshire
- Re: [DNSOP] additional special names Fwd: I-D Act… Warren Kumari
- Re: [DNSOP] additional special names Fwd: I-D Act… Norbert Bollow
- Re: [DNSOP] additional special names Fwd: I-D Act… joel jaeggli
- Re: [DNSOP] additional special names Fwd: I-D Act… Jelte Jansen
- Re: [DNSOP] additional special names Fwd: I-D Act… Joe Abley
- Re: [DNSOP] additional special names Fwd: I-D Act… Ted Lemon
- Re: [DNSOP] additional special names Fwd: I-D Act… Joe Abley
- Re: [DNSOP] additional special names Fwd: I-D Act… Ted Lemon
- Re: [DNSOP] additional special names Fwd: I-D Act… Tony Finch
- Re: [DNSOP] additional special names Fwd: I-D Act… Ted Lemon
- Re: [DNSOP] additional special names Fwd: I-D Act… Jelte Jansen
- Re: [DNSOP] additional special names Fwd: I-D Act… Andrew Sullivan
- Re: [DNSOP] additional special names Fwd: I-D Act… Olafur Gudmundsson
- Re: [DNSOP] additional special names Fwd: I-D Act… Jelte Jansen
- Re: [DNSOP] additional special names Fwd: I-D Act… Warren Kumari
- Re: [DNSOP] additional special names Fwd: I-D Act… Joe Abley
- Re: [DNSOP] additional special names Fwd: I-D Act… Warren Kumari
- Re: [DNSOP] additional special names Fwd: I-D Act… Warren Kumari
- Re: [DNSOP] additional special names Fwd: I-D Act… Joe Abley
- Re: [DNSOP] additional special names Fwd: I-D Act… Stephane Bortzmeyer
- Re: [DNSOP] additional special names Fwd: I-D Act… Warren Kumari
- Re: [DNSOP] additional special names Fwd: I-D Act… Tim Wicinsku
- Re: [DNSOP] additional special names Fwd: I-D Act… Suzanne Woolf