IETF Logo Mail Archive

Re: [DNSOP] Question about usage of ip6.arpa and in-addr.arpa

Ted Lemon <mellon@fugue.com> Tue, 13 March 2018 15:22 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0AEF126DC2 for <dnsop@ietfa.amsl.com>; Tue, 13 Mar 2018 08:22:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bINmOL89muSP for <dnsop@ietfa.amsl.com>; Tue, 13 Mar 2018 08:22:27 -0700 (PDT)
Received: from mail-qk0-x232.google.com (mail-qk0-x232.google.com [IPv6:2607:f8b0:400d:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82181126C22 for <dnsop@ietf.org>; Tue, 13 Mar 2018 08:22:27 -0700 (PDT)
Received: by mail-qk0-x232.google.com with SMTP id z184so14234857qkc.1 for <dnsop@ietf.org>; Tue, 13 Mar 2018 08:22:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=OsSfjJi0OXdNuBaCGK7oV65xNx0jslL9DgezbKUDv20=; b=zDN8GUhyzuVV2ypWDOZoMG6qE7vuNIB2kiDMYOmGVGY4qpxcht+zGhslGZaOAOsOaa bC0rZTNy8yCoSQiSgeapGLcfPrtHfl64NPoy8DkAb4h73Yd4TEdHrIQwTwJ8u4JdS+O8 IOiM/H6dzoUEDjbihVbq2UjwGGGCGrlePgVccCBGQdggkB8p/8/Iql/AYwtHRAVV6Tzu LTTBxog8bNY2DNMTOhQmn1wSBxqjQXlyJ/L7dPv9lLUSXD1NW401/2CLpEuE6wQ9ERjx 1I1V4q0mJdfJA6lVo/fmmZiJ2oK0rILG6GMgO9UZBgzfdEmEGFkJEDK1SINJe46BHJFF +cVQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=OsSfjJi0OXdNuBaCGK7oV65xNx0jslL9DgezbKUDv20=; b=Uhn7u/KAv3a//YIOsh6YVZ/fseFBdmfuKfuS4yBJqngogu57HCNr6zhIoxeCkqTJg6 936Ul93hnvTI0vi8FDLPYFaY9xZ0APke1w8Ij+3siafMVVbEvbCGbF6nLTdNAd3UIMOD qC3enMffzAsMkbmRH6DFEloJnTtmjUF5Fe3XgGHlLv0LS+OPCHpU1enieQKOvcfI4rU8 Ce2bUrEvL7pREO1ErQPMjQP8cEpyXQf8rGQQWomOkqXvJ8KyrstYlVVGkUQgHc0wf6Rd wj9tKMI9nS3JnqbUeCWRC5QNTa96dhLzNYbLmstT3VkKYyqOwZLJXhDGXbgubeSTGRpO Vcvw==
X-Gm-Message-State: AElRT7EUAmZ74m0Gh7LjigBtiw1q7cXgnYLh6L6fxtEJxddO/rk/xi7k XaopX7G1hgbASBKeHjmCrpUdaQ==
X-Google-Smtp-Source: AG47ELt/BLSGRcUNFNgiRg3nhVBSyz1ro0Fh+XV+XxHW2IUhTJoDUtGfOKirQyTUI6UcPABtNKJ8sg==
X-Received: by 10.55.139.193 with SMTP id n184mr1364636qkd.299.1520954546531; Tue, 13 Mar 2018 08:22:26 -0700 (PDT)
Received: from cavall.lan (c-24-60-163-103.hsd1.nh.comcast.net. [24.60.163.103]) by smtp.gmail.com with ESMTPSA id y35sm369515qth.31.2018.03.13.08.22.25 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 13 Mar 2018 08:22:25 -0700 (PDT)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <21FCA497-026E-4602-85CA-8A823084961F@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B4E0C6FD-62A8-49B4-B130-5D6B6D5244FD"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
Date: Tue, 13 Mar 2018 11:22:24 -0400
In-Reply-To: <62E857A4-6184-4F1A-A6E2-16AC5C16F574@90.212.199.in-addr.arpa>
Cc: Roland Bracewell Shoemaker <roland@letsencrypt.org>, dnsop@ietf.org
To: Joe Abley <jabley@90.212.199.in-addr.arpa>
References: <B7531E71-AC04-4D40-86B0-74F2DCA92446@letsencrypt.org> <62E857A4-6184-4F1A-A6E2-16AC5C16F574@90.212.199.in-addr.arpa>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/T3POlxmGNCIrkkplPvLa111WaU0>
Subject: Re: [DNSOP] Question about usage of ip6.arpa and in-addr.arpa
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Mar 2018 15:22:30 -0000

On Mar 13, 2018, at 11:16 AM, Joe Abley <jabley@90.212.199.in-addr.arpa> wrote:
> 
> I think that if Tony can be dot@dotat.at <mailto:dot@dotat.at>, surely I can be jabley@90.212.199.in-addr.arpa <mailto:jabley@90.212.199.in-addr.arpa>.
> 
> A zone is a zone. ARPA is only special by convention, not by protocol.

Yup.

Thinking through the threat model here, when would this even work?   It would certainly work in principle for stable servers that have reverse delegations.   For servers that move around a lot, it seems like a really crappy solution.   Why do you trust a server that's moving around a lot?   Presumably because you've already established trust with it OOB.   So why do you need ACME in this case?

For the case of a server that's not moving around a lot, why is it useful?   How did your resolver know to contact that particular server?

I don't see anything in the document describing the motivating use case.   Did I miss that from some other document?

v2.23.0 | Report a Bug | By Email