IETF Logo Mail Archive

Re: [DNSOP] ALT-TLD and (insecure) delgations.

Andrew Sullivan <ajs@anvilwalrusden.com> Fri, 10 February 2017 17:08 UTC

Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C09AC129A57 for <dnsop@ietfa.amsl.com>; Fri, 10 Feb 2017 09:08:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=yitter.info header.b=OThijt1X; dkim=pass (1024-bit key) header.d=yitter.info header.b=WsZj7aij
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1m7QuA7_1RY8 for <dnsop@ietfa.amsl.com>; Fri, 10 Feb 2017 09:08:02 -0800 (PST)
Received: from mx4.yitter.info (mx4.yitter.info [159.203.56.111]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8791D129A50 for <dnsop@ietf.org>; Fri, 10 Feb 2017 09:08:02 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mx4.yitter.info (Postfix) with ESMTP id E0777BD554 for <dnsop@ietf.org>; Fri, 10 Feb 2017 17:08:01 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yitter.info; s=default; t=1486746481; bh=iDtM8goTzH5zVo+hSW/S8uEg3ukn7FZjQYYbG9JE6cA=; h=Date:From:To:Subject:References:In-Reply-To:From; b=OThijt1X2eQHFRWnNlMMjGxm/UjPhCbLzuFaVtiPYYcDG9rSfm38TUbEg7kKw6tG3 2gzjMiBM/T8k+ipcJo4Fert4T62Vs7vkVUuMBtanL+Yl+iTp4xRxzqSRInetDD9RyD CxGuoGy9obizcf+rPvFI8rGIRjmQdZOxnGYrb/O0=
X-Virus-Scanned: Debian amavisd-new at crankycanuck.ca
Received: from mx4.yitter.info ([127.0.0.1]) by localhost (mx4.yitter.info [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yxg2lHfF4kP7 for <dnsop@ietf.org>; Fri, 10 Feb 2017 17:08:00 +0000 (UTC)
Date: Fri, 10 Feb 2017 12:07:58 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yitter.info; s=default; t=1486746480; bh=iDtM8goTzH5zVo+hSW/S8uEg3ukn7FZjQYYbG9JE6cA=; h=Date:From:To:Subject:References:In-Reply-To:From; b=WsZj7aijKbZBmuodw476mP3COuQoYbwzTVPO+uc/e0CL3Izmq2vc0v6Rd+xlRNsNN 5dXRSjcthU0sY9xQnbw/zv6tqAzPVraP9aQWRV6w5zbwaSGqbGmGqqmg5I2U0sIHd/ 0amih7zt3cjZ3HbGTLA76YEBJG1sNXQYWfPMZ6bQ=
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnsop@ietf.org
Message-ID: <20170210170758.GD91545@mx4.yitter.info>
References: <20170207205554.B6974633BE40@rock.dv.isc.org> <18F2EB0D-5BD0-4CC5-B02C-2E5EA0B8CC23@fugue.com> <20170207214846.B66EF633C6C5@rock.dv.isc.org> <FB835756-2C46-40A9-88ED-2F8ADF812BA6@fugue.com> <20170208052544.862956356F33@rock.dv.isc.org> <FFAFD844-824C-44EA-A4B1-1AD28B4FE95C@fugue.com> <20170208060208.8C8E1635864D@rock.dv.isc.org> <E0A42577-0984-4ADD-8658-91413CBE783D@fugue.com> <20170208194208.DB02C635DD72@rock.dv.isc.org> <CAH1iCipA5nvWJqjdGUwJeeT_eU8EH8VYJU2hX1hJoiTb617K8Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAH1iCipA5nvWJqjdGUwJeeT_eU8EH8VYJU2hX1hJoiTb617K8Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/T7uFuL6KwPHhZKoHS_MqQC9FwaI>
Subject: Re: [DNSOP] ALT-TLD and (insecure) delgations.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Feb 2017 17:08:04 -0000

On Wed, Feb 08, 2017 at 12:36:23PM -0800, Brian Dickson wrote:

> So, while technically the instruction (SHOULD NOT) applies to full .onion
> names,
> it is a SHOULD NOT, not a MUST NOT.

Note also that the original request was that it be a MUST NOT, and
some of us tried to explain that RFCs do not actually determine what
people may do and it's the Internet, and so you couldn't make a
requirement in one RFC that would be guaranteed to be implemented by
those who don't implement that RFC.  Which means that the restricton
is a stupid one.  The result was a compromise in which it says "SHOULD
NOT".  In this case, the pretty good reason not to implement the
restriction is that the Internet doesn't work the way the people who
wanted onion to work thought it did.

Any name under alt -- which is, rememeber, _supposed_ to be the
protocol switch in the way Warren and I originally were thinking --
should never get looked up in the global DNS.  If it does, that's
because someone is trying to use a name that contains right in itself
an indication that it needs an alternative resolution context, and not
having that resolution context available.  It might be that such a
computer will erroneously fall back on the global DNS.  That's not a
reason for us to do contortions in the specification.

Best regards,

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com

v2.30.2 | Report a Bug | By Email | System Status