Re: [DNSOP] ALT-TLD and (insecure) delgations.
Bob Harold <rharolde@umich.edu> Fri, 03 February 2017 20:19 UTC
From: Bob Harold <rharolde@umich.edu>
Date: Fri, 03 Feb 2017 15:19:27 -0500
Message-ID: <CA+nkc8DRCWqDTb+XKNbqaw8vQhdidUcdNLiG7f0_rCMuMhwtxA@mail.gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/TQ1ar9Q09IWCGIxLRP3goozD0KU>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Subject: Re: [DNSOP] ALT-TLD and (insecure) delgations.

On Fri, Feb 3, 2017 at 3:02 PM, Brian Dickson <brian.peter.dickson@gmail.com> wrote:

> Stephane wrote:
>
>> On Wed, Feb 01, 2017 at 03:28:29PM -0500,
>> Warren Kumari <warren at kumari.net> wrote
>> a message of 103 lines which said:
>>
>> > or 2: request that the IANA insert an insecure delegation in the
>> > root, pointing to a: AS112 or b: an empty zone on the root or c"
>> > something similar.
>>
>> Here, people may be interested by draft-bortzmeyer-dname-root (expired
>> but could be revived). The main objection was the privacy issue
>> (sending user queries to the "random" operators of AS112.)
>
> My opinion on these issues are as follows, roughly:
>
> - I am in favor of AS112 for ALT
> - For AS112, I prefer the AS112++ method (DNAME)
> - I do not see why the DNAME would/should not be DNSSEC signed
> - Any local use of ALT can be served locally and signed using an
>   alternative trust anchor
> - I don't think there is any issue with having both the NXD from the
>   root, and the local assertion of existence, both present (in cache and in
>   authoritative data respectively)
> - Maybe there are issues with specific implementations?
> - If anyone knows of such problems, it would be helpful to identify
>   them along with the implementation and version
> - For AS112 privacy, perhaps someone should write up a recommendation
>   to set up local AS112 instances, to provide privacy, as an informational
>   RFC?
> - Even simply through resolver configurations, without a full AS112
>   "announce routes"?
> - Do any resolver packages offer such a simple AS112 set-up?
> - Maybe the efforts for privacy should start there (implement
>   first, then document)?
> - Do any stub resolver packages include host-local AS112
>   features/configurations?
>
> Overall, I'm obviously in favor of use of ALT, and for signing whatever is
> done for ALT, and for use of DNAME for ALT.
>
> Brian "DNAME" Dickson

I would prefer an UNsigned delegation.
If someone wants a signed zone, they can add a trust anchor, I assume. But if they want an unsigned zone there needs to be a way to get that.

--
Bob Harold