Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

Mark Andrews <marka@isc.org> Tue, 18 October 2016 22:14 UTC

To: John R Levine <johnl@taugh.com>
From: Mark Andrews <marka@isc.org>
References: <20161018175340.26608.qmail@ary.lan> <20161018211145.0DA0456EF21C@rock.dv.isc.org> <alpine.OSX.2.11.1610181740070.35115@ary.qy>
In-reply-to: Your message of "18 Oct 2016 17:44:29 -0400." <alpine.OSX.2.11.1610181740070.35115@ary.qy>
Date: Wed, 19 Oct 2016 09:07:16 +1100
Message-Id: <20161018220716.2A18956F019C@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/T_Sfa3QkgNLTrMd9NJr2pe9z2I0>
Cc: dnsop@ietf.org

In message <alpine.OSX.2.11.1610181740070.35115@ary.qy>, "John R Levine" writes:
> >> If we're going to ask people to change their software, how about
> >> asking them to implement aggressive NSEC or NXDOMAIN-means-NXDOMAIN in
> >> their caches?  Those deal with .local and .onion leaks at the same time
> >> they do other useful stuff.
> >
> > No.  They slow the leaks.  They do not STOP the leaks.  They depend on
> > leaks to work.
> 
> With a 24 hour TTL on the root zone, it ain't going to leak very much.

The practical TTL is 3 hours.
 
> Or if you get to hack on your cache, you can just do what unbound already 
> did and put in dummy stub zones, no new code needed.

But dummy stub zones (which is what I'm requesting) require
changes in the root zone to add an insecure delegation to not break
other things.  That requires IANA to be instructed to do so.

You may not care that validating stub resolvers that ask for
example.local get back answers that can be validated as NXDOMAIN
without leaking queries to the root but I do.  Just adding the zone
locally without having the insecure delegation results in just that
condition.

For all the zones in RFC 6303 that is what we instructed IANA to
do.  I had to open a few trouble tickets with IANA to get them all
installed but there was the documentation there to back up the
trouble tickets.  We then had to do this for 100.64/10 with RFC
7793 which required co-ordination between IANA and ARIN.

Mark

> Regards,
> John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail. https://jl.ly
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
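The interaction Mark describes above, as an added toy model that is not code from this thread or from any resolver: a recursive resolver serving an unsigned local "dummy" zone for local., a validating stub holding the root trust anchor, and a root zone with or without an insecure delegation for local. The validator logic is deliberately simplified (the stub's own DS lookup is not modelled) and all zone contents are constructed for the example.

```python
# Added toy model: why an unsigned zone served locally (e.g. "local.")
# needs an insecure delegation in the signed root before a validating
# stub accepts its NXDOMAIN. Simplified validator logic, not a real
# implementation; zone contents are constructed for the example.

def tld_of(qname):
    """Top-level label of an absolute name: 'example.local.' -> 'local.'."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return labels[-1] + "."

def resolver_answer(qname, local_zones, root_delegations):
    """Model the recursive resolver. Returns (rcode, signed, leaked_to_root).

    local_zones: set of TLDs served from unsigned local 'dummy' zones.
    root_delegations: dict TLD -> has_DS (True = signed child, False =
    insecure delegation). A TLD absent from the dict has no delegation.
    """
    tld = tld_of(qname)
    if tld in local_zones:
        # Answered from the local zone: nothing leaves the resolver, but the
        # data carries no RRSIG because the local zone is unsigned.
        return ("NXDOMAIN", False, False)
    if tld in root_delegations:
        # Would be chased into the child zone; not modelled further here.
        return ("NOERROR", root_delegations[tld], True)
    # The root's signed NSEC chain proves the TLD does not exist at all.
    return ("NXDOMAIN", True, True)

def stub_validates(qname, signed, root_delegations):
    """What a validating stub with the root trust anchor concludes."""
    if signed:
        return "secure"
    tld = tld_of(qname)
    if tld not in root_delegations:
        # Root proves the TLD is absent, so unsigned data under it is bogus.
        return "bogus"
    if root_delegations[tld]:
        # A DS in the root promises a signed child; unsigned data is rejected.
        return "bogus"
    # NS without DS: provably insecure delegation, unsigned data is accepted.
    return "insecure"

def scenario(local_zone_installed, insecure_delegation_in_root,
             qname="example.local."):
    """(validation_result, leaked_to_root) for one resolver/root combination."""
    local_zones = {"local."} if local_zone_installed else set()
    root = {"local.": False} if insecure_delegation_in_root else {}
    rcode, signed, leaked = resolver_answer(qname, local_zones, root)
    return stub_validates(qname, signed, root), leaked
```

`scenario(True, False)` is the "just add the zone locally" case: no leak, but the validating stub rejects the answer; `scenario(True, True)` adds the insecure delegation and the unsigned NXDOMAIN is accepted as insecure without a leak.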