Re: [DNSOP] solving a problem by creating a worse problem, ALT-TLD and (insecure) delgations.

Suzanne Woolf <suzworldwide@gmail.com> Fri, 10 February 2017 18:41 UTC

From: Suzanne Woolf <suzworldwide@gmail.com>
Date: Fri, 10 Feb 2017 13:41:05 -0500
To: John Levine <johnl@taugh.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/VkSytu-SMkZczCeSqQgPBjcv7FA>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] solving a problem by creating a worse problem, ALT-TLD and (insecure) delgations.

Hi,

The editors hold the token on text for this, but it seems to me that the discussion has started going in circles.

A number of arguments have been made, and in some cases repeated. Let’s assume the editors have heard them and try to restrict followups to new observations, questions, or arguments.

> On Feb 10, 2017, at 1:25 PM, John Levine <johnl@taugh.com> wrote:
> 
>> This is part of why I don't want to extend alt this way, and the more
>> I think about it the less desirable it seems to me.  We have a
>> particular problem: non-DNS-protocol switching for applications that
>> want to use a DNS-compatible domain name slot (see RFC 5890).
> 
> Agreed.  Say that you can do anything you want with .ALT (duh) but you
> SHOULD NOT resolve .ALT names via the DNS protocol because of the
> DNSSEC problems.  To minimize leakage, we can use the tools we already
> have: qname minimization, local mirrors of the root, and special
> casing in DNS caches as many now do for .onion.

This sounds reasonable to me.


Suzanne
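
Added illustration, not part of the original message or of any draft text: a small Python model of which name a remote root server would observe for a query on a cold cache, under each of the three leakage controls listed in the quoted text (special casing in the cache, a local mirror of the root, qname minimization). The function names, the SPECIAL_USE set and the sample names are constructed for this example.

```python
# Model only: no DNS traffic is sent. Assumes a cold cache, so the
# resolver would otherwise start its lookup at the root.
SPECIAL_USE = {"alt", "onion"}  # assumed set of TLDs the cache answers itself


def labels(qname):
    """Lower-cased labels of a domain name, ignoring trailing dots."""
    name = qname.rstrip(".").lower()
    return name.split(".") if name else []


def is_special_use(qname):
    """True when the rightmost label is a special-cased TLD.

    The match is on the whole label, so 'example.notalt' and
    'alt.example.com' are ordinary DNS names.
    """
    parts = labels(qname)
    return bool(parts) and parts[-1] in SPECIAL_USE


def seen_by_root(qname, special_case=False, local_root=False, qname_min=False):
    """Name exposed to a remote root server, or None if no query leaves."""
    if special_case and is_special_use(qname):
        return None  # cache answers locally, nothing is sent
    if local_root:
        return None  # answered from the local copy of the root zone
    parts = labels(qname)
    if not parts:
        return "."
    if qname_min:
        return parts[-1] + "."  # root is asked about the TLD label only
    return ".".join(parts) + "."  # full name leaks to the root


if __name__ == "__main__":
    name = "Private-Service.Example.ALT."  # constructed sample name
    for opts in ({}, {"qname_min": True}, {"local_root": True}, {"special_case": True}):
        print(opts or "no controls", "->", seen_by_root(name, **opts))
```
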