Re: [DNSOP] solving a problem by creating a worse problem, ALT-TLD and (insecure) delegations.

Suzanne Woolf, Fri, 10 February 2017 18:41 UTC


The editors hold the token on text for this, but it seems to me that the discussion has started going in circles.

A number of arguments have been made, and in some cases repeated. Let’s assume the editors have heard them and try to restrict followups to new observations, questions, or arguments.

> On Feb 10, 2017, at 1:25 PM, John Levine wrote:
>> This is part of why I don't want to extend alt this way, and the more
>> I think about it the less desirable it seems to me.  We have a
>> particular problem: non-DNS-protocol switching for applications that
>> want to use a DNS-compatible domain name slot (see RFC 5890).
> Agreed.  Say that you can do anything you want with .ALT (duh) but you
> SHOULD NOT resolve .ALT names via the DNS protocol because of the
> DNSSEC problems.  To minimize leakage, we can use the tools we already
> have: qname minimization, local mirrors of the root, and special
> casing in DNS caches as many now do for .onion.

This sounds reasonable to me.