Re: [DNSOP] A conversational description of sentinel.
Warren Kumari <warren@kumari.net> Fri, 02 February 2018 15:46 UTC
From: Warren Kumari <warren@kumari.net>
Date: Fri, 02 Feb 2018 10:45:28 -0500
Message-ID: <CAHw9_iJ6yL12OaGW5+fm8M3YUkrj46CvC2-ob7Xrc5HEaA_Z1Q@mail.gmail.com>
To: Petr Špaček <petr.spacek@nic.cz>
Cc: dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Wj11nnEohz6M2pk8ayR_xgXwjss>
On Fri, Feb 2, 2018 at 4:41 AM, Petr Špaček <petr.spacek@nic.cz> wrote:
> On 2.2.2018 09:32, Mark Andrews wrote:
>> This isn't about whether name servers load A records with non-LDH names,
>> as they all can.
>>
>> The real question is: do the name lookup APIs in the web browsers barf
>> on non-IDN, non-LDH names, since that is the mechanism being proposed
>> for people to test this.
>
> Sure. Given that MS AD uses underscore A records in its integrated DNS
> server (at least in older versions), it is going to work with the DNS
> resolver distributed with Windows. This covers 99 % of clients which can
> potentially be the target of a potential ad campaign.
>
> So, now, we need to test browsers...
>

For those who would like to test this, while not having to get their
hands quite as dirty, I've added:

    _www    IN CNAME ron.kumari.net
    xm--www IN A     204.194.23.4

to ksk-test.net, and have updated the JavaScript to test these as well.

On Chrome and Safari on both OS X and iOS I get:

    These below 2 tests are just for debugging / to understand browser behavior.
    You:
    were able to fetch the "underscore" record
    were able to fetch the "dashdash" record

Surprisingly, on Chrome on Android and Samsung Internet (the browser on
Samsung Galaxy Note devices) I get:

    These below 2 tests are just for debugging / to understand browser behavior.
    You:
    were **NOT** able to fetch the "underscore" record
    were able to fetch the "dashdash" record

I must admit that I was not expecting this - can others please also
test this?

I personally don't really care what the labels are -- we could make it
I-Heart-KennyG-is-ta-[foo] for all I care[0].

W

[0]: Note: anyone who suggests a: an emoticon or b: some cute Unicode
hack is dead to me.

>
> Talk is cheap, let's get hands dirty!
>
> I just tested Firefox 58.0.1 on Fedora 27
> URL http://_test.example
>
> Result: The Firefox under test issued DNS queries
>   _test.example. A
>   _test.example. AAAA
> just fine.
>
> nsswitch.conf:
>   hosts: files mdns4_minimal [NOTFOUND=return] dns myhostnam
>
> I do not have another desktop system at hand, so I will defer other
> experiments to others.
>
> Please do experiments and report your results.
> Petr Špaček @ CZ.NIC
>
>> Mark
>>
>>> On 2 Feb 2018, at 6:50 pm, Petr Špaček <petr.spacek@nic.cz> wrote:
>>>
>>> On 2.2.2018 07:55, A. Schulze wrote:
>>>> Paul Hoffman:
>>>>> My preference is #1 because, in general, a label starting with _ has
>>>>> been meant for infrastructure, and that's what these labels are.
>>>>> Others might like #2 so they don't have to add configuration to BIND
>>>>> (and maybe other authoritative servers).
>>>>
>>>> just checked, my NSD and POWERDNS serve A record for _foo.examle.
>>>> without noise...
>>>> so: #1
>>>
>>> For the record, I also like the underscore variant (#1 above) more.
>>>
>>> BIND spits a warning about it and I like it. After all, this whole KSK
>>> sentinel business is quite a specialized thing to do and should be done
>>> only by people who know what they are doing, so a warning is appropriate.
>>>
>>> After all, what is your guess about the number of zones containing such
>>> names? 10? 20 zones globally? I cannot see more, and most likely the vast
>>> majority of people who would like to create such zones are following this
>>> discussion.
>>>
>>> Please do not overcomplicate things. The technology seems okay to me.
>>> (I've implemented it including tests, see Knot Resolver 2.0.0.)
>>> Could we polish the text and publish it, pretty please?
>>>
>>>
>>> (BTW I have seen underscore names with A records in Microsoft Active
>>> Directory DNS years ago, so this is not the first time _ A is used.)
>>>
>>> --
>>> Petr Špaček @ CZ.NIC
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
---maf
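Added example, not Warren's ksk-test.net script and not part of the message above: a browser-side probe of the kind the thread is using, which fetches from hostnames carrying an underscore label and a "dashdash" label and reports in the same wording as the ksk-test.net page. Only _www.ksk-test.net and xm--www.ksk-test.net come from the message; the use of fetch() in no-cors mode, the 3-second abort timeout, the injectable fetch implementation (so the probe can be exercised against a constructed stub rather than the network) and the label classifier are assumptions of this example. The classifier separates plain LDH labels from underscore labels and from labels with hyphens in the third and fourth positions (the pattern that xn-- and the test's xm-- share), which is the distinction the browser lookup APIs are being tested against.

```javascript
// Added example (not from the thread). Probe whether the browser's name-lookup
// path accepts non-LDH labels, reporting like the ksk-test.net page does.

// Classify one DNS label (assumed rules for this example):
//   "ldh"        letters, digits and interior hyphens only (RFC 1123 hostname)
//   "underscore" leading underscore, as in _www
//   "dashdash"   LDH label with hyphens in positions 3 and 4, as in xn--/xm--
//   "other"      anything else (empty, too long, leading/trailing hyphen, ...)
function classifyLabel(label) {
  if (label.length === 0 || label.length > 63) return "other";
  if (label.startsWith("_")) return "underscore";
  if (/^[a-z0-9][a-z0-9-]*[a-z0-9]$|^[a-z0-9]$/i.test(label)) {
    return /^..--/.test(label) ? "dashdash" : "ldh";
  }
  return "other";
}

// Fetch https://<host>/ for each hostname and record whether the lookup+fetch
// succeeded. fetchImpl is injected so the same code runs against the real
// browser fetch() or a constructed stub; no-cors mode is assumed so a
// successful cross-origin fetch yields an opaque response rather than an error.
async function probeHostnames(hostnames, fetchImpl, timeoutMs = 3000) {
  const results = {};
  for (const host of hostnames) {
    const url = `https://${host}/`;
    const ctrl = new AbortController();
    const timer = setTimeout(() => ctrl.abort(), timeoutMs);
    try {
      const resp = await fetchImpl(url, { signal: ctrl.signal, mode: "no-cors" });
      results[host] = { fetched: true, status: resp.status };
    } catch (err) {
      // DNS failure, refused non-LDH name, or the abort timer all land here.
      results[host] = { fetched: false, error: String((err && err.name) || err) };
    } finally {
      clearTimeout(timer);
    }
  }
  return results;
}

// Render the results in the wording the ksk-test.net page uses.
// `names` maps hostname -> record nickname ("underscore", "dashdash").
function report(results, names) {
  const lines = ["You:"];
  for (const [host, kind] of Object.entries(names)) {
    const r = results[host];
    lines.push(`${r && r.fetched ? "were" : "were **NOT**"} able to fetch the "${kind}" record`);
  }
  return lines;
}

// Hostnames from the message; the nicknames are those printed by the test page.
const PROBE_NAMES = {
  "_www.ksk-test.net": "underscore",
  "xm--www.ksk-test.net": "dashdash",
};

// When loaded in a browser, run the probe against the real fetch() and log it.
if (typeof window !== "undefined" && typeof fetch === "function") {
  probeHostnames(Object.keys(PROBE_NAMES), fetch)
    .then((res) => console.log(report(res, PROBE_NAMES).join("\n")));
}
```

To reproduce the Android observation without a network, inject a stub fetch that rejects for the underscore hostname and resolves for the other; the report then prints the "were **NOT** able to fetch the "underscore" record" line exactly as the message quotes it.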