IETF Logo Mail Archive

[DNSOP] Re: Call for Adoption: draft-davies-internal-tld

Andrew McConachie <andrew@depht.com> Tue, 22 April 2025 11:26 UTC

Return-Path: <andrew@depht.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id EB8D71F49623 for <dnsop@mail2.ietf.org>; Tue, 22 Apr 2025 04:26:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=depht.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JSwZ5RZfebVU for <dnsop@mail2.ietf.org>; Tue, 22 Apr 2025 04:26:31 -0700 (PDT)
Received: from mout-b-106.mailbox.org (mout-b-106.mailbox.org [195.10.208.46]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 1C82A1F4960B for <dnsop@ietf.org>; Tue, 22 Apr 2025 04:26:30 -0700 (PDT)
Received: from smtp2.mailbox.org (smtp2.mailbox.org [IPv6:2001:67c:2050:b231:465::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-106.mailbox.org (Postfix) with ESMTPS id 4Zhg0z0DjnzDr14; Tue, 22 Apr 2025 13:26:27 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=depht.com; s=MBO0001; t=1745321187; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=hqoaDfvKV7LcNAtdp57mZ5YFKMm1PcU5+XqXyr2Ykgg=; b=XoVTk1jEQDijCppDL5R6e6CeACoWemQcoAfMBIavcjoevfpZfyNlqkDqKwhRq3d5SMK1dD lxHBOjeX7txShuRXf3mO9yGVD4sOtsJ05j1wX1FLgvKXHMfwDQEc4SKamqh0UxfrDcVN94 DAWD1ChXLbkF6V0qB+HdugdBTLBB1zeK+ARe4L69h9GObdxmZYrLVfoSJ2v85xpBQ3JI76 WMxgnRQkLJKRlHZNd+GTx8tIupBdMqVhly3HK7klab7a9Ck94ztZjjQGrxYLcuYnOBPqG+ 0Gv3oBdG8nTMlXZh0BoWxYnu0wngS8HbYpwCCnxkbgT59tZHFGMoaVv70UumIg==
From: Andrew McConachie <andrew@depht.com>
To: Peter Thomassen <peter=40desec.io@dmarc.ietf.org>
Date: Tue, 22 Apr 2025 13:26:22 +0200
Message-ID: <49E3B1B6-E960-4A46-9C5D-2721FD57132D@depht.com>
In-Reply-To: <83666fd3-a51f-46e1-a5ac-0b9a46361480@desec.io>
References: <m1u5h1G-0000LcC@stereo.hq.phicoh.net> <83666fd3-a51f-46e1-a5ac-0b9a46361480@desec.io>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Rspamd-Queue-Id: 4Zhg0z0DjnzDr14
Message-ID-Hash: FFIAXGDCZKCVMKZDMINIDHWKW2TFG4ZX
X-Message-ID-Hash: FFIAXGDCZKCVMKZDMINIDHWKW2TFG4ZX
X-MailFrom: andrew@depht.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Philip Homburg <pch-dnsop-6@u-1.phicoh.com>, dnsop@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: Call for Adoption: draft-davies-internal-tld
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Wm8HQP7lk9s0tw-oCi3vFsNWI0Q>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>


On 18 Apr 2025, at 18:18, Peter Thomassen wrote:

> On 4/18/25 10:24, Philip Homburg wrote:
>> The current draft contains the following text:
>> DNSSEC validating resolvers will fail to resolve names ending in 
>> "internal".
>>
>> In my opinion we should not have a specification that leads to DNSSEC
>> validation errors.
>
> I agree this is a problem, and therefore I'm against adopting this 
> draft unless this problem is resolved.
>
> Once it is resolved, I have no position on adopting it: I'm not sure 
> the draft's net benefit is positive (transparency) or negative 
> (burden). I expect it to be minimal either way.
>
>
> How to solve it? An insecure delegation would help.
>
> Although the idea was previously discarded, it's worth reconsidering 
> its implications. Please see below for an analysis.
>
>
> When Mark suggested an insecure delegation at IETF 122, Warren 
> objected [1] that it can't be done because the label won't be 
> delegated, citing the SSAC recommendation:
>
>> 5: Mark Andrews: The Locally Served Zones registry requires that 
>> there is an insecure delegation in the root zone. This is also needed 
>> to make the zone actually work with DNSSEC…
>> W: I'm not at all sure that the first sentence is true - or, at least 
>> I don't really see why it follows.
>> I *do* however fully agree that there really should be an insecure 
>> delegation in order to make DNSSEC work, but unfortunately the SSAC 
>> document[3] which asked for this says: "Recommendation 1: The SSAC 
>> recommends that the ICANN Board ensure a string is identified using 
>> the criteria specified in Section 4.1 and reserved at the top level 
>> for private use. This particular string must never be delegated."
>
> The SSAC recommendation is just a recommendation; when following it 
> (which the ICANN Board is not obliged to), reasonable action would be 
> to not execute it by the letter, but by its intention.
>
> However, the constraining document, is not the SSAC report, but really 
> the ICANN Board's resolution [2]:
>
>> Resolved (2024.07.29.06), the Board reserves .INTERNAL from 
>> delegation in the DNS root zone permanently to provide for its use in 
>> private-use applications. The Board recommends that efforts be 
>> undertaken to raise awareness of its reservation for this purpose 
>> through the organization's technical outreach.
>
> Note that the action ("reserves .INTERNAL from delegation") is 
> relative to a purpose, "to provide for its use in private-use 
> applications".
>
> I would therefore argue that "delegation" here implicitly means a 
> "normal delegation" because it would hand over control to some other 
> operator, defeating the purpose.
>

This is an overly creative interpretation of the Board’s resolution. 
It implicitly adds a modifier preceding “delegation” where none 
exists. The Board did not resolve to “reserve[s] .INTERNAL from 
[normal|secure] delegation”. They resolved to “reserve .INTERNAL 
from delegation”. The resolution could not be more clear.

The fact of the matter is that some people want “no delegation” and 
some people want “insecure delegation”. That ship has sailed, and we 
ended up with “no delegation”. DNSOP can’t change that.

My suggestion for the people in the “insecure delegation” camp is to 
petition the SSAC to write a document asking for a different name to be 
insecurely delegated. I see the benefits of both camps, so I’m not 
advocating for one or the other. But for .internal this really can’t 
be changed at this point.

—Andrew

v2.31.3 | Report a Bug | By Email | System Status