IETF Logo Mail Archive

Re: [DNSOP] ALT-TLD and (insecure) delgations.

Andrew Sullivan <ajs@anvilwalrusden.com> Fri, 10 February 2017 17:31 UTC

Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64AE6129A64 for <dnsop@ietfa.amsl.com>; Fri, 10 Feb 2017 09:31:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=yitter.info header.b=XVgT5sDF; dkim=pass (1024-bit key) header.d=yitter.info header.b=HVQjynzx
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mXhp5vJkcjPI for <dnsop@ietfa.amsl.com>; Fri, 10 Feb 2017 09:31:28 -0800 (PST)
Received: from mx4.yitter.info (mx4.yitter.info [159.203.56.111]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F972129A5B for <dnsop@ietf.org>; Fri, 10 Feb 2017 09:31:28 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mx4.yitter.info (Postfix) with ESMTP id 80472BD554 for <dnsop@ietf.org>; Fri, 10 Feb 2017 17:31:27 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yitter.info; s=default; t=1486747887; bh=8LNT99nLpPTub95unaQb4yqCWPgcI5X+3X4yJUsCXYI=; h=Date:From:To:Subject:References:In-Reply-To:From; b=XVgT5sDFbJRgYWTc7HlHE2SBOowheKZZr3UzBEKn6UrnGdvZ1tpViYvFkP5RQeRQT YRW9uaqN4UjM3htOqafELEafwHdF9ozQUyUkxhk7aCrxkeIvrHhCmV30iTrRvAFiUv ChhewKDoxBW5j9oW5OvqWD3LbgE/jTF3MuuMwmaY=
X-Virus-Scanned: Debian amavisd-new at crankycanuck.ca
Received: from mx4.yitter.info ([127.0.0.1]) by localhost (mx4.yitter.info [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hdc0zMfMwKZ9 for <dnsop@ietf.org>; Fri, 10 Feb 2017 17:31:26 +0000 (UTC)
Date: Fri, 10 Feb 2017 12:31:24 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yitter.info; s=default; t=1486747886; bh=8LNT99nLpPTub95unaQb4yqCWPgcI5X+3X4yJUsCXYI=; h=Date:From:To:Subject:References:In-Reply-To:From; b=HVQjynzxx1ZP6bsk+5C2h3xqSt/Rw2dL2fvAne7ebUOMOEf1+cdV7OJmcKVPcr35a L9vNL+NWybVztoja0KhZbm7n57PTmVBqBAcR7V7HXkfPnzF93Dic/Len72t9f5stFm q0z5Vn2gt1htKFzl+W0F0CLroIJZZSM5ZGFfRCKQ=
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnsop@ietf.org
Message-ID: <20170210173124.GF91545@mx4.yitter.info>
References: <CAH1iCiqXohb_7LsQ2EMo8ZB-t20mKq_nUDS8vebhtSXoM13DTg@mail.gmail.com> <20170203210922.7286C618213C@rock.dv.isc.org> <CAH1iCipKwcOsMQY3kjvSZ42LMK37GLD6GP2AVtnWK0c83k-RiA@mail.gmail.com> <CA+nkc8DGSs+bEEYMerckx3SGV+ZQGgEfd5+4FM4xSfoeG=-SGA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CA+nkc8DGSs+bEEYMerckx3SGV+ZQGgEfd5+4FM4xSfoeG=-SGA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Xp87Zns7U--ociB8K4smxx4g1-E>
Subject: Re: [DNSOP] ALT-TLD and (insecure) delgations.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Feb 2017 17:31:29 -0000

On Tue, Feb 07, 2017 at 10:01:23AM -0500, Bob Harold wrote:
> What I envision for the future is an insecure delegation of .alt, and an
> option in future cable modems to enable a local "homenet.alt" domain, which
> would just work, even if some stub resolvers in the house are validating.
> The cable modem is already a recursive resolver or forwarder, and dhcp
> server, so it seems a logical place for the local domain.

No, it won't just work if a stub is validating, because the validating
stub will want to validate the delegation from the parent, and that
will be a proof of non-existence.  Provable non-existence prevents you
from being poisoned through typosquatting, but it means you can't
inject things in the tree without co-operation from the parent.

This is part of why I don't want to extend alt this way, and the more
I think about it the less desirable it seems to me.  We have a
particular problem: non-DNS-protocol switching for applications that
want to use a DNS-compatible domain name slot (see RFC 5890).  This is
problems like onion, local, and so on.  We propose a solution in which
we steal four of the available 255 octets to create a "safe" space
from DNS delegation.  Now anyone can use that space for their non-DNS
protocol, and every resolver library in the world knows that if it
runs into a name in the alt tree it shouldn't need to look it up in
DNS.  If the query leaks to the root and gets a proof of
non-existence, it doesn't matter because it was supposed to be a
different protocol.  Non-existence in the DNS is analytically true.
If a validating resolver gets an answer back from another resolver
that provides NXDOMAIN without the proof of non-existence and treats
the result as bogus instead, who cares?  It was never supposed to
resolve in the DNS anyway.

The homenet case is different, because it _is_ supposed to work with
DNS.  In that case, the missing proofs are a problem for validating
end points.

Best regards,

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com

v2.30.2 | Report a Bug | By Email | System Status