IETF Logo Mail Archive

[DNSOP] Re: [Ext] Re: Call for Adoption: draft-davies-internal-tld

Ted Lemon <mellon@fugue.com> Thu, 01 May 2025 21:45 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id E7F4923D22A0 for <dnsop@mail2.ietf.org>; Thu, 1 May 2025 14:45:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.798
X-Spam-Level:
X-Spam-Status: No, score=-2.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=fugue.com header.b="nz+K7qr7"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="Y1sTWTXC"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LpqfI3accxNd for <dnsop@mail2.ietf.org>; Thu, 1 May 2025 14:45:30 -0700 (PDT)
Received: from flow-a1-smtp.messagingengine.com (flow-a1-smtp.messagingengine.com [103.168.172.136]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 9D96123D2299 for <dnsop@ietf.org>; Thu, 1 May 2025 14:45:30 -0700 (PDT)
Received: from phl-compute-12.internal (phl-compute-12.phl.internal [10.202.2.52]) by mailflow.phl.internal (Postfix) with ESMTP id 81C7F2007B3; Thu, 1 May 2025 17:45:30 -0400 (EDT)
Received: from phl-imap-10 ([10.202.2.85]) by phl-compute-12.internal (MEProxy); Thu, 01 May 2025 17:45:30 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue.com; h=cc :cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm1; t=1746135930; x=1746143130; bh=xQXOYTDRI0 aF9XKboymN9PnliUttV+jkG+0tH03Z2Bs=; b=nz+K7qr7bqfURRqf1kHr8avS6w S11oxdKLY8tUtfLwflHFYQdU6pwSEBXjXiOz+/1yXb07I0dtGJddkpsgXKvFiGUC XFqP6lE4sOvsY+6AokAPRYG/qojnF2E+SZnmQVS61nCjJPx9M1TA4pBlCZH/C+9z ZHLKv4ugZ07y2T9h81SBpRdVhvoxN2LTSNbMxB1/vDw5E+IlQGO/wdTMWaDjI5y0 gwqs5Mg5KfPAErOLkOy+S6hnLEvQSiyweGu2qQory6lbD/vEtL425qdT7Vo4FHDA TyxRZweDqjxm322cLBPZY+gJA+vpivnEih1r+w0KQPhbOFocN8nuHpO7eVfw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t= 1746135930; x=1746143130; bh=xQXOYTDRI0aF9XKboymN9PnliUttV+jkG+0 tH03Z2Bs=; b=Y1sTWTXCU308L43okEICsfe9++Q5vTMqP5FHxOFBSoxuwXA8ys+ lfdFgPoEMLgiKBzAanhOwUiQjPhDQG1u2oWSfiTIWPP/mdRUsCHEu69+ulvCi35m wV3XJQ6MG8DVjBGyBfTSTxcUDAZ0TkbwoRtikkhp87ndo+yqSIleMuOhqg7UncRt ABnkglJlT3Xy3qHgH36GSLDVgdU1uc11k0BLM56Gi448nerEErdBlK5Pp6slA60U RdcOzshfgZn+HJ9YcM/SxQbvNnNZG/eDgFDd0SjwCxJ1nTlZz7+4rXkWKma6EKHS UfY6GaawyeXF0lNwFndqvdmZlhys5ho3rVQ==
X-ME-Sender: <xms:eusTaHR7zFLB5J_ZYTf6J3otqzNyBXO61c6n2ebjEMIyHVSjqx5VGg> <xme:eusTaIzk4KZaGAuY03JJVCAzVGd67GYi3wJ-2Vr6I0x0U8U5jYMZcKJk_qyejAwIZ uMidzyngXk2Tx5Xv00>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefvddrtddtgddvjedtieelucetufdoteggodetrf dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggv pdfurfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpih gvnhhtshculddquddttddmnecujfgurhepofggfffhvfevkfgjfhfutgesrgdtreerredt jeenucfhrhhomhepfdfvvgguucfnvghmohhnfdcuoehmvghllhhonhesfhhughhuvgdrtg homheqnecuggftrfgrthhtvghrnhepfeeugfdttdffkeefieejueduieevuefgvddvleel jedvjeejhedvtdfgleevudetnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpe hmrghilhhfrhhomhepmhgvlhhlohhnsehfuhhguhgvrdgtohhmpdhnsggprhgtphhtthho peefpdhmohguvgepshhmthhpohhuthdprhgtphhtthhopehprghulhdrhhhofhhfmhgrnh esihgtrghnnhdrohhrghdprhgtphhtthhopegunhhsohhpsehivghtfhdrohhrghdprhgt phhtthhopehjrggslhgvhiesshhtrhgrnhgukhhiphdrnhhl
X-ME-Proxy: <xmx:eusTaM1vhyvijuiypQlGamibz6jpoSLShxLTwRQUtageeIiscNa55A> <xmx:eusTaHA0_FIiroLgZdy1Xx8S995iRPGjU_rerq-4xLEUkUUTSif0zQ> <xmx:eusTaAi4AqCBN1oBddi1iq20Eyuprc8LzH5fz-bGDIBW8Ry724V2rw> <xmx:eusTaLonxqrdgFPcPPcbORK0WyvHutwFQ99DS5txVNdFZchLBRtLkA> <xmx:eusTaAcK_cLJR_Nu2Atkvbfy1fYg9D_BjEh44xD3o6uldjZ4GqGJjArG>
Feedback-ID: i1136489e:Fastmail
Received: by mailuser.phl.internal (Postfix, from userid 501) id 280333C0068; Thu, 1 May 2025 17:45:30 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
MIME-Version: 1.0
X-ThreadId: Teb8ce65f3fed0dd8
Date: Thu, 01 May 2025 17:45:09 -0400
From: Ted Lemon <mellon@fugue.com>
To: Joe Abley <jabley@strandkip.nl>
Message-Id: <9aaa33b5-d4d9-4263-89b3-b8a1b50249a3@app.fastmail.com>
In-Reply-To: <F3D72198-8F52-4F8B-80A7-2BA014F3CC5F@strandkip.nl>
References: <57d538ec-f6aa-4a20-a9a3-35ba773c389e@app.fastmail.com> <F3D72198-8F52-4F8B-80A7-2BA014F3CC5F@strandkip.nl>
Content-Type: multipart/alternative; boundary="0d09969ebb9e4be6a0a89bd01e3028d1"
Message-ID-Hash: NMVBKBD7ITCJQJAU2EPUC74IVRKVL7ME
X-Message-ID-Hash: NMVBKBD7ITCJQJAU2EPUC74IVRKVL7ME
X-MailFrom: mellon@fugue.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Paul Hoffman <paul.hoffman@icann.org>, "dnsop@ietf.org WG" <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: [Ext] Re: Call for Adoption: draft-davies-internal-tld
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Yluf42d_4RhhgOixPhej4sVIX0k>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Okay, but if they are not going to the authoritative  servers to get the chain of trust, they are going to the local full-service resolver or some public third-party resolver. And so if there is an insecure delegation, that resolver can make up an answer, and it will “validate” correctly as insecure. But if the delegation is securely denied, that can’t happen. That’s why it’s important for there to be an insecure delegation to a black hole name server. 

On Thu, May 1, 2025, at 5:05 PM, Joe Abley wrote:
> On 1 May 2025, at 22:57, Ted Lemon <mellon@fugue.com> wrote:
> 
> > If validating stubresolvers all go to the root, we get no benefit from caching. That seems bad if at some point they become commonplace, although of course it’s fine now. 
> 
> I think validating stub resolvers need to go to the root in a namespace sense. They need to retrieve sufficient generations of parental data to be able to validate an RRSet attached to a child. This data might well be cached at a node in the resolver graph close to the stub. 
> 
> I don't think validating stub resolvers need to send queries to root servers.
> 
> I think we are overloading the word "root" and the result is some mild confusion.
> 
> 
> Joe

v2.31.3 | Report a Bug | By Email | System Status