Re: [DNSOP] ALT-TLD and (insecure) delgations.

Warren Kumari <> Tue, 07 February 2017 16:46 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id F09FD129D6E for <>; Tue, 7 Feb 2017 08:46:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id aM-xXTbNIH2V for <>; Tue, 7 Feb 2017 08:45:58 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400d:c0d::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 85A9C129D6C for <>; Tue, 7 Feb 2017 08:45:55 -0800 (PST)
Received: by with SMTP id w20so134938492qtb.1 for <>; Tue, 07 Feb 2017 08:45:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=uyQyjpKskgasXwJi6LE4bw3SBI9Ke9ie270blrzY1ko=; b=XLS+hKT/DPhc7P9Z21sYQEPfzosD/zyh4912aOh+kPByWddm5+uA0d6MEzu87qDQJ3 h49xoW4ys9EPJKdIi1k4QG5K2ubLefiqrcpbPyL5dweZQp2oli+ga3D5GCL1C9zPK35u 3OUeFcEjUJsrHu3DYd/sJXhBaiY7LTg6Hl3VyQjadQdT/3XHzi1PeQ7dn/Dyvdnxt49w ODDDJ9vCTWS1cimjBjSRbKZyfodvcBZr4qVg/uwEtTGtMQRJm2Mc6NzKxqJ+wWhEezzf xhxDqmwqgc7SWVe4OsXt8DHI5MYn0KA9jUaEBP0rIHbvlixZrEsw+wRi93KskPM8zI8o WfdQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=uyQyjpKskgasXwJi6LE4bw3SBI9Ke9ie270blrzY1ko=; b=mEFctMF3GoT7QhdNZuRA2Nl1HSvKQSKjHWYfWmptrEV9/YNGNZI8TB5RAsg5W0qeWB AZ2TSijwFwzO9ReWzj0sniSVxQkRIB6UPpA9nTRS1QeG6agra+dbvkrZGt2WfRV8TCld Ii20xNSM26WsoLMLTdcbZLJ4J7lrI5vIBp+qS585hYnZbLk0R5f94hsK/PXklkcZqUGB Y2rWq8mSgtI89OGoq59bt5zVxVwug2hIur/1kaOSF7m69iPUeoOjrQkhvgg46AL33wxx WBAzG35BUiq9lA0W7Tm86RwjoEMkl0iWFoQ0X72fyehhpIs9CoQStyCsr6IboL6SFSOt ReZA==
X-Gm-Message-State: AMke39m8RsvIYeJdsIDxJqBJTOJ+PCZqYMkulFSsVL8HUzbxDDEoOGsBQ+cIhxuMScEamva/lcZ9kLgruGFzhzy/
X-Received: by with SMTP id m4mr14786724qtf.171.1486485954537; Tue, 07 Feb 2017 08:45:54 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Tue, 7 Feb 2017 08:45:23 -0800 (PST)
In-Reply-To: <>
References: <> <> <> <> <> <>
From: Warren Kumari <>
Date: Tue, 07 Feb 2017 11:45:23 -0500
Message-ID: <>
To: Ted Lemon <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Cc: " WG" <>, Brian Dickson <>
Subject: Re: [DNSOP] ALT-TLD and (insecure) delgations.
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 07 Feb 2017 16:46:02 -0000

Yay! Centithread!

On Tue, Feb 7, 2017 at 8:06 AM, Ted Lemon <> wrote:
> On Feb 7, 2017, at 12:50 AM, Brian Dickson <>
> wrote:
> I don't think the use cases for most of the sandbox involving alt, and/or
> the homenet use case, requires support for validating stubs.
> If .alt is being used for non-DNS names, you are correct, because non-DNS
> names cannot be validated, and should never enter the validation process.
> However, if it is being used for DNS names, then you have to assume that the
> stub is validating.   Even though that is not the status quo at present,
> that's the direction things are likely to go in the future, and this
> document needs to continue to be correct in the future.

I still believe that .alt should be for non-DNS names only -- if they
happen to leak into the DNS, this is an error / failure -- the purpose
of having .alt as a locally served zone is to preserve the privacy of
the queries, not to over-ride them to some other local DNS name.

For DNS names, I think that there should be a *different* string (and
a different document) -- they have different meanings / behaviors.

I don't think I've seen a good argument for NOT doing the above -- why
(other thabn the sunk time / effort) don't we do two?


> _______________________________________________
> DNSOP mailing list

I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.