IETF Logo Mail Archive

Re: [DNSOP] Call for Adoption: draft-arends-private-use-tld

Ted Lemon <mellon@fugue.com> Thu, 18 June 2020 17:47 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB32E3A0D85 for <dnsop@ietfa.amsl.com>; Thu, 18 Jun 2020 10:47:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UEojcvZ5onTh for <dnsop@ietfa.amsl.com>; Thu, 18 Jun 2020 10:47:48 -0700 (PDT)
Received: from mail-qk1-x72a.google.com (mail-qk1-x72a.google.com [IPv6:2607:f8b0:4864:20::72a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D615C3A0D7C for <dnsop@ietf.org>; Thu, 18 Jun 2020 10:47:47 -0700 (PDT)
Received: by mail-qk1-x72a.google.com with SMTP id l17so6376887qki.9 for <dnsop@ietf.org>; Thu, 18 Jun 2020 10:47:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=jLICNAAwO47EA52D2aAOOJZGdFaX6WDz9vBuEkavVM4=; b=xNIDOLZSh/FhFPGyryDzE8yOzzX4384QLo5rO7uADT3etnq4mgD46nazcD9IT6aqyl jB5bGcU5eSJpIickaCjNibHR91/MbWfDN33MyINxOvTU8q5eZ8B3Q7uCyPIPKcur0UDT AXhRvRou/DvlOPZ5c4R2v/9vXReXGUXwLaqvM1Tsl6uPwRkPSPGb1CV0VbLRBCJcfIbN 0kTHo7xU+PXzC4XbflQwKvYyVYbm8IIe7Dwgy4AUIrRyFR77m3wkJ0pKTccFnlVYqCR8 tC2e4NXXxMXmNaYY5DbK1rALy8Ps7ERlSG3vrkwYPkTbh4Tgmj1CNaqO6ZyGVCmp29r0 W3uQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=jLICNAAwO47EA52D2aAOOJZGdFaX6WDz9vBuEkavVM4=; b=JdV9tQDqIn9DqQR9oujYoo/SZYI+G7GxpUuRiBqYwoe/liFrry/1matGYxL3zqNSQ5 99NEWYpRJCLB7FkK2M2+9prbV0hHTXEfIbDDQoy+ksTHqb1ijxy2hiVfUjutDLJ/+MNz zy2wQ/IaJ/fjl6biSucLtyxnZIePRnIcMpgKKiDz6IQrUuVmGzTI6i59OMaw98X3Xv35 pbIbD8eYe1qBmsfbsgu7q8NpnbG9ph6FK4xnDkm4ZzsrlPX2niWmP/ZENsUv04fZMsS8 EWnaExsiu28NSqA/nYqdtHUnsutEBR1Fx7HJ2ZQQF2lx8/UWY/fxiDYF9fuZFl0L0oeg nl9A==
X-Gm-Message-State: AOAM5306FUplhcvVsMzXUU9wLk1nP9X8Ct0ZnzEoSxDkzIvK68WHFX9g m5Z3ioGZByKhgnnS2pHnVrygJ001nuw=
X-Google-Smtp-Source: ABdhPJzaIxaGCFHeX7fzSMxzxkvmCby0SnjbzaHlyV/0c7dqy/vTXcsK3hYmFpdO8aBjvutpgtQPlQ==
X-Received: by 2002:a37:7803:: with SMTP id t3mr2304369qkc.358.1592502466461; Thu, 18 Jun 2020 10:47:46 -0700 (PDT)
Received: from ?IPv6:2601:18b:300:36ee:81ac:120e:5e8b:2f8a? ([2601:18b:300:36ee:81ac:120e:5e8b:2f8a]) by smtp.gmail.com with ESMTPSA id k20sm3922437qtu.16.2020.06.18.10.47.45 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 18 Jun 2020 10:47:45 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-29D3AB25-39F3-4AF1-A05C-6306A2989773"
Content-Transfer-Encoding: 7bit
From: Ted Lemon <mellon@fugue.com>
Mime-Version: 1.0 (1.0)
Date: Thu, 18 Jun 2020 13:47:45 -0400
Message-Id: <FE1E6C98-8B6C-49D1-AB17-729EA1B10A6C@fugue.com>
References: <78f0cb84-f1b3-43c1-0798-c2c8ee55e1e6@nic.cz>
Cc: dnsop@ietf.org, Roy Arends <roy@dnss.ec>
In-Reply-To: <78f0cb84-f1b3-43c1-0798-c2c8ee55e1e6@nic.cz>
To: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
X-Mailer: iPad Mail (17F80)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/aPpnjF-7xRRTjUYl-kpvQE_2X1M>
Subject: Re: [DNSOP] Call for Adoption: draft-arends-private-use-tld
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jun 2020 17:47:50 -0000

It can be solved with a trust anchor as well, but that relies on there being a central validating resolver rather than validating stub resolvers on hosts, and personally I don’t find that deployment model very compelling anymore—I think that stub resolvers should validate.  If I get my way, then we’re going to see these “private” domains start to fail.

Sent from my iPad

> On Jun 18, 2020, at 1:36 PM, Vladimír Čunát <vladimir.cunat+ietf@nic.cz> wrote:
> 
> 
>> On 6/18/20 7:22 PM, Ted Lemon wrote:
>>> I suspect it will work like every other locally-served domain or every other private namespace that exists today, i.e. just fine with no configuration changes expected or required on dependent (downstream) DNS clients. And if there are new species of resolver that need to be accommodated (e.g. validating, hybrid stub/full service resolvers embedded in applications), whatever configuration or auto-discovery mechanisms are required to support those other locally-served zones can surely be easily extended to these ISO-3166-2 codes if they are used in any particular private network.
>> 
>> What I’m getting at is that the secure denial of existence will mean that a DNSSEC-aware resolver, when asked to look up a name under .xa, for example, will always return NXDOMAIN.
> Yes, but squatting is usually done at root names already, so the issue isn't new.
> 
> Modifying DNS past the last validator is generally troublesome.  Modifying it inside the last validating resolver can be fine, as the implementation can "prioritize" the modifications over validation and aggressive caching (but as an implementor I still find this troublesome).
> 
> --Vladimir

v2.23.0 | Report a Bug | By Email