Re: [DNSOP] Mitigation of name collisions

"John R Levine" <johnl@taugh.com> Sun, 18 September 2016 22:21 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 553C2126D74 for <dnsop@ietfa.amsl.com>; Sun, 18 Sep 2016 15:21:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=JE1GAA0I; dkim=pass (1536-bit key) header.d=taugh.com header.b=jv1X8/TK
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PL_ukt4_W93h for <dnsop@ietfa.amsl.com>; Sun, 18 Sep 2016 15:21:25 -0700 (PDT)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1A6512B018 for <dnsop@ietf.org>; Sun, 18 Sep 2016 15:21:24 -0700 (PDT)
Received: (qmail 63889 invoked from network); 18 Sep 2016 22:21:22 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=f98f.57df1362.k1609; bh=l5pCKcQn/RGJ3kyRglvi3DPOSYYAqE6oN7lqc+8O9mc=; b=JE1GAA0IgUTWpM/uRJRMMbtgQf31YsaWMXRG4fwzk0L8ctJ+i1ycg6JBNpcAilFdH46Jd8terz5GtfP2XdTnvd8q7DgnTNAFKz9emGNProKXBpCPBlMFLJz6k6temKImxmBLExY6ptk2cerK/ihjxXc1diGyB4vShL39wuf+8XriLPItCenXbqoEvh8mv7qGEnw5qpgTshAtzBiYovIXWQ9esIyVnS0YwQOoMpiYgSVu96l3GehKgN76/Dr1SwC+
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=f98f.57df1362.k1609; bh=l5pCKcQn/RGJ3kyRglvi3DPOSYYAqE6oN7lqc+8O9mc=; b=jv1X8/TKYd8MK+m/FCMcQEFtTjT/cpswJnUmND3YfP0fZkrqQZPjwmyRZsy06Q2PhKg2eFqy+QUEQC4wMM2pSyOPtFaqi+6VN9lO0VLOUwrbcTUbhrsuwc6TTXDtfEBQWs/husMdpLockCV3GkLzlZbZtfRkNvUnXWc3zPW/qu8pWKiTUuAw7QQGroFpi9vyoPDAfubvSKyxrnA+ihQZrPKjBCXsw2aXD0ou/QJCHdjxOSGsQacGc3GI6xlbd8CQ
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.0/X.509/SHA1) via TCP6; 18 Sep 2016 22:21:22 -0000
Date: 18 Sep 2016 18:21:23 -0400
Message-ID: <alpine.OSX.2.11.1609181816130.6589@ary.lan>
From: "John R Levine" <johnl@taugh.com>
To: "Paul Hoffman" <paul.hoffman@vpnc.org>
In-Reply-To: <90CF5269-0443-45AB-83BA-BE9F9D03831A@vpnc.org>
References: <90CF5269-0443-45AB-83BA-BE9F9D03831A@vpnc.org>
User-Agent: Alpine 2.11 (OSX 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ashKJWt_3D66fHV0RLghn1a7nSw>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Mitigation of name collisions
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Sep 2016 22:21:26 -0000

> It is impossible to measure the effectiveness without knowing how many 
> collision queries are just noise (queries that will cause no noticeable 
> damage if they started coming back with results).

Agreed.  I don't see how to find that out in ways that are not hard to 
back out if it turns out the damage is as bad as we fear.

> In the case of mitigation through wildcard-to-localhost, it is safe to 
> assume that many organizations did in fact mitigate; we simply can't 
> tell how many or when.

How come?  I'm not denying it's possible, but I've never seen any evidence 
that there were collisions to mitigate.  Before the 127.0.53.53 approach, 
some TLDs tried reserving the names that showed up in DITL snapshots, and 
those names looked to me totally random, likely generated by something 
that was trying to see whether some piece of namespace was wildcarded.

R's,
John

PS:

> (Disclaimer: I'm now on ICANN staff, but well before I was, I wrote "Guide to 
> Name Collision Identification and Mitigation for IT Professionals" for 
> ICANN.)

A fine document for people who already realize they need to deal with 
collisions, not so much for people who don't realize they exist or assume 
they're someone else's problem.