Re: [DNSOP] Question about usage of ip6.arpa and in-addr.arpa

Joe Abley <jabley@90.212.199.in-addr.arpa> Tue, 13 March 2018 15:27 UTC

Return-Path: <jabley@90.212.199.in-addr.arpa>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 705DC127342 for <dnsop@ietfa.amsl.com>; Tue, 13 Mar 2018 08:27:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.487
X-Spam-Level:
X-Spam-Status: No, score=0.487 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DRUGS_ANXIETY=1.483, RDNS_NONE=0.793, T_DKIM_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (OpenSSL error: data too large for key size)" header.d=automagic.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g11N7bgvUFiv for <dnsop@ietfa.amsl.com>; Tue, 13 Mar 2018 08:27:03 -0700 (PDT)
Received: from mail.hopcount.ca (unknown [IPv6:2001:4900:1:392::156]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69137126C22 for <dnsop@ietf.org>; Tue, 13 Mar 2018 08:27:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=simple/simple; d=automagic.org ; s=hopcount; h=To:References:Message-Id:Content-Transfer-Encoding:Cc:Date: In-Reply-To:From:Subject:Mime-Version:Content-Type:Sender:Reply-To:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe :List-Post:List-Owner:List-Archive; bh=Ikb8g3AIaXBDQMDNeInl0oIxTbROPKp70fWrZabMUug=; b=rVfnMILfsXQV4XxepUmsvULnOS t9vtMM7CoU9N4XCQRhwK6Ie7wOTkjqLZNc1JA53qKjM2OT4SgxxKLnNmLGGp+nsvqqmWkBzHEjFi/ Zcvwjl14+fejWIJDbOsDCrJ+bBbrSU85GRGvgO6Cf+5m2wCSPHDSwMiHrvVOn6GAcvnfEPTu1OAzu oGF+9xyDNVnHih7S1MUlm0Kw9j/9oKfG2Zo76On9uHyECN5ufRS2W/wJUyOlIgnqStZvIBXl8wh0f 0BX22bz66sacsvCuY+n381X4quHgQcveckOJ9yrJBBiy5JXZDtDcRruJfb0bPwV3n7GD0Eiu3G/vg tU0gUWRQ==;
Received: from [199.91.196.11] (helo=[10.196.200.90]) by mail.hopcount.ca with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89 (FreeBSD)) (envelope-from <jabley@90.212.199.in-addr.arpa>) id 1evlpN-0009Ki-C6; Tue, 13 Mar 2018 15:27:01 +0000
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: Joe Abley <jabley@90.212.199.in-addr.arpa>
In-Reply-To: <21FCA497-026E-4602-85CA-8A823084961F@fugue.com>
Date: Tue, 13 Mar 2018 11:27:00 -0400
Cc: Roland Bracewell Shoemaker <roland@letsencrypt.org>, dnsop@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <AB681FB4-205C-4B75-8E9D-4AEAC69EF6A6@90.212.199.in-addr.arpa>
References: <B7531E71-AC04-4D40-86B0-74F2DCA92446@letsencrypt.org> <62E857A4-6184-4F1A-A6E2-16AC5C16F574@90.212.199.in-addr.arpa> <21FCA497-026E-4602-85CA-8A823084961F@fugue.com>
To: Ted Lemon <mellon@fugue.com>
X-Mailer: Apple Mail (2.3445.5.20)
X-SA-Exim-Connect-IP: 199.91.196.11
X-SA-Exim-Mail-From: jabley@90.212.199.in-addr.arpa
X-SA-Exim-Scanned: No (on mail.hopcount.ca); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/b3SHMWYoFdBGwghvnCwWAjHd8RA>
Subject: Re: [DNSOP] Question about usage of ip6.arpa and in-addr.arpa
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Mar 2018 15:27:04 -0000

On 13 Mar 2018, at 11:22, Ted Lemon <mellon@fugue.com> wrote:

> On Mar 13, 2018, at 11:16 AM, Joe Abley <jabley@90.212.199.in-addr.arpa> wrote:
> 
>> I think that if Tony can be dot@dotat.at, surely I can be jabley@90.212.199.in-addr.arpa.
>> 
>> A zone is a zone. ARPA is only special by convention, not by protocol.
> 
> Yup.
> 
> Thinking through the threat model here, when would this even work?

The canonical service that is difficult to use (or at least bootstrap) by name rather than address is the DNS. If we imagine the intersection of the DNS and TLS to be non-zero, there's your use case. This was Paul's point.

DNS resolvers are normally referred to by address. This does imply a need for address stability, and a lack of the kind of agility that is possible in other services. People who have renumbered popular resolvers whose failure has real end-user impact are nodding right now. And possibly checking their pockets for valium.


Joe