IETF Logo Mail Archive

Re: [DNSOP] solving a problem by creating a worse problem, ALT-TLD and (insecure) delgations.

"John Levine" <johnl@taugh.com> Fri, 10 February 2017 18:25 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65564129A88 for <dnsop@ietfa.amsl.com>; Fri, 10 Feb 2017 10:25:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EWg0jwnQ80aD for <dnsop@ietfa.amsl.com>; Fri, 10 Feb 2017 10:25:51 -0800 (PST)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0233A129A80 for <dnsop@ietf.org>; Fri, 10 Feb 2017 10:25:50 -0800 (PST)
Received: (qmail 65252 invoked from network); 10 Feb 2017 18:25:50 -0000
Received: from unknown (64.57.183.18) by mail1.iecc.com with QMQP; 10 Feb 2017 18:25:50 -0000
Date: Fri, 10 Feb 2017 18:25:28 -0000
Message-ID: <20170210182528.24266.qmail@ary.lan>
From: John Levine <johnl@taugh.com>
To: dnsop@ietf.org
In-Reply-To: <20170210173124.GF91545@mx4.yitter.info>
Organization:
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/bw3mEmmRHKfobDMDX5G4w4CWcKk>
Cc: ajs@anvilwalrusden.com
Subject: Re: [DNSOP] solving a problem by creating a worse problem, ALT-TLD and (insecure) delgations.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Feb 2017 18:25:52 -0000

>> What I envision for the future is an insecure delegation of .alt, and an
>> option in future cable modems to enable a local "homenet.alt" domain, which
>> would just work, even if some stub resolvers in the house are validating.
>> The cable modem is already a recursive resolver or forwarder, and dhcp
>> server, so it seems a logical place for the local domain.
>
>No, it won't just work if a stub is validating, because the validating
>stub will want to validate the delegation from the parent, and that
>will be a proof of non-existence. ...

Yeah.  It seems to me that if we want DNSSEC to work for locally
served DNS subtrees, we need some way to distribute trust anchors for
the subtrees to those cable modems.  While that is probably not an
insoluble problem, it is not one that I would plan to solve any time
soon, so it's one I would prefer to address separately.

>This is part of why I don't want to extend alt this way, and the more
>I think about it the less desirable it seems to me.  We have a
>particular problem: non-DNS-protocol switching for applications that
>want to use a DNS-compatible domain name slot (see RFC 5890).

Agreed.  Say that you can do anything you want with .ALT (duh) but you
SHOULD NOT resolve .ALT names via the DNS protocol because of the
DNSSEC problems.  To minimize leakage, we can use the tools we already
have: qname minimization, local mirrors of the root, and special
casing in DNS caches as many now do for .onion.

R's,
John

v2.23.0 | Report a Bug | By Email