Re: [DNSOP] DNSSEC, additional special names & draft-chapin-additional-reserved-tlds-00.txt

Jim Reid <> Thu, 27 February 2014 12:15 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 14F151A026F for <>; Thu, 27 Feb 2014 04:15:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.447
X-Spam-Status: No, score=-2.447 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.547] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id SigNEDYBt-Ck for <>; Thu, 27 Feb 2014 04:15:35 -0800 (PST)
Received: from ( [IPv6:2001:4b10:100:7::25]) by (Postfix) with ESMTP id B51931A0210 for <>; Thu, 27 Feb 2014 04:15:35 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 7A7D624212ED; Thu, 27 Feb 2014 12:15:33 +0000 (UTC)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
From: Jim Reid <>
In-Reply-To: <>
Date: Thu, 27 Feb 2014 12:15:31 +0000
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <20140129055438.2402.qmail@joyce.lan> <> <> <> <> <> <> <> <> <> <> <>
To: Mark Andrews <>
X-Mailer: Apple Mail (2.1510)
Cc: DNSOP WG <>, David Conrad <>
Subject: Re: [DNSOP] DNSSEC, additional special names & draft-chapin-additional-reserved-tlds-00.txt
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 27 Feb 2014 12:15:37 -0000

On 27 Feb 2014, at 11:55, Mark Andrews <> wrote:

> In message <>om>, Jim Reid writes:
>> On 27 Feb 2014, at 07:42, Mark Andrews <> wrote:
>>> DNSSEC will eventually be on by default and squatting like this will
>> have negative consequences.
>> Er, no. Vendors who pluck domain names out of the ether and use them in
>> their products will by definition not have the DNS clue required for
>> deploying a viable DNSSEC. Besides, in the case of CPE, they won't even
>> *need* DNSSEC because the offending domain names (router.home or
>> whatever) get looked up on the internal net. Most likely those names will
>> be used by web browsers that do not have a validating resolver and are
>> already relying on the CPE for DNS. Those lookups will almost never go to
>> the outside, far less validate a signed referral for .whatever from the
>> root.
> And the moment you have a validating brower / app they *will* break.

And this is a problem because... ?

I doubt there will ever be validating browsers/apps for accessing CPE from the inside. They have no need for DNSSEC because everything's on the local net. But let's assume they do. The Netgear app could have a TA for .netgear (say) embedded in it. A more likely scenario is the software hard-wires a locally scoped IP address to the device and doesn't bother with DNS at all. Most CPE is already doing that as a fall-back in case local (unsigned) DNS is broken.

> reserved indefinitely != insecurely delegated

Not delegated at all == ???

> is insecurely delegated deliberately to prevent DNSSEC
> breakages.

Sure. But that's in a part of the name space where end client behaviour is known, stable and predictable.

Are you suggesting IANA has to insert provably insecure delegations for every possible string that someone, somewhere might be informally using as a TLD? Good luck with that.