IETF Logo Mail Archive

Re: [DNSOP] ALT-TLD and (insecure) delgations.

Mark Andrews <marka@isc.org> Sat, 04 February 2017 13:29 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8EC5129A65 for <dnsop@ietfa.amsl.com>; Sat, 4 Feb 2017 05:29:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.002
X-Spam-Level:
X-Spam-Status: No, score=-5.002 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZL6D2CkpQYiT for <dnsop@ietfa.amsl.com>; Sat, 4 Feb 2017 05:29:49 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD6AC129A61 for <dnsop@ietf.org>; Sat, 4 Feb 2017 05:29:49 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 21FF23493BC; Sat, 4 Feb 2017 13:29:47 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 101AE160043; Sat, 4 Feb 2017 13:29:47 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id E3B1916006E; Sat, 4 Feb 2017 13:29:46 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 6muzbGkJZcvl; Sat, 4 Feb 2017 13:29:46 +0000 (UTC)
Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 44D56160043; Sat, 4 Feb 2017 13:29:46 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 45609618F1BA; Sun, 5 Feb 2017 00:29:43 +1100 (EST)
To: Andrew Sullivan <ajs@anvilwalrusden.com>
From: Mark Andrews <marka@isc.org>
References: <CAHw9_i+8PA3FQx8FqW-xQ_96it7k-g5UrMB7fxARUi1gwQ++hw@mail.gmail.com> <20170201204455.6nymmjlj5lzq2ect@mycre.ws> <CAHw9_iJ50jWgsAe+hRKUtubfAtpt7+GEeCKEASzypcf86+4nYA@mail.gmail.com> <20170204015158.GB67739@mx2.yitter.info> <5BB1A3F5-5EFB-4164-9720-68E262E58636@fugue.com> <20170204021353.GF67739@mx2.yitter.info>
In-reply-to: Your message of "Fri, 03 Feb 2017 21:13:53 -0500." <20170204021353.GF67739@mx2.yitter.info>
Date: Sun, 05 Feb 2017 00:29:43 +1100
Message-Id: <20170204132943.45609618F1BA@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/c1_3jQBIAPIqfm3uSUEPnBUpigo>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] ALT-TLD and (insecure) delgations.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Feb 2017 13:29:50 -0000

In message <20170204021353.GF67739@mx2.yitter.info>, Andrew Sullivan writes:
> On Fri, Feb 03, 2017 at 08:54:59PM -0500, Ted Lemon wrote:
> > On Feb 3, 2017, at 8:51 PM, Andrew Sullivan <ajs@anvilwalrusden.com> wrote:
> > > If the resolver "has a local zone for alt" -- I think this means it is
> > > authoritative for that zone -- why would it ask the root about it at
> > > all?
> > 
> > As long as the stub resolver isn't validating, it's no problem. If it is validating, t
> hen the recursive resolver can't fool the stub resolver if there's a secure denial of ex
> istence.
> > 
> 
> Right, that's always been the problem with using this _for the DNS_.
> Homenet has no choice in that, because the whole point of the homenet
> name is precisely to enable in-homenet DNS without reference to the
> global DNS.  I think you're quite correct that we need to decide
> whether alt is to be used for those purposes.  I'm not convinced
> that's so useful.

It's a problem for ALL special names.  BOGUS / SERVFAIL isn't the
response leaked names should get.  Its bad engineering.
 
> A
> 
> -- 
> Andrew Sullivan
> ajs@anvilwalrusden.com
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.46.0 | Report a Bug | By Email | System Status