Re: [DNSOP] draft-ietf-dnsop-rfc6598-rfc6303-01
Mark Andrews <marka@isc.org> Thu, 14 August 2014 23:36 UTC
To: Joe Abley <jabley@hopcount.ca>
From: Mark Andrews <marka@isc.org>
Date: Fri, 15 Aug 2014 09:36:27 +1000
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/c4F0XD07OQFmyLFOJ7uMDhN67u0
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] draft-ietf-dnsop-rfc6598-rfc6303-01

In message <7EA38D42-3915-403E-AFE3-C0A8E4A391BF@hopcount.ca>, Joe Abley writes:
>
> On 14 Aug 2014, at 12:04, Mark Andrews <marka@isc.org> wrote:
>
> > The assignments go:
> >
> > 0.0.0.0/0       IANA (IN-ADDR.ARPA)
> > 100.0.0.0/8     ARIN (100.IN-ADDR.ARPA)
> > 100.64.0.0/10   IANA (64.100.IN-ADDR.ARPA through
> >                       127.100.IN-ADDR.ARPA)
> >
> > The 100.64/10 address range is assigned to IANA.  IANA has not yet
> > set up IN-ADDR.ARPA zones and servers for this range.
>
> Since there is no secure delegation in place right now, anybody who wants
> to set up their own reverse DNS (and e.g. point their resolvers at it
> through resolver configuration) can do so, right? So there's no current
> problem?

The last delegation in the current chain is a secure delegation
from IN-ADDR.ARPA to 100.IN-ADDR.ARPA so there is a problem currently.
No one can safely set up their own reverse zones as validation is now
starting to be done in stub resolvers and to do so would result in
validation failures.

> Are you reacting to some other suggestion that one or both of ARIN and
> IANA are keen to insert a secure delegation for each of those 64 zones?

I'm saying that there needs to be a delegation and that the delegation
needs to be insecure.  There currently isn't a delegation at this
level.

> It seems to me that no delegation is a perfectly reasonable steady state,
> so long as ARIN doesn't mind the NXDOMAIN load from leaked queries. An
> alternative to a delegation (if they do care) would be a DNAME
> redirection to EMPTY.AS112.ARPA once that is available.

Given that IN-ADDR.ARPA -> 100.IN-ADDR.ARPA is a secure delegation
there is currently no way to safely intercept the queries.  I also
don't think that ISPs that deploy 100.64/10 should be unable to
safely add reverse zones for that range.

> Joe

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
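
The argument in the message above, as an added example that is not part of the original e-mail: a simplified Python model of how a validator treats an unsigned, locally served reverse zone beneath the signed 100.IN-ADDR.ARPA, plus the enumeration of the 64 zones covering 100.64.0.0/10. The function names and the `delegations` table are hypothetical, and the model only considers the single zone cut directly below the signed parent.

```python
import ipaddress

def reverse_zones(cidr):
    """Return the /16-aligned in-addr.arpa zones covering an IPv4 prefix (/8../16)."""
    net = ipaddress.ip_network(cidr)
    if net.version != 4 or not 8 <= net.prefixlen <= 16:
        raise ValueError("model handles IPv4 prefixes from /8 to /16 only")
    zones = []
    for sub in net.subnets(new_prefix=16):
        octets = sub.network_address.packed  # e.g. bytes 100, 64, 0, 0
        zones.append(f"{octets[1]}.{octets[0]}.in-addr.arpa.")
    return zones

def classify_local_answer(qname, signed_parent, delegations):
    """Status a validator gives an UNSIGNED answer for qname from a local zone.

    delegations (constructed, hypothetical) maps child zone -> "secure" when
    the signed parent publishes a DS, or "insecure" when it publishes NS with
    a signed proof that no DS exists. A missing key means no delegation.
    """
    labels = qname.rstrip(".").lower().split(".")
    parent = signed_parent.rstrip(".").lower().split(".")
    if len(labels) <= len(parent) or labels[-len(parent):] != parent:
        raise ValueError("qname is not below the signed parent")
    child = ".".join(labels[-(len(parent) + 1):]) + "."
    state = delegations.get(child)
    if state == "insecure":
        # Parent proves the subtree is unsigned: unsigned local data is accepted.
        return "insecure"
    # "secure": the DS demands signatures the local zone cannot supply.
    # No delegation: the signed parent proves the name does not exist, so
    # any unsigned positive answer contradicts that proof.
    return "bogus"

if __name__ == "__main__":
    zones = reverse_zones("100.64.0.0/10")
    print(len(zones), zones[0], zones[-1])
    qname = "1.0.64.100.in-addr.arpa."
    # State described in the message: no delegation below 100.in-addr.arpa.
    print(classify_local_answer(qname, "100.in-addr.arpa.", {}))
    # State the message asks for: insecure delegations for all 64 zones.
    wanted = {z: "insecure" for z in zones}
    print(classify_local_answer(qname, "100.in-addr.arpa.", wanted))
```
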