IETF Logo Mail Archive

[DNSOP] Re: [Ext] Re: Call for Adoption: draft-davies-internal-tld

Ted Lemon <mellon@fugue.com> Wed, 30 April 2025 17:22 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 9241923396AB for <dnsop@mail2.ietf.org>; Wed, 30 Apr 2025 10:22:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.798
X-Spam-Level:
X-Spam-Status: No, score=-2.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=fugue.com header.b="WRfrk7bi"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="N+OkhalZ"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TEDue28uPDju for <dnsop@mail2.ietf.org>; Wed, 30 Apr 2025 10:22:17 -0700 (PDT)
Received: from flow-b7-smtp.messagingengine.com (flow-b7-smtp.messagingengine.com [202.12.124.142]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 99EB523396A4 for <dnsop@ietf.org>; Wed, 30 Apr 2025 10:22:17 -0700 (PDT)
Received: from phl-compute-12.internal (phl-compute-12.phl.internal [10.202.2.52]) by mailflow.stl.internal (Postfix) with ESMTP id 494CD1D41E29 for <dnsop@ietf.org>; Wed, 30 Apr 2025 13:22:17 -0400 (EDT)
Received: from phl-imap-10 ([10.202.2.85]) by phl-compute-12.internal (MEProxy); Wed, 30 Apr 2025 13:22:17 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue.com; h=cc :content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm1; t=1746033737; x=1746040937; bh=HBghyYh7dN uOFnJh6vhXE7O/4xCjktU3gIft1bVfsrc=; b=WRfrk7bi4FUPtnFEBQcvgeyrSj 59giv6p0m20QUhKLMAmF/hHeuALPNA6/PqQnf98dgg+Fj6Fkx2M/ktnnpwW724u9 NzwWpwU3sVzhbx/MgqyAT4bf1lcAjc4p+phOj6nwUxWKbYBph3MmJxLZttnUC+Tg Pb5Zqa4Vq+avJiBJYfPOW3N1B8UMATIW4cwlQLlys0/90V40n2EHvfhZY8w8tE2h efIkEaWDBZnbu5lBaFv9MODBEZQwXSh9BpCm4WQwjvIYqAjTcbV5Ah7fwjMBAfFh rdyIqMF7ymZ49EiHCTeBBGbxIlO/8lHnZDkbKgTtLF5BiMRI7o9md2EMmcSA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t= 1746033737; x=1746040937; bh=HBghyYh7dNuOFnJh6vhXE7O/4xCjktU3gIf t1bVfsrc=; b=N+OkhalZauzzGtfBGQ4q8joYVa4NkQa5368fHDOJO1KDrRmexJM 2mSlj43GlTYudaN15+a9Ql7lNI5a1cBEdpQKhKxF2uzb/ooN/sV6YoJLmJOmBo19 rrHNj9S91mnwCOA+qg6skcorq3rFQqJuhMBlbOAV9IJ/6YqGfuyxVMxE4kILyCT4 Kklc92/h9nyAUC+kJnzld6/zmXwlzBD//xZMyu0WNspeZcS1MPUjZIjdsQj7Xdeq TpvbTzOTFXnS+Ssq14RMlIEBqt62F67BNzTnEO9f7b7TzD1GUtG/MIrhObNWgFwS hptdlhARRNUAlGZNHlhIfXatXuqi4NvTxmg==
X-ME-Sender: <xms:SFwSaPtIjL_FAq6pFLFAoakJDpcMJCxXdmRJiGNoXr_VB4xcpYYYvg> <xme:SFwSaAexptFN2TihAEs7iUdPe4wFsdqW8flQEWw2knxj-VvdwomopLwoQ4QIi3pw6 ctn9XQIqovIBCI8Xdo>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefvddrtddtgddvieejvdekucetufdoteggodetrf dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggv pdfurfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucenucfjughrpefogg ffhffvkfgjfhfutgesrgdtreerredtjeenucfhrhhomhepfdfvvgguucfnvghmohhnfdcu oehmvghllhhonhesfhhughhuvgdrtghomheqnecuggftrfgrthhtvghrnhepleelueeute ejkefhteelleffgeelveelheeiiefgveeuvddutddvkeethedugeefnecuvehluhhsthgv rhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepmhgvlhhlohhnsehfuhhguh gvrdgtohhmpdhnsggprhgtphhtthhopedupdhmohguvgepshhmthhpohhuthdprhgtphht thhopegunhhsohhpsehivghtfhdrohhrgh
X-ME-Proxy: <xmx:SVwSaCwC2kK6oa-X_HfjdwjaaLncDUIYOCEwFhayQZ3p11hTVfJOPA> <xmx:SVwSaOPgOcLsYiLFFCazBXLXy8LYC_TMWnvPTKvSVQCjI2tjTNA0kw> <xmx:SVwSaP92OBphMB2JOgcOBPB4qjL8QtO96tMfY8NFW74FjRPRPIsAvw> <xmx:SVwSaOVg7jr16l-PEZ6iT1TcAZLGEVlJb296oKfkyRK8P6njZl3BMQ> <xmx:SVwSaCYeqsi8b6pSevbB7QcrSswqiGIX64QHdlOymko28Ru65Qz0nB8F>
Feedback-ID: i1136489e:Fastmail
Received: by mailuser.phl.internal (Postfix, from userid 501) id D422A3C0068; Wed, 30 Apr 2025 13:22:16 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
MIME-Version: 1.0
X-ThreadId: Teb8ce65f3fed0dd8
Date: Wed, 30 Apr 2025 13:21:56 -0400
From: Ted Lemon <mellon@fugue.com>
To: "dnsop@ietf.org WG" <dnsop@ietf.org>
Message-Id: <87f219df-34f0-48fa-89cf-8cb8300c86c2@app.fastmail.com>
In-Reply-To: <8E36C1B8-C67B-4704-9E3B-7143863E2262@icann.org>
References: <m1u5h1G-0000LcC@stereo.hq.phicoh.net> <83666fd3-a51f-46e1-a5ac-0b9a46361480@desec.io> <49E3B1B6-E960-4A46-9C5D-2721FD57132D@depht.com> <3b5fb9e7-8a2b-420f-a2fb-dd6f6a0b88ae@isc.org> <89047B78-A2B1-43F2-A996-94DF1E90538A@depht.com> <cc84f69c-c349-4d91-b942-80221b564a9b@isc.org> <ac48e27d-479f-42f3-b87f-891220ef2fe8@app.fastmail.com> <BE721880-6254-48F4-9F91-567A99E0511B@icann.org> <m1u7asT-0000MtC@stereo.hq.phicoh.net> <01E23110-9A50-4187-8A54-34D514504F9B@strandkip.nl> <3A48CBC3-B55B-4FCF-B713-A7CA4C7BB7CC@strandkip.nl> <8E36C1B8-C67B-4704-9E3B-7143863E2262@icann.org>
Content-Type: multipart/alternative; boundary="aaeaa2f8af9043fd9376dfc283eda38e"
Message-ID-Hash: X7OINMAUAX47JWFL35TUG5J6CZIULK6P
X-Message-ID-Hash: X7OINMAUAX47JWFL35TUG5J6CZIULK6P
X-MailFrom: mellon@fugue.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: [Ext] Re: Call for Adoption: draft-davies-internal-tld
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/cBDsXyAgIbkg6ezAQnoPhHEFDEc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

The reason to do an insecure delegation is so that the public dns doesn’t securely deny the existence of the zone. If there is a secure denial of existence, a validating stub resolver will not use responses from the local resolver because they will be bogus. 

On Wed, Apr 30, 2025, at 12:49 PM, Paul Hoffman wrote:
> Coming back to the topic of insecure delegation, because some people here have said that is the reason they want the draft to be adopted in this WG.
> 
> Can anyone say who benefits from insecure delegation of .internal, and how? This might be a lack of creativity on my part, but I cannot think of any party in the DNS that would be helped by insecure delegation of .internal, and I can think of one (validating stub resolvers) that would in fact be hurt by it.
> 
> --Paul Hoffman
> 
> On Apr 24, 2025, at 09:50, Joe Abley <jabley@strandkip.nl> wrote:
> > 
> > Replying to myself, hooray,
> > 
> > On 23 Apr 2025, at 18:16, Joe Abley <jabley@strandkip.nl> wrote:
> > 
> >> I was a member of SSAC at the time SSAC made its recommendation to the ICANN board, but I was not one of the people who contributed significantly to the document as far as I remember, so be aware (as usual!) that everything I say may be nonsense.
> >> 
> >> I think the SSAC document does not discuss or propose an insecure delegation from the root zone in order to avoid the advice to the board being complicated by conflicts with existing root zone management (both in the general sense and in the sense of RZM, the software used to manage delegations from the root zone).
> > 
> > Some kind people reminded me of events of the past, so in case it's interesting...
> > 
> > It turns out that the SSAC work party responsible for that document did indeed decide not to recommend an insecure delegation for the reason above, and so it's definitively not the case that people didn't think of it or think that it was a good idea to recommend it.
> > 
> > I was one of the people that thought it was better not to include that specific recommendation, for the reason above, and in fact I said so loudly and stubbonly at the time. I had just forgotten.
> > 
> > I still think this was a reasonable recommendation to drop, and I still think that the resulting resolution shouldn't stand in the way of any particular technical implementation of the document's overall recommendation. People shouldn't read too much into the word "delegation" just because they're used to seeing it through a DNS lens. It definitely has other meanings in the context of the policies surrounding root zone management.
> 
> 
> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-leave@ietf.org
>

v2.31.3 | Report a Bug | By Email | System Status