Re: [DNSOP] DNS privacy and AS 112: the case of home.arpa

Paul Vixie <paul@redbarn.org> Mon, 11 December 2017 09:10 UTC

Message-ID: <5A2E4B7C.50509@redbarn.org>
Date: Mon, 11 Dec 2017 01:10:20 -0800
From: Paul Vixie <paul@redbarn.org>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
CC: dnsop@ietf.org
References: <20171211090051.qjoruin7nkdjsnvd@nic.fr>
In-Reply-To: <20171211090051.qjoruin7nkdjsnvd@nic.fr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/cJ0Iffa3h2TD3dG9SmwWktIcASg>
Subject: Re: [DNSOP] DNS privacy and AS 112: the case of home.arpa


Stephane Bortzmeyer wrote:
...
> Does it mean the privacy problem is solved? Or simply overlooked? Can
> we delegate RFC 6761 special-use domains such as .internal to AS 112?

any AS112 operator can tell you that the world doesn't care about 
privacy, based on the amount of organizationally sensitive information 
that's leaked in queries for PTR in RFC 1918 address blocks. so, privacy 
was never my concern.

rather, AS112 has no authoritative operator registry. we don't know who 
is running these servers, and we have no way to assure that they hear a 
request that they add more secondary DNS zones to such servers. so if we 
delegate more zones that way, there will be a lot of SERVFAIL except for 
servers who send REFUSED. either way we have to consider the matter.

i think as long as we keep the traffic away from the ARPA and root 
servers, we should not care what response is received -- should be 
NXDOMAIN but could be pretty much anything. ideally we'd sign all of 
these zones with DNSSEC and put DS RRs into the delegations, to assure 
that poison wasn't getting believed by modern validating resolvers.

but we should concern ourselves with the question: did the AS112 
operators realize that we'd be adding zones over time, and will they see 
the new RFC and/or announcements here/elsewhere and know to update their 
configs? and will any of them consider this an imposition?

-- 
P Vixie
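Added example, not part of this thread: a Python audit over constructed resolver query-log lines that flags names which would leak to AS112 (home.arpa and the RFC 1918 reverse zones) if forwarded upstream, so an operator can see what the local resolver should be answering itself. The BIND-style log shape and the sample lines are assumptions.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 blocks whose reverse (in-addr.arpa) zones AS112 answers.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed BIND-style query-log shape: "client 192.0.2.5#5353: query: NAME IN TYPE"
LOG_RE = re.compile(r"client (?P<client>[^#\s]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def reverse_name_to_network(qname):
    """Map a full or partial in-addr.arpa name to the IPv4 network it covers
    (16.172.in-addr.arpa -> 172.16.0.0/16); None if not in-addr.arpa or malformed."""
    labels = qname.rstrip(".").lower().split(".")
    if not 3 <= len(labels) <= 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    octets = list(reversed(labels[:-2]))  # the reverse name lists octets backwards
    try:
        base = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{base}/{8 * len(octets)}")
    except ValueError:
        return None

def leaks_to_as112(qname):
    """True if a query for qname, forwarded upstream, would land in an AS112-served
    zone (home.arpa or an RFC 1918 reverse zone) instead of being answered locally."""
    name = qname.rstrip(".").lower()
    if name == "home.arpa" or name.endswith(".home.arpa"):
        return True
    net = reverse_name_to_network(name)
    return net is not None and any(net.subnet_of(p) for p in PRIVATE_NETS)

def audit(log_lines):
    """Count, per qname, the queries the resolver should have answered from local zones."""
    leaked = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and leaks_to_as112(m["qname"]):
            leaked[m["qname"].rstrip(".").lower()] += 1
    return leaked

# Constructed sample log lines (not from the page or any real resolver).
SAMPLE_LOG = [
    "client 192.0.2.5#5353: query: printer.home.arpa IN A +",
    "client 192.0.2.5#5353: query: 5.1.168.192.in-addr.arpa IN PTR +",
    "client 192.0.2.9#40201: query: www.example.com IN AAAA +",
    "client 192.0.2.9#40202: query: 16.172.in-addr.arpa IN SOA +",
    "client 192.0.2.9#40203: query: 172.in-addr.arpa IN NS +",  # /8 itself is not an AS112 zone
]
```

Running `audit(SAMPLE_LOG)` on these lines reports three leaking names; any name it reports is a candidate for a locally served empty or authoritative zone on the resolver.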