Re: [DNSOP] DNS privacy and AS 112: the case of home.arpa
Paul Vixie <paul@redbarn.org> Mon, 11 December 2017 09:10 UTC
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A1801200F3 for <dnsop@ietfa.amsl.com>; Mon, 11 Dec 2017 01:10:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PVH0GkD8IWlx for <dnsop@ietfa.amsl.com>; Mon, 11 Dec 2017 01:10:21 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5C6C1287A3 for <dnsop@ietf.org>; Mon, 11 Dec 2017 01:10:21 -0800 (PST)
Received: from [IPv6:2001:559:8000:c9:dc3:59e3:1fa5:69dc] (unknown [IPv6:2001:559:8000:c9:dc3:59e3:1fa5:69dc]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id A6A7661FA2; Mon, 11 Dec 2017 09:10:21 +0000 (UTC)
Message-ID: <5A2E4B7C.50509@redbarn.org>
Date: Mon, 11 Dec 2017 01:10:20 -0800
From: Paul Vixie <paul@redbarn.org>
User-Agent: Postbox 5.0.20 (Windows/20171012)
MIME-Version: 1.0
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
CC: dnsop@ietf.org
References: <20171211090051.qjoruin7nkdjsnvd@nic.fr>
In-Reply-To: <20171211090051.qjoruin7nkdjsnvd@nic.fr>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/cJ0Iffa3h2TD3dG9SmwWktIcASg>
Subject: Re: [DNSOP] DNS privacy and AS 112: the case of home.arpa
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Dec 2017 09:10:26 -0000
Stephane Bortzmeyer wrote:
...
> Does it mean the privacy problem is solved? Or simply overlooked? Can
> we delegate RFC 6761 special-use domains such as .internal to AS 112?

any AS112 operator can tell you that the world doesn't care about privacy, based on the amount of organizationally sensitive information that's leaked in queries for PTR in RFC 1918 address blocks. so, privacy was never my concern.

rather, AS112 has no authoritative operator registry. we don't know who is running these servers, and we have no way to assure that they hear a request that they add more secondary DNS zones to such servers. so if we delegate more zones that way, there will be a lot of SERVFAIL except for servers who send REFUSED.

either way we have to consider the matter. i think as long as we keep the traffic away from the ARPA and root servers, we should not care what response is received -- should be NXDOMAIN but could be pretty much anything. ideally we'd sign all of these zones with DNSSEC and put DS RR's into the delegations, to assure that poison wasn't getting believed by modern validating resolvers.

but we should concern ourselves with the question: did the AS112 operators realize that we'd be adding zones over time, and will they see the new RFC and/or announcements here/elsewhere and know to update their configs? and will any of them consider this an imposition?

-- 
P Vixie
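The operational question raised in the message above (has a given AS112 node actually loaded a newly delegated zone, or does it answer SERVFAIL/REFUSED?) can be checked directly, because AS112 nodes are authoritative-only servers that can be queried without recursion. The following is an added example written for this page, not code from Paul Vixie, the DNSOP working group or any AS112 operator. It builds a minimal DNS query by hand, classifies a node's reply from its RCODE and AA bit, and includes a constructed-response helper so the classification can be exercised offline. The server names blackhole-1.iana.org and blackhole-2.iana.org are the IANA-operated AS112 nodes; that they are reachable from where you run this, and that home.arpa is the zone you care about, are assumptions of the example.

```python
"""Probe an AS112 node for a delegated zone and classify its answer (added example)."""
import random
import socket
import struct

# RCODE values (RFC 1035 / IANA DNS parameters registry)
NOERROR, FORMERR, SERVFAIL, NXDOMAIN, NOTIMP, REFUSED = 0, 1, 2, 3, 4, 5
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPE_SOA, QTYPE_PTR, QCLASS_IN = 6, 12, 1

# Zones and nodes to check; assumptions of the example, adjust to taste.
ZONES = ["home.arpa", "10.in-addr.arpa", "168.192.in-addr.arpa"]
AS112_NODES = ["blackhole-1.iana.org", "blackhole-2.iana.org"]


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels, terminated by a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long: %r" % label)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = None) -> bytes:
    """One-question query with RD cleared: we want the node's own authoritative view."""
    if txid is None:
        txid = random.randrange(65536)
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-octet header; the classification needs only QR, AA and RCODE."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def classify(hdr: dict) -> str:
    """What a reply for the zone apex (SOA) tells us about the node's configuration.

    A node that has the zone loaded answers authoritatively (AA=1): NOERROR for the apex,
    NXDOMAIN for names below it. A node without the zone replies REFUSED or SERVFAIL,
    the two outcomes named in the message above. An AA=0 NOERROR/NXDOMAIN did not come
    from a zone on this node at all (e.g. you hit a recursive resolver by mistake)."""
    rcode, aa = hdr["rcode"], hdr["aa"]
    if aa and rcode in (NOERROR, NXDOMAIN):
        return "configured"
    if rcode == REFUSED:
        return "not-configured (REFUSED)"
    if rcode == SERVFAIL:
        return "not-configured (SERVFAIL)"
    if not aa:
        return "not-authoritative"
    return "unexpected (%s)" % RCODE_NAMES.get(rcode, rcode)


def make_response(query: bytes, rcode: int, aa: bool) -> bytes:
    """Constructed reply for offline use: echo the question, set QR and optionally AA."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | (0x0400 if aa else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]


def probe(server: str, zone: str, qtype: int = QTYPE_SOA, timeout: float = 3.0) -> str:
    """Send one UDP query straight to an AS112 node and classify the reply (needs network)."""
    query = build_query(zone, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (socket.gethostbyname(server), 53))
        data, _ = sock.recvfrom(4096)
    hdr = parse_header(data)
    if not hdr["qr"] or hdr["id"] != struct.unpack("!H", query[:2])[0]:
        return "bad reply (QR clear or transaction id mismatch)"
    return classify(hdr)


if __name__ == "__main__":
    for node in AS112_NODES:
        for zone in ZONES:
            try:
                print("%-24s %-24s %s" % (node, zone, probe(node, zone)))
            except (socket.timeout, OSError) as exc:
                print("%-24s %-24s error: %s" % (node, zone, exc))
```

Querying the SOA at the apex rather than a random name avoids depending on how a node synthesises NXDOMAIN; a node that answers "configured" for 10.in-addr.arpa but "not-configured" for home.arpa is exactly the under-configured operator the message worries about. The same classification applies to any zone that is later pointed at AS112, not only home.arpa.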
- [DNSOP] DNS privacy and AS 112: the case of home.… Stephane Bortzmeyer
- Re: [DNSOP] DNS privacy and AS 112: the case of h… Paul Vixie
- Re: [DNSOP] DNS privacy and AS 112: the case of h… Stephane Bortzmeyer
- Re: [DNSOP] DNS privacy and AS 112: the case of h… Paul Vixie
- Re: [DNSOP] DNS privacy and AS 112: the case of h… Joe Abley
- Re: [DNSOP] DNS privacy and AS 112: the case of h… Mark Andrews
- Re: [DNSOP] [Ext] Re: DNS privacy and AS 112: the… Kim Davies
- Re: [DNSOP] [Ext] DNS privacy and AS 112: the cas… Mark Andrews
- Re: [DNSOP] DNS privacy and AS 112: the case of h… Ted Lemon
- Re: [DNSOP] DNS privacy and AS 112: the case of h… Stephane Bortzmeyer
- Re: [DNSOP] DNS privacy and AS 112: the case of h… Joe Abley
- Re: [DNSOP] DNS privacy and AS 112: the case of h… Mark Andrews
- Re: [DNSOP] DNS privacy and AS 112: the case of h… Ted Lemon
- Re: [DNSOP] DNS privacy and AS 112: the case of h… Joe Abley
- Re: [DNSOP] DNS privacy and AS 112: the case of h… Joe Abley
- Re: [DNSOP] DNS privacy and AS 112: the case of h… Mark Andrews
- Re: [DNSOP] DNS privacy and AS 112: the case of h… Joe Abley
- Re: [DNSOP] DNS privacy and AS 112: the case of h… Ted Lemon
- Re: [DNSOP] DNS privacy and AS 112: the case of h… Mark Andrews
- Re: [DNSOP] DNS privacy and AS 112: the case of h… Stephane Bortzmeyer