Re: [DNSOP] Call for Adoption: draft-arends-private-use-tld

Brian Dickson <brian.peter.dickson@gmail.com> Tue, 16 June 2020 01:20 UTC

In-Reply-To: <alpine.DEB.2.20.2006160156000.28941@grey.csi.cam.ac.uk>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Mon, 15 Jun 2020 18:19:53 -0700
Message-ID: <CAH1iCiq9sj-27_=M8Uquby0NAkg4HK+vipcjnzBtQktwgRXdyA@mail.gmail.com>
To: Tony Finch <dot@dotat.at>
Cc: Paul Vixie <paul@redbarn.org>, John Levine <johnl@taugh.com>, dnsop <dnsop@ietf.org>, Tim Wicinski <tjw.ietf@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/d63ryBD2yBn1u86zIfw2uXCGcl4>

On Mon, Jun 15, 2020 at 5:59 PM Tony Finch <dot@dotat.at> wrote:

> Brian Dickson <brian.peter.dickson@gmail.com> wrote:
>
> > Internal-only use is not only satisfied with non-delegated name spaces,
> > it actually is a much better fit for everything.
>
> Yes, I agree, but why does the point of non-delegation have to be a
> squatted collision-prone TLD, rather than a guaranteed collision-free
> subdomain of a properly registered domain?
>

Precisely because you want a non-TLD (we should remember this is NOT an
actual TLD), for a number of reasons:

   - You want to be able to limit the places any leaked traffic goes
      - Currently this would be the Root Servers
      - I think it would make sense for non-TLDs to be DNAME'd to AS112++'s
        empty zone (which generates an NXDOMAIN)
         - Either as specific names, or as a wildcard
      - The typical content of enterprisey internal-only names (the DNS
        queries themselves) is sensitive in nature
      - I have had the opportunity to view DITL data from ISP resolvers,
        and the nature of these kinds of queries was unsettling
      - In addition to leaking information, these names generally should
        not have any presence in DNS caches, which makes them excellent
        candidates for easy poisoning
   - As I pointed out elsewhere in this thread, collision avoidance without
     revealing information can be done easily enough,
      - E.g. with use of a 12-character random string of letters and digits
      - 36^12 is pretty collision-resistant.
      - Use one of these, enterprise-wide
      - Or even site-wide at a sub-enterprise level if site-site isn't a
        requirement.

You can only squat on a property. This is a non-property, so technically it
is not squatting, appearances notwithstanding.

Brian
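The random-label collision argument above, plus a suffix check a resolver operator could use to spot internal-only names that should never leave the site, as an added example that is not part of the original message. It assumes lowercase letters and digits as the 36-symbol alphabet and uses the reserved name "example" as a placeholder for the non-TLD.

```python
import math
import secrets
import string

# Constructed choice: 36 symbols (a-z, 0-9), 12 of them per label, as the message suggests.
LABEL_ALPHABET = string.ascii_lowercase + string.digits
LABEL_LENGTH = 12


def random_label(length: int = LABEL_LENGTH) -> str:
    """Draw a label from a CSPRNG (secrets, not random) so it reveals nothing about the site."""
    return "".join(secrets.choice(LABEL_ALPHABET) for _ in range(length))


def is_valid_label(label: str) -> bool:
    """DNS label sanity check: 1..63 octets, letters and digits only."""
    return 0 < len(label) <= 63 and all(c in LABEL_ALPHABET for c in label)


def label_space(length: int = LABEL_LENGTH) -> int:
    """Number of distinct labels: 36^12 for the defaults (about 4.7e18)."""
    return len(LABEL_ALPHABET) ** length


def collision_probability(n: int, length: int = LABEL_LENGTH) -> float:
    """Birthday bound: chance that any two of n independently chosen labels coincide."""
    x = n * (n - 1) / (2.0 * label_space(length))
    return -math.expm1(-x)  # 1 - exp(-x), kept precise for tiny x


def private_zone(label: str, non_tld: str) -> str:
    """Fully qualified, dot-terminated private suffix: <label>.<non-tld>."""
    return f"{label}.{non_tld}.".lower()


def is_under_zone(qname: str, zone: str) -> bool:
    """True when qname is the private zone or a name below it (a query that must not leak)."""
    q = qname.lower().rstrip(".") + "."
    return q == zone or q.endswith("." + zone)


if __name__ == "__main__":
    zone = private_zone(random_label(), "example")
    print(zone, is_under_zone("host." + zone, zone))
    print(f"1e6 independently chosen labels collide with p={collision_probability(10**6):.3g}")
```

With one million independently generated labels the birthday-bound collision probability is on the order of 1e-7, which is the sense in which 36^12 is "pretty collision-resistant".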