Re: [DNSOP] draft-adpkja-dnsop-special-names-problem-01
"Adrien de Croy" <adrien@qbik.com> Sun, 03 April 2016 21:20 UTC
Return-Path: <adrien@qbik.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 654D312D5FE for <dnsop@ietfa.amsl.com>; Sun, 3 Apr 2016 14:20:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OhNKQw8J2tjN for <dnsop@ietfa.amsl.com>; Sun, 3 Apr 2016 14:20:15 -0700 (PDT)
Received: from smtp.qbik.com (smtp.qbik.com [122.56.26.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75FA312D1D9 for <dnsop@ietf.org>; Sun, 3 Apr 2016 14:20:15 -0700 (PDT)
Received: From [192.168.1.146] (unverified [192.168.1.146]) by SMTP Server [192.168.1.3] (WinGate SMTP Receiver v8.5.6 (Build 4877)) with SMTP id <0000689505@smtp.qbik.com>; Mon, 04 Apr 2016 09:20:12 +1200
From: Adrien de Croy <adrien@qbik.com>
To: Mark Andrews <marka@isc.org>
Date: Sun, 03 Apr 2016 21:20:12 +0000
Message-Id: <em66a8de0e-895d-421e-a73f-289d2eb5b6a4@bodybag>
In-Reply-To: <20160403044720.CBDDA45D1ED9@rock.dv.isc.org>
User-Agent: eM_Client/6.0.24928.0
Mime-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/d9M0gqmloFMgeCKRzHG9zMzHbrM>
Cc: Robert Edmonds <edmonds@mycre.ws>, "dnsop@ietf.org" <dnsop@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [DNSOP] draft-adpkja-dnsop-special-names-problem-01
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: Adrien de Croy <adrien@qbik.com>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Apr 2016 21:20:18 -0000
------ Original Message ------ From: "Mark Andrews" <marka@isc.org> To: "Adrien de Croy" <adrien@qbik.com> Cc: "Robert Edmonds" <edmonds@mycre.ws>; "dnsop@ietf.org" <dnsop@ietf.org>; "Paul Hoffman" <paul.hoffman@vpnc.org> Sent: 3/04/2016 4:47:20 p.m. Subject: Re: [DNSOP] draft-adpkja-dnsop-special-names-problem-01 > >In message <em8bf94e58-4db5-4277-86ce-c0c5c0dc893f@bodybag>, "Adrien de >Croy" writes: >> >> that's correct. It looks in that document like a quote from the IAB, >> but if you're saying it's not, I then would have to challenge the >> logical conclusion asserted in that second paragraph. >> >> I don't see why it necessarily follows that having a single tree with >>a >> single root creates a requirement for support for multiple resolution >> protocols. > >Because the only other way to be able to distingish between a onion >address and a DNS name would be to have onion use labels with a >wire representaion that are longer that 63 octets or with overall >lengths greater that 255 wire octets It looks like you're talking about making a name that can't be encoded on a DNS packet and so therefore can't be looked up with DNS, but that's not necessarily going to achieve any specific distinction between DNS any any other specific name space, it's just a broken (in a DNS-centric POV) name, rather than onion name specifically. >or you have to prefix all names >with DNS and ONION to identify the resolution namespace. Prefixing with some kind of protocol identifier is what is done with URIs. There's pretty good recognition out there for that kind of thing? > Almost >any string of characters will form a valid DNS name. as long as it's only alphanumerics and -. > >This was my signature back in 1995. Note you had to NAME the >NAMESPACES. > > Mark Andrews, CSIRO Div Maths & Stats > Locked Bag 17, North Ryde, NSW 2113, Australia. > PHONE: +61 2 325 3148 INTERNET: marka@syd.dms.csiro.au > UUCP: ....!uunet!syd.dms.csiro.au!marka > >None of us grey beards want to go back to those days. > >We could have added "*.onion 604800 IN NULL" to the root zone and >fixed all the resolvers to stop searching on NOERROR but that does >not stop the fact that you want to use TOR alone with who you want >to talk to leaking unintentionally. OK this is the nub of it. You want to connect to a global privacy network and from there privately access services. Fundamentally you're still connecting over IP, so you need to resolve an IP address of the network entry point. This is still a DNS name. You then connect to that. Once you're connected, you're talking your own protocol, and then you can resolve names within your system any way you please, even LDAP. I don't see why DNS has to even be involved there. Or is the problem about antispam doing lookups on onion names embedded in emails? What about a URI format? > >> The thousands of authors of other protocols and systems don't seem to >> have had too much trouble so far just using DNS where required, and >> putting resolution into their own protocols outside the tree. Why >>break >> the whole tree for some nebulous result which surely in all cases can >>be >> worked around with a smaller consequence than having to deploy new >>DNS >> to the entire world. >> >> Even a DSL/NAT box does DNS forwarding, do we expect all those cheap >> router box vendors to patch out the firmware for this any time soon? > >No. The expectation is that future boxes that they ship will >implement the protocol and not pass on the leaked name. The >expectation is that any update issued will also address this. I wouldn't be surprised if the people making these boxes are mostly unaware of this added requirement on them. > >The RFC allows DNS only resolvers, proxies and recursive servers >to all generate NXDOMAIN responses in the event of a leak. This >will result in SERVFAIL in some cases as the validation of the >response will fail but it will still prevent the leak spreading. The proposed deployment methods make me uneasy as well. For example. Some smart DNS developer, looks at special use names, sees that there's now a sanctioned mechanism to get new root namespaces into the DNS, and figures hey I should check some central location occasionally for a list of root level domains I should return NXDOMAIN for. Someone hacks that list to include .com Since there is no machine-readable repo for this, vendors will make their own, and those may/will be hackable. Maybe would be better if just the root servers returned NXDOMAIN, but the leak is already occured by that stage. In any case I think it's foolhardy to rely on there being no leak, and TOR would have done better by its customers to whom it is promising privacy, to not rely for privacy/security on changes being made to a system which has a vast inertia. And that inertia means we should avoid at all costs any new feature which means we have to change out all DNS. Not create new mechanisms for it. Adrien > >> Adrien > >-- >Mark Andrews, ISC >1 Seymour St., Dundas Valley, NSW 2117, Australia >PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- [DNSOP] draft-adpkja-dnsop-special-names-problem-… Alain Durand
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Bob Harold
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Stephane Bortzmeyer
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Ralph Droms
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… David Conrad
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Ralph Droms
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Alain Durand
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Paul Hoffman
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Andrew Sullivan
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Ralph Droms
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… David Conrad
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Andrew Sullivan
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… David Conrad
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Andrew Sullivan
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Alain Durand
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Ralph Droms
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Adrien de Croy
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… John Levine
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Suzanne Woolf
- [DNSOP] The right alt string (was Re: draft-adpkj… Andrew Sullivan
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Alain Durand
- Re: [DNSOP] The right alt string (was Re: draft-a… John Levine
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Andrew Sullivan
- Re: [DNSOP] The right alt string (was Re: draft-a… Andrew Sullivan
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… John Levine
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… David Conrad
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… David Conrad
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Andrew Sullivan
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Alain Durand
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Ralph Droms
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Alain Durand
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… John Levine
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Paul Wouters
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… George Michaelson
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… John R Levine
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Andrew Sullivan
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Alain Durand
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… John Levine
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Suzanne Woolf
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Andrew Sullivan
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… David Conrad
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… David Conrad
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… joel jaeggli
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… David Conrad
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… George Michaelson
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… joel jaeggli
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Paul Hoffman
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… John R Levine
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Jim Reid
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Philip Homburg
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Paul Hoffman
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Alain Durand
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… John Levine
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… John R Levine
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Philip Homburg
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Andrew Sullivan
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… John Levine
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Suzanne Woolf
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… George Michaelson
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Adrien de Croy
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Adrien de Croy
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Adrien de Croy
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… John R Levine
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Adrien de Croy
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Patrik Fältström
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Adrien de Croy
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Philip Homburg
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Paul Hoffman
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Andrew Sullivan
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… David Conrad
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Adrien de Croy
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… John Levine
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Ralph Droms
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… David Conrad
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Paul Hoffman
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Adrien de Croy
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Adrien de Croy
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… str4d
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… George Michaelson
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… str4d
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… joel jaeggli
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Robert Edmonds
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Adrien de Croy
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Mark Andrews
- Re: [DNSOP] draft-adpkja-dnsop-special-names-prob… Adrien de Croy