IETF Logo Mail Archive

[DNSOP] Re: [EXTERNAL] Re: Call for Adoption: draft-davies-internal-tld

Roy Arends <roy@dnss.ec> Fri, 02 May 2025 16:30 UTC

Return-Path: <roy@dnss.ec>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id CA7AE2429A81 for <dnsop@mail2.ietf.org>; Fri, 2 May 2025 09:30:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=dnss.ec
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IUJTvlGw6-dQ for <dnsop@mail2.ietf.org>; Fri, 2 May 2025 09:30:19 -0700 (PDT)
Received: from mail-qt1-x82a.google.com (mail-qt1-x82a.google.com [IPv6:2607:f8b0:4864:20::82a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 24A072429A75 for <dnsop@ietf.org>; Fri, 2 May 2025 09:30:19 -0700 (PDT)
Received: by mail-qt1-x82a.google.com with SMTP id d75a77b69052e-47664364628so26089091cf.1 for <dnsop@ietf.org>; Fri, 02 May 2025 09:30:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dnss.ec; s=google; t=1746203418; x=1746808218; darn=ietf.org; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=popmM1WCNnG+vBTrB0zRE+c3OTfQFQX4Q7J4OcFVN1w=; b=YHVFaSL7Z+Wj5486FAZTLLt6qUOY3DOQqRKmKRI3JRWI+uDOOZSP0Y6KAYkL3pC/kV fnptnOGeIyrFSceXQtfG3/ARHEeItdLKIAiAiWjZnbYtEuqCOvEEqlc5P+aqmfKvWW6g 2VuzRo4ox0EObzRjaKbEGmBU8lqjfCns6ARUc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1746203418; x=1746808218; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=popmM1WCNnG+vBTrB0zRE+c3OTfQFQX4Q7J4OcFVN1w=; b=ZzXj8PaTBVTbggL5euKcmxOInMIRD5jkuayC1XTd0Qe9Yys4pb9OYEky9pzH32DEQg UspmUPe88Yxt/LeUu9S/cmCWhh58rZhdjiAwqJPk1EStFIeiJwL+lBHmUmXDAtFb1XJo dXL6buaCjMHrfct95m1ml4MjplFi9B401LhlVUygGGUTOLlAm0SU074+yx1xQE12Cyfu IvHLuEIn8izjP3ViKHNShYoA0dInjJ2MNnjRtPVXUBuWAnupM3r2KjsFgOIREOy+Kplx Vyx2FOIQieUf620x6f6hojqmzSa0/HH7phTdeXUEMVEYTn9O1uElLvPUKalqsLZq02Y9 nWCg==
X-Gm-Message-State: AOJu0YzTtvlLVSugS63aeBFqdh6TmVaxRslskafi+KR+GFOH9GhFNgVq MP08ZsXPn26+1nziAQ+ZIma9FLL5HT9etkfKM7GHchKa8iNmQpLaJYJHCr6k0Tk=
X-Gm-Gg: ASbGncvo4BETejea5wxBlwVCIRLRGyYsgDIumx7lafpDQscQeEkRCpn4YyNELEOvyCe zEcCYt1+1cdzRfMDlUI1vTQsvGDx3+WztJcXlEwhTQEuxgUiTuObMUeS8nEMUaNHggH+sEzAV0X hxvBO4ckCMhk30lLuiTWfV85RUArsWsbORWvNMJJ9XWpdPVawUvzylqf1JWyGpGE3ke1TsyNvro G59056Y4nc3LBPVCAbvNLQIEXp1dgWDp5Nl0HjbW5neI3KNJZU7cfJjREWdo6OWNC1wD1ufF4Qb us4dRhKWsMINNnnO3dZ5ZJO2Csv82CABCc8jh1v9G3kHWAA3X/4=
X-Google-Smtp-Source: AGHT+IFZLVQEEzbT7PhC45pzg+TD1MwV3Ef4oERqN65Bw0O7bY4HCIBmEibPygAkGjtLwCsUd4wHdQ==
X-Received: by 2002:a05:622a:1927:b0:477:1dd0:6d15 with SMTP id d75a77b69052e-48c18a4cec7mr56925161cf.5.1746203418505; Fri, 02 May 2025 09:30:18 -0700 (PDT)
Received: from smtpclient.apple ([88.81.146.121]) by smtp.gmail.com with ESMTPSA id d75a77b69052e-48b98d0fb2dsm19741991cf.77.2025.05.02.09.30.17 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 02 May 2025 09:30:17 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3826.600.51.1.1\))
From: Roy Arends <roy@dnss.ec>
In-Reply-To: <SA1PR15MB4370BAE2BD669193DDB9AE44B38D2@SA1PR15MB4370.namprd15.prod.outlook.com>
Date: Fri, 02 May 2025 17:30:04 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <A20EE4B8-A4DF-4CCD-8B1B-BE6FAD6CCB3D@dnss.ec>
References: <1C9E8ABA-4399-491B-A9F4-D9ACCB1BA72C@virtualized.org> <C497EC3A-A06B-4DCC-B0C8-382A3424D7D5@strandkip.nl> <SA1PR15MB43700B9B2C9151FB31381082B3BC2@SA1PR15MB4370.namprd15.prod.outlook.com> <866409E5-0D9A-4669-8C6E-C9D1C7BDAA21@dnss.ec> <SA1PR15MB4370BAE2BD669193DDB9AE44B38D2@SA1PR15MB4370.namprd15.prod.outlook.com>
To: Ben Schwartz <bemasc@meta.com>
X-Mailer: Apple Mail (2.3826.600.51.1.1)
Message-ID-Hash: PJU75XKVIFG2UVVAWF4EV2TMFIKSMEAW
X-Message-ID-Hash: PJU75XKVIFG2UVVAWF4EV2TMFIKSMEAW
X-MailFrom: roy@dnss.ec
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Working Group DNSOP <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: [EXTERNAL] Re: Call for Adoption: draft-davies-internal-tld
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/eOamhh-zu_7vGnEFdjPKsY-Q_uo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

> On 2 May 2025, at 15:12, Ben Schwartz <bemasc@meta.com> wrote:
> 
> We are comparing two options, and two types of deployments:
> 
> Option A: .internal is provably nonexistent at the root
> Option B: .internal is an unsigned delegation at the root
> 
> Type 1: A deployment that controls the stub's DNSSEC configuration
> Type 2: A deployment that cannot customize the client's DNSSEC configuration
> 
> For Type 1, options A and B achieve the same security and functionality.  Either way, the deployment can make use of .internal as a signed or unsigned zone, by configuring stubs with a local positive or negative trust anchor.  
> 
> For Type 2, "A" makes .internal empty for validating stubs, whereas "B" entrusts its contents to the recursive resolver.

Whereas "B" fails the validating stub resolver by allowing .internal to be spoofed. 

> The ICANN SSAC report suggests that one goal of .internal is to support devices that can function "without a priori knowledge of the network environment in which those devices are deployed".  This suggests that the SSAC intends for .internal to be usable in Type 2 deployments.

I prefer not to read between the lines what SSAC did or did not intend.

> I think the working group could reasonably publish a recommendation that "root zone owners" (i.e. ICANN) who are reserving "private-use TLDs" (i.e. .internal) SHOULD use an unsigned self-delegation unless "Type 2" deployments are clearly out of scope, for the sake of compatibility with non-customized validating stub resolvers.

SAC113 has had no practical impact on the root zone. The .internal domain has never existed in the root zone, and since the root has been signed (approximately 15 years ago) it can now be cryptographically proven not to exist.

Given that stub validators exist, mechanisms for adding or removing trust anchors for the root must also exist, especially considering the root key has already been rolled over once. Therefore, it's reasonable to assume a method for deploying negative trust anchors is also available.

In environments where customising a client's DNSSEC configuration isn't possible, there's likely a compelling reason for this restriction, and a software limitation alone shouldn't be considered sufficient justification.

Warmly,

Roy

v2.31.3 | Report a Bug | By Email | System Status