Re: [DNSOP] Call for Adoption: draft-arends-private-use-tld

Joe Abley <jabley@hopcount.ca> Thu, 18 June 2020 17:59 UTC

From: Joe Abley <jabley@hopcount.ca>
Mime-Version: 1.0 (1.0)
Date: Thu, 18 Jun 2020 19:59:05 +0200
Message-Id: <99964A5B-FEFF-44DB-A8CC-DEDFFE67B519@hopcount.ca>
References: <78631416-983E-4C33-BF48-28DAC6E7DA23@fugue.com>
Cc: Roy Arends <roy@dnss.ec>, dnsop@ietf.org
In-Reply-To: <78631416-983E-4C33-BF48-28DAC6E7DA23@fugue.com>
To: Ted Lemon <mellon@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/eZvfmGZv3ZAKSvGbOna3uTlLths>
Subject: Re: [DNSOP] Call for Adoption: draft-arends-private-use-tld

On Jun 18, 2020, at 19:22, Ted Lemon <mellon@fugue.com> wrote:

> What I’m getting at is that the secure denial of existence will mean that a DNSSEC-aware resolver, when asked to look up a name under .xa, for example, will always return NXDOMAIN.

I think we're speculating about behaviour in software that has not yet been written, software that will have a natural requirement to deal with the environment it finds itself deployed in.

But it also occurs to me that if we agree that the great root zone KSK roll melodrama illustrated that we have a root zone trust anchor distribution problem, it's not much of a stretch to generalise that statement and say that we have a trust anchor distribution problem.

The root zone and private-use internal zones that anchor private namespaces might all benefit from a robust trust anchor distribution strategy. If validators have the ability to be configured elegantly with all the trust anchors they need without the attention of a knowledgeable administrator (as a validating stub resolver might need with the root zone trust anchor) we might find that the DNSSEC concerns that led to horrors like home.arpa all disappear.


Joe
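Added example, not from this thread or from the draft: a toy validator check in Python that shows, against a constructed miniature root NSEC chain, how secure denial of existence at the root proves the whole .xa subtree absent (the NXDOMAIN Ted describes), and how a locally configured private zone with its own trust anchor changes that outcome. The `local_zones` parameter is an assumption standing in for whatever distribution mechanism Joe has in mind, and the NSEC chain is constructed, not real root data.

```python
# Added example (not from the thread or the draft). All DNS names here are
# constructed; the chain is a toy stand-in for the signed root zone's NSEC chain.

def canonical_key(name):
    """Sort key implementing RFC 4034 s6.1 canonical DNS name ordering:
    labels compared right to left, case-insensitively (ASCII names only here)."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))

def nsec_covers(owner, next_name, qname):
    """True if qname sorts strictly between owner and next_name (RFC 4035 s5.4).
    The last NSEC in a zone points back to the apex and covers everything after owner."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if n <= o:  # wrap-around record at the end of the chain
        return q > o or q < n
    return o < q < n

# Constructed fragment of a root-zone NSEC chain as (owner, next owner) pairs.
# The real root has far more TLDs; these few suffice to show the mechanism.
ROOT_NSEC = [(".", "aaa."), ("aaa.", "com."), ("com.", "www."),
             ("www.", "xbox."), ("xbox.", ".")]

def covering_nsec(qname, chain=ROOT_NSEC):
    return next((rec for rec in chain if nsec_covers(rec[0], rec[1], qname)), None)

def root_proves_nxdomain(qname, chain=ROOT_NSEC):
    """Return the NSEC pair a validator needs for a root-only NXDOMAIN proof of qname:
    one covering the TLD label and one covering the wildcard '*.' at the closest
    encloser (the root itself), or None when the TLD exists (referral, not denial)."""
    tld = [l for l in qname.rstrip(".").split(".") if l][-1] + "."
    if any(canonical_key(owner) == canonical_key(tld) for owner, _ in chain):
        return None  # TLD is delegated from the root: a referral, not a denial
    tld_nsec = covering_nsec(tld, chain)
    wildcard_nsec = covering_nsec("*.", chain)
    return (tld_nsec, wildcard_nsec) if tld_nsec and wildcard_nsec else None

def validator_answer(qname, local_zones=()):
    """Outcome for a validator that trusts the root and may also be configured with
    private zones (assumption: e.g. a locally served 'xa.' with its own trust anchor).
    A configured private zone is consulted before the root's denial proof applies."""
    labels = canonical_key(qname)
    for zone in local_zones:
        zkey = canonical_key(zone)
        if labels[:len(zkey)] == zkey:
            return "LOCAL"  # answered from the configured private namespace
    return "NXDOMAIN" if root_proves_nxdomain(qname) else "REFERRAL"
```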