IETF Logo Mail Archive

[DNSOP] Re: [Ext] Re: what problem are we trying to solve, was Call for Adoption: draft-davies-internal-tld

Paul Hoffman <paul.hoffman@icann.org> Tue, 06 May 2025 18:09 UTC

Return-Path: <paul.hoffman@icann.org>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 067CB258A523 for <dnsop@mail2.ietf.org>; Tue, 6 May 2025 11:09:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id am---WQdqoVS for <dnsop@mail2.ietf.org>; Tue, 6 May 2025 11:09:34 -0700 (PDT)
Received: from ppa3.lax.icann.org (ppa3.lax.icann.org [192.0.33.78]) by mail2.ietf.org (Postfix) with ESMTP id 8389B258A51A for <dnsop@ietf.org>; Tue, 6 May 2025 11:09:34 -0700 (PDT)
Received: from MBX112-W2-CO-1.pexch112.icann.org (out.mail.icann.org [64.78.33.5]) by ppa3.lax.icann.org (8.18.1.2/8.18.1.2) with ESMTPS id 546I9Vt2007936 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 6 May 2025 18:09:31 GMT
Received: from MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) by MBX112-W2-CO-2.pexch112.icann.org (10.226.41.130) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Tue, 6 May 2025 11:09:30 -0700
Received: from MBX112-W2-CO-1.pexch112.icann.org ([169.254.44.235]) by MBX112-W2-CO-1.pexch112.icann.org ([169.254.44.235]) with mapi id 15.02.1544.011; Tue, 6 May 2025 11:09:30 -0700
From: Paul Hoffman <paul.hoffman@icann.org>
To: Ted Lemon <mellon@fugue.com>
Thread-Topic: [Ext] [DNSOP] Re: what problem are we trying to solve, was Call for Adoption: draft-davies-internal-tld
Thread-Index: AQHbvowxQLetj6UOTkOtyQFCRTJXmbPFop1NgACihgCAAAK1gIAAFG2A
Date: Tue, 06 May 2025 18:09:30 +0000
Message-ID: <C3487997-B656-4A6D-A069-752077629957@icann.org>
References: <1C9E8ABA-4399-491B-A9F4-D9ACCB1BA72C@virtualized.org> <866409E5-0D9A-4669-8C6E-C9D1C7BDAA21@dnss.ec> <SA1PR15MB4370BAE2BD669193DDB9AE44B38D2@SA1PR15MB4370.namprd15.prod.outlook.com> <20250502171756.5AC67C762C3C@ary.qy> <SA1PR15MB43704113DF8B19A8A5A66AD6B38D2@SA1PR15MB4370.namprd15.prod.outlook.com> <4B83E121-9562-449C-A00E-2A31894ADED0@icann.org> <m1uBDWf-0000MlC@stereo.hq.phicoh.net> <9EE8E4CC-04A3-46C7-BDDF-EF538A822AA8@virtualized.org> <m1uBHRs-0000LsC@stereo.hq.phicoh.net> <BE3A5560-740A-47A9-835B-8C8EEF2B50B9@virtualized.org> <m1uCDdk-0000LlC@stereo.hq.phicoh.net> <20250506133721.199BCC803209@ary.qy> <m1uCItL-0000LTC@stereo.hq.phicoh.net> <6d8bc9b1-8729-08b7-bd0c-564ae0dd3a59@taugh.com> <9D0395B7-1157-4569-B2C7-628BBD909887@fugue.com>
In-Reply-To: <9D0395B7-1157-4569-B2C7-628BBD909887@fugue.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.0.32.234]
x-source-routing-agent: True
Content-Type: text/plain; charset="us-ascii"
Content-ID: <29E91B8D07795944A1EF8E24C680A601@pexch112.icann.org>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.0.736,FMLib:17.12.80.40 definitions=2025-05-06_08,2025-05-05_01,2025-02-21_01
Message-ID-Hash: XMJZ3VMGBQNUZDPPX6EDSCAX6VVNO6RE
X-Message-ID-Hash: XMJZ3VMGBQNUZDPPX6EDSCAX6VVNO6RE
X-MailFrom: paul.hoffman@icann.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "dnsop@ietf.org" <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: [Ext] Re: what problem are we trying to solve, was Call for Adoption: draft-davies-internal-tld
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ebz13BG8ZRh2_QRVzOBXW64cdvg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

On May 6, 2025, at 09:56, Ted Lemon <mellon@fugue.com> wrote:
> 
> I think that you're trying to solve two different problems here. The first problem is just generally what can you do to avoid causing a validation failure? The second problem is, how can you actually validate locally served domains?
> 
> They are both really interesting questions, and I think that it would be very useful to consider how we would solve the problem of validating locally served domain. 
> 
> However, this is not absolve us of the responsibility to make sure that we don't accidentally cause validation failures where they are inappropriate. We already have prior art on this. We know how to solve this problem. RFCs that solve this problem all solve that and exactly the same way.

...and that way might not work the way we want, and thus should be defined in RFCs before we make recommendations about them. In specific, we don't have any RFCs that deal with insecure delegation for clients that move around.

Assume that a resolver for a corporate network uses .example as a TLD for its internal users. A user starts up their laptop when outside the network, and try to access foo.example.

- If .example is not listed in the root zone, they get a short-lived NXDOMAIN. When they move on to the corporate network after a short period of time, and try again, they get the address for foo.example.

- If .example has an insecure delegation, they get a two-day TTL to a nameserver that will tell them that foo.example doesn't exist.  When they move on to the corporate network after a short period of time, they still believe that foo.example doesn't exist because they believe the nameserver for .example is the one in the insecure delegation at the root.

This can probably be fixed, but we don't currently have such a fix in an RFC. I suspect there will be strong disagreement about what the fix should be (I have no opinion, and probably won't later). Saying "We already have prior art on this" understates what the "this" is.

--Paul Hoffman

v2.31.3 | Report a Bug | By Email | System Status