IETF Logo Mail Archive

Re: [DNSOP] ALT-TLD and (insecure) delgations.

Robert Edmonds <edmonds@mycre.ws> Wed, 01 February 2017 20:44 UTC

Return-Path: <edmonds@mycre.ws>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01C9A12958A for <dnsop@ietfa.amsl.com>; Wed, 1 Feb 2017 12:44:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.101
X-Spam-Level:
X-Spam-Status: No, score=-5.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-3.199, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2ypt0NzGgW-S for <dnsop@ietfa.amsl.com>; Wed, 1 Feb 2017 12:44:56 -0800 (PST)
Received: from mycre.ws (mycre.ws [45.33.102.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A24B129431 for <dnsop@ietf.org>; Wed, 1 Feb 2017 12:44:56 -0800 (PST)
Received: by chase.mycre.ws (Postfix, from userid 1000) id EF6EE12C0F11; Wed, 1 Feb 2017 15:44:55 -0500 (EST)
Date: Wed, 01 Feb 2017 15:44:55 -0500
From: Robert Edmonds <edmonds@mycre.ws>
To: Warren Kumari <warren@kumari.net>
Message-ID: <20170201204455.6nymmjlj5lzq2ect@mycre.ws>
References: <CAHw9_i+8PA3FQx8FqW-xQ_96it7k-g5UrMB7fxARUi1gwQ++hw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAHw9_i+8PA3FQx8FqW-xQ_96it7k-g5UrMB7fxARUi1gwQ++hw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/eoKGLdINUlpPwXXiMrIrO68cH6k>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] ALT-TLD and (insecure) delgations.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Feb 2017 20:44:58 -0000

Warren Kumari wrote:
> The largest outstanding issue is what to do about DNSSEC -- this is
> (potentially) a problem for any / all 6761 type names.
> The root is signed, so if a query leaks into the DNS (as they will),
> an (unaware) validating resolver will try resolve it, and will expect
> either a signed answer, or proof of an insecure delegation; without
> this things will look bogus, and so resolvers will SERVFAIL.
> 
> Clearly, a signed answer isn't feasible, so that leaves 2 options - 1:
> simply note that validation will fail, and that SERVFAIL will be
> returned in many case (to me this seems "correct"), or 2: request that
> the IANA insert an insecure delegation in the root, pointing to a:
> AS112 or b: an empty zone on the root or c" something similar.

Hi, Warren:

I'm kind of confused. If a .ALT query leaks into the DNS, and there's
neither a secure or insecure delegation in the root, isn't the result a
signed NXDOMAIN, not a SERVFAIL?

    ; <<>> DiG 9.11.0-P1 <<>> +dnssec foo.alt
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36917
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

-- 
Robert Edmonds

v2.29.0 | Report a Bug | By Email | System Status