IETF Logo Mail Archive

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

Mark Andrews <marka@isc.org> Fri, 14 October 2016 19:51 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03779129513 for <dnsop@ietfa.amsl.com>; Fri, 14 Oct 2016 12:51:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.897
X-Spam-Level:
X-Spam-Status: No, score=-9.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-2.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iLgc7MLFre6i for <dnsop@ietfa.amsl.com>; Fri, 14 Oct 2016 12:51:46 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1AD2B129510 for <dnsop@ietf.org>; Fri, 14 Oct 2016 12:51:46 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 349C634956B; Fri, 14 Oct 2016 19:51:43 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 23088160074; Fri, 14 Oct 2016 19:51:43 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 12759160073; Fri, 14 Oct 2016 19:51:43 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id lLJKTaECzSVb; Fri, 14 Oct 2016 19:51:43 +0000 (UTC)
Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id BE53F160051; Fri, 14 Oct 2016 19:51:41 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 12D4656AD777; Sat, 15 Oct 2016 06:51:39 +1100 (EST)
To: Paul Wouters <paul@nohats.ca>
From: Mark Andrews <marka@isc.org>
References: <20161014133135.2n3wuh2n5sb3jqt7@nic.fr> <alpine.LRH.2.20.1610141002540.16905@bofh.nohats.ca> <20161014140905.saqke7xyferwtrig@nic.fr> <alpine.LRH.2.20.1610141146120.21572@bofh.nohats.ca>
In-reply-to: Your message of "Fri, 14 Oct 2016 11:48:37 -0400." <alpine.LRH.2.20.1610141146120.21572@bofh.nohats.ca>
Date: Sat, 15 Oct 2016 06:51:39 +1100
Message-Id: <20161014195139.12D4656AD777@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/erW_s4LEXiuxTHvh6pqulcGKQBE>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Oct 2016 19:51:48 -0000

In message <alpine.LRH.2.20.1610141146120.21572@bofh.nohats.ca>, Paul Wouters w
rites:
> On Fri, 14 Oct 2016, Stephane Bortzmeyer wrote:
> 
> >     "Using DNAME in the DNS root zone for sinking  of special-use TLDs" ?
> > 
> > On Fri, Oct 14, 2016 at 10:04:21AM -0400,
> > Paul Wouters <paul@nohats.ca> wrote
> > a message of 19 lines which said:
> >
> >> But by adding delegations in the root to AS112, aren't we making it
> >> more likely that the queries leak further onto the net?
> >
> > That's precisely the point described in section 6, second paragraph.
> 
> The difference is between "doing the draft and reducing the problem
> caused" versus "this problem is big enough to not do the draft".
> 
> I do not know yet where I stand on this. I do feel that since we are
> talking about "bad old DNS software" that wouldn't already be suppressing
> special use names, it is most likely that this old software also does
> not support DNAMEs.
> 
> Paul

A alternative is to insecurely delegate .local to the root servers
themselves and to request that recursive servers maintain their own
empty .local.  The roots will then get just DS queries for .local
when there is a validating recursive client behind the recursive
server that is leaking <foo>.local queries into the DNS.

The same solution also works for .onion.
 
Having a local copy of the root zone still works with this.

This stops leaks of <foo>.local to the root servers which qname
minimisation doesn't.  The extent of the leak is that you know
.local is in use when you have a validating recursive client.

Mark

> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email