Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?
Mark Andrews <marka@isc.org> Fri, 14 October 2016 19:51 UTC
To: Paul Wouters <paul@nohats.ca>
From: Mark Andrews <marka@isc.org>
References: <20161014133135.2n3wuh2n5sb3jqt7@nic.fr> <alpine.LRH.2.20.1610141002540.16905@bofh.nohats.ca> <20161014140905.saqke7xyferwtrig@nic.fr> <alpine.LRH.2.20.1610141146120.21572@bofh.nohats.ca>
In-reply-to: Your message of "Fri, 14 Oct 2016 11:48:37 -0400." <alpine.LRH.2.20.1610141146120.21572@bofh.nohats.ca>
Date: Sat, 15 Oct 2016 06:51:39 +1100
Message-Id: <20161014195139.12D4656AD777@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/erW_s4LEXiuxTHvh6pqulcGKQBE>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?
In message <alpine.LRH.2.20.1610141146120.21572@bofh.nohats.ca>, Paul Wouters writes:
> On Fri, 14 Oct 2016, Stephane Bortzmeyer wrote:
>
> > "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?
> >
> > On Fri, Oct 14, 2016 at 10:04:21AM -0400,
> > Paul Wouters <paul@nohats.ca> wrote
> > a message of 19 lines which said:
> >
> >> But by adding delegations in the root to AS112, aren't we making it
> >> more likely that the queries leak further onto the net?
> >
> > That's precisely the point described in section 6, second paragraph.
>
> The difference is between "doing the draft and reducing the problem
> caused" versus "this problem is big enough to not do the draft".
>
> I do not know yet where I stand on this. I do feel that since we are
> talking about "bad old DNS software" that wouldn't already be suppressing
> special use names, it is most likely that this old software also does
> not support DNAMEs.
>
> Paul

An alternative is to insecurely delegate .local to the root servers
themselves and to request that recursive servers maintain their own
empty .local. The roots will then get just DS queries for .local
when there is a validating recursive client behind the recursive
server that is leaking <foo>.local queries into the DNS.

The same solution also works for .onion.

Having a local copy of the root zone still works with this.

This stops leaks of <foo>.local to the root servers which qname
minimisation doesn't.

The extent of the leak is that you know .local is in use when you
have a validating recursive client.

Mark

> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
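Added example, not part of the message above and not code from any resolver: a simplified Python model of a recursive server that holds its own empty `local.` and `onion.` zones, showing that only DS queries at the zone apex still have to go to the parent (the root). The function names, the zone tuple and the query log are constructed for illustration.

```python
# Added illustration; the zone list and query log are constructed sample data.
LOCAL_EMPTY_ZONES = ("local.", "onion.")  # empty zones held by the recursive server

def normalize(name):
    """Lower-case a DNS name and make it absolute (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def enclosing_zone(qname, zones=LOCAL_EMPTY_ZONES):
    """Return the locally held zone that contains qname, or None."""
    qname = normalize(qname)
    for zone in zones:
        if qname == zone or qname.endswith("." + zone):
            return zone
    return None

def route(qname, qtype, zones=LOCAL_EMPTY_ZONES):
    """Return (destination, result) for a query reaching the recursive server."""
    qname = normalize(qname)
    zone = enclosing_zone(qname, zones)
    if zone is None:
        return ("upstream", "normal recursion")
    if qname == zone and qtype == "DS":
        # The DS RRset lives on the parent side of the zone cut, so the
        # local copy of the child zone cannot answer it: ask the parent.
        return ("upstream", "DS at zone cut")
    if qname == zone:
        # Apex of an empty zone: only SOA and NS records exist there.
        return ("local", "NOERROR" if qtype in ("SOA", "NS") else "NODATA")
    return ("local", "NXDOMAIN")  # nothing exists below an empty apex

def seen_by_root(queries, zones=LOCAL_EMPTY_ZONES):
    """Special-use queries from the log that still leave the resolver."""
    return [(normalize(n), t) for n, t in queries
            if enclosing_zone(n, zones) and route(n, t, zones)[0] == "upstream"]

# Constructed sample of stub queries arriving at the recursive server.
SAMPLE_QUERIES = [
    ("printer.local", "A"),
    ("printer.local", "AAAA"),
    ("local", "DS"),        # from a validating client walking the chain of trust
    ("hidden.onion", "A"),
    ("onion.", "DS"),
    ("Foo.Local.", "DS"),   # DS below the apex: the local zone is the parent
    ("www.example.com", "A"),
]

if __name__ == "__main__":
    print(seen_by_root(SAMPLE_QUERIES))
```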