Re: [DNSOP] ALT-TLD and (insecure) delegations.

Ted Lemon <mellon@fugue.com> Fri, 03 February 2017 21:34 UTC

From: Ted Lemon <mellon@fugue.com>
Message-Id: <9B6211A9-20B5-4B15-A8FD-A1390DAD76AE@fugue.com>
Date: Fri, 03 Feb 2017 16:34:21 -0500
In-Reply-To: <20170203210922.7286C618213C@rock.dv.isc.org>
To: Mark Andrews <marka@isc.org>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, Brian Dickson <brian.peter.dickson@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/g1cNsC4lyVWb2THzNQ0VIZndFjc>

On Feb 3, 2017, at 4:09 PM, Mark Andrews <marka@isc.org> wrote:
> You need an insecure delegation for ALT for the purposes we want to
> use ALT for.

I don't think there's consensus on what we want to use ALT for. I see Ralph arguing that ALT is never used to resolve things using the DNS protocol, and I see you saying that that's one of the uses we have in mind. We need to figure out which of these we are actually trying to do.

If you are right, we need an insecure delegation in the root, and ALT queries will by default be answered using DNS (in the sense that existing resolvers have no special-case handling for ALT). If Ralph is right, you can still use the DNS protocol to resolve names in .ALT, but you have to use a specially modified resolver to do it: one that ignores the secure denial of existence from the root.
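The two outcomes the message contrasts, an insecure delegation for ALT in the root versus a secure denial of existence for it, can be shown with a small model of how a validating resolver reads the root's NSEC chain. The code below is an added illustration, not code from the thread or from any resolver implementation; the root-zone fragments are constructed, signature verification is omitted, and only the top-level label of a query is classified. The "special-case" path models the modified resolver the message describes, which handles .alt locally instead of consulting the root's denial.

```python
"""Model of RFC 4035-style NSEC reasoning at the root for names under .alt.

Constructed example: two toy root zones, one with an insecure delegation
for alt. (NS present, no DS) and one with no alt. entry at all.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class NSEC:
    owner: str            # owner name of the NSEC record
    next_name: str        # next owner name in canonical order
    types: frozenset      # RR types present at the owner name

def canonical_key(name: str):
    """RFC 4034 section 6.1 ordering: labels compared right to left, case-folded."""
    labels = [l.lower() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))

def nsec_covers(rec: NSEC, name: str) -> bool:
    """True if name sorts strictly between owner and next_name (name does not exist)."""
    o, n, q = canonical_key(rec.owner), canonical_key(rec.next_name), canonical_key(name)
    if o < n:
        return o < q < n
    return q > o or q < n   # last NSEC wraps around to the zone apex

# Constructed root zones (only the NSEC chain matters for this model).
ROOT_WITH_ALT = [
    NSEC(".",    "ai.",  frozenset({"SOA", "NS", "DNSKEY", "RRSIG", "NSEC"})),
    NSEC("ai.",  "alt.", frozenset({"NS", "DS", "RRSIG", "NSEC"})),
    NSEC("alt.", "com.", frozenset({"NS", "RRSIG", "NSEC"})),   # NS, no DS: insecure delegation
    NSEC("com.", ".",    frozenset({"NS", "DS", "RRSIG", "NSEC"})),
]
ROOT_WITHOUT_ALT = [
    NSEC(".",    "ai.",  frozenset({"SOA", "NS", "DNSKEY", "RRSIG", "NSEC"})),
    NSEC("ai.",  "com.", frozenset({"NS", "DS", "RRSIG", "NSEC"})),   # alt. falls in this gap
    NSEC("com.", ".",    frozenset({"NS", "DS", "RRSIG", "NSEC"})),
]

def classify_tld(root_nsecs, qname: str) -> str:
    """What a validating resolver concludes about the TLD of qname from the root chain."""
    tld = qname.rstrip(".").split(".")[-1] + "."
    for rec in root_nsecs:
        if canonical_key(rec.owner) == canonical_key(tld):
            if "DS" in rec.types:
                return "secure-delegation"        # validation continues below the cut
            if "NS" in rec.types:
                return "insecure-delegation"      # resolve below via ordinary DNS, unvalidated
            return "no-delegation"
        if nsec_covers(rec, tld):
            return "secure-nxdomain"              # proven not to exist; ordinary resolvers stop here
    return "bogus"                                # no usable proof either way

def resolve_outcome(root_nsecs, qname: str, special_case_alt: bool = False) -> str:
    """Hypothetical resolver front end: the modified resolver ignores the root's denial for .alt."""
    if special_case_alt and qname.rstrip(".").lower().endswith("alt"):
        return "handled-locally"   # never asks the root about alt.
    return classify_tld(root_nsecs, qname)

if __name__ == "__main__":
    for zone_name, zone in (("with alt", ROOT_WITH_ALT), ("without alt", ROOT_WITHOUT_ALT)):
        print(zone_name, "->", resolve_outcome(zone, "foo.bar.alt."))
    print("without alt, modified resolver ->",
          resolve_outcome(ROOT_WITHOUT_ALT, "foo.bar.alt.", special_case_alt=True))
```

With the delegation present, an unmodified validating resolver treats everything under alt. as an insecure subtree and resolves it with the DNS protocol as usual; without it, the covering NSEC is a signed proof of non-existence, and only a resolver that deliberately short-circuits .alt before consulting the root will answer such queries.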