IETF Logo Mail Archive

[DNSOP] Re: [Ext] Re: Call for Adoption: draft-davies-internal-tld

Ted Lemon <mellon@fugue.com> Thu, 01 May 2025 20:56 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id B54AB23C7B95 for <dnsop@mail2.ietf.org>; Thu, 1 May 2025 13:56:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.798
X-Spam-Level:
X-Spam-Status: No, score=-2.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=fugue.com header.b="clYUyjBy"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="VvrKo4lK"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hrL56UfXUZyv for <dnsop@mail2.ietf.org>; Thu, 1 May 2025 13:56:22 -0700 (PDT)
Received: from flow-a1-smtp.messagingengine.com (flow-a1-smtp.messagingengine.com [103.168.172.136]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id BB71023C7B8E for <dnsop@ietf.org>; Thu, 1 May 2025 13:56:22 -0700 (PDT)
Received: from phl-compute-12.internal (phl-compute-12.phl.internal [10.202.2.52]) by mailflow.phl.internal (Postfix) with ESMTP id 4764D2001DB; Thu, 1 May 2025 16:56:22 -0400 (EDT)
Received: from phl-imap-10 ([10.202.2.85]) by phl-compute-12.internal (MEProxy); Thu, 01 May 2025 16:56:22 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue.com; h=cc :cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm1; t=1746132982; x=1746140182; bh=1zT0j63Fps bkPa4SrbGi0Vtws4qHxYol3YQbfFk4RG4=; b=clYUyjByOXBek2HeNF7gDEnE07 Iq9feQxOCooQsCVBWRX5Iv/HwIxvVdp64LaatYgdd7BJ9RvL0qAA8kCNsjmOBpL0 EivSV2d7Rf/nVj4HbIOUe47vnXBO7CkXKap5GG2UNQ35oOID6TkbOmOsrEjRiphD TOVJRdVJfQQJcU8LGM24n0OGvF5RNcmGI97nlKnvupmHuRFJacqT5vqs0Fod8BLS aLdMyLHu4yoDCgTI7QQLs6KVKzNuHTEMo0uNMXSHFR8tcCL63ga0GdoSR5NibSfJ sPbhRIQQax1Vy4zWsaHrHWMlnbT1rP9+yvhte4tC2w2SBmbthFzugiym7rnQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t= 1746132982; x=1746140182; bh=1zT0j63FpsbkPa4SrbGi0Vtws4qHxYol3YQ bfFk4RG4=; b=VvrKo4lKkXzW1LE1MjiPYeKUxaMEESJYjKUrkoHahoOkOh+Urnr IKJGsPRt65AMFR2PixiOVTip8aV/wUb90DVLxkyU2CS7OZ4OneSAIBmCPlCpepQb 4gG8pPpCmIV8qPW7ZkiPpIFPrO47JB/AP3VxMYcbenhUy5yeQEPdEDPYdVA5G6Bi bXj7vMCXYgjXFn245M7IIqmdMwX3sgfJXO4LH3EUS27J9xxJAV6vNPjRrHZKv2cF PVp7YZwgqhYQtscTXbKDQi7kiMGLZeGEpfucvvw+c/4gCV9kaRuHsRCdUKrq7mlB RUNdvFDKQFFdotjQPG8A1dxUzA4waJD/QhA==
X-ME-Sender: <xms:9t8TaLrImcmbY4BnMX0WHDp1t3kbMMLdqkdcas9FPDpQTqsha1e_lw> <xme:9t8TaFqvP6BcI4k5ZHhI1ugsNmR3iqUCg_2LDnh6KkjWZqyhotIULB6N06fAuf8dp YOnztG6nS1sqtoo4lI>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefvddrtddtgddvjedtheelucetufdoteggodetrf dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggv pdfurfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpih gvnhhtshculddquddttddmnecujfgurhepofggfffhvfevkfgjfhfutgesrgdtreerredt jeenucfhrhhomhepfdfvvgguucfnvghmohhnfdcuoehmvghllhhonhesfhhughhuvgdrtg homheqnecuggftrfgrthhtvghrnhepfeeugfdttdffkeefieejueduieevuefgvddvleel jedvjeejhedvtdfgleevudetnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpe hmrghilhhfrhhomhepmhgvlhhlohhnsehfuhhguhgvrdgtohhmpdhnsggprhgtphhtthho pedvpdhmohguvgepshhmthhpohhuthdprhgtphhtthhopehprghulhdrhhhofhhfmhgrnh esihgtrghnnhdrohhrghdprhgtphhtthhopegunhhsohhpsehivghtfhdrohhrgh
X-ME-Proxy: <xmx:9t8TaIPdAB2sl6qxqoR67Ht5O6I_hfkoVA6wJtcFDdjZUKzcpbpo4Q> <xmx:9t8TaO5uCTSsjJtbN184DqnpejY0XLDmq3p7M_0TALMXJnMcgh4r4A> <xmx:9t8TaK7TWYVz4zc389oQbcO3Aer6fOIeYYgJMfW5xYZn-Goj0gPwrQ> <xmx:9t8TaGgRvASiSZdCqoJDZIGy9LoflF9ULSViA-d9ZEGWtsolKnyXBw> <xmx:9t8TaPlSheYRfelW1wUtrod93THHoeyng4Eyd55GUyBhScxSa1DX2F0T>
Feedback-ID: i1136489e:Fastmail
Received: by mailuser.phl.internal (Postfix, from userid 501) id ED3C63C0068; Thu, 1 May 2025 16:56:21 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
MIME-Version: 1.0
X-ThreadId: Teb8ce65f3fed0dd8
Date: Thu, 01 May 2025 16:56:01 -0400
From: Ted Lemon <mellon@fugue.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Message-Id: <57d538ec-f6aa-4a20-a9a3-35ba773c389e@app.fastmail.com>
In-Reply-To: <70480CD5-1299-480B-98F9-5C418940A80C@icann.org>
References: <m1u5h1G-0000LcC@stereo.hq.phicoh.net> <83666fd3-a51f-46e1-a5ac-0b9a46361480@desec.io> <49E3B1B6-E960-4A46-9C5D-2721FD57132D@depht.com> <3b5fb9e7-8a2b-420f-a2fb-dd6f6a0b88ae@isc.org> <89047B78-A2B1-43F2-A996-94DF1E90538A@depht.com> <cc84f69c-c349-4d91-b942-80221b564a9b@isc.org> <ac48e27d-479f-42f3-b87f-891220ef2fe8@app.fastmail.com> <BE721880-6254-48F4-9F91-567A99E0511B@icann.org> <m1u7asT-0000MtC@stereo.hq.phicoh.net> <01E23110-9A50-4187-8A54-34D514504F9B@strandkip.nl> <3A48CBC3-B55B-4FCF-B713-A7CA4C7BB7CC@strandkip.nl> <8E36C1B8-C67B-4704-9E3B-7143863E2262@icann.org> <87f219df-34f0-48fa-89cf-8cb8300c86c2@app.fastmail.com> <1359A8E4-E436-4EC5-B5C7-E0713A3E8182@icann.org> <b5e95596-ffa7-491f-86c5-27a9c98b4336@app.fastmail.com> <31972B9D-D604-43BF-9638-5DC7F36C0FCE@icann.org> <4642026e-81d6-4620-b4c5-6af67d59e6d5@app.fastmail.com> <70480CD5-1299-480B-98F9-5C418940A80C@icann.org>
Content-Type: multipart/alternative; boundary="86c42731d55642178a727ad02cad72e8"
Message-ID-Hash: Z7Y36NJENMISBVGZ4BT3MYAOS3REJLLT
X-Message-ID-Hash: Z7Y36NJENMISBVGZ4BT3MYAOS3REJLLT
X-MailFrom: mellon@fugue.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "dnsop@ietf.org WG" <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: [Ext] Re: Call for Adoption: draft-davies-internal-tld
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/g9a075WU1-nrTf08pUdUfsrfe5c>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

If validating stubresolvers all go to the root, we get no benefit from caching. That seems bad if at some point they become commonplace, although of course it’s fine now. 

On Thu, May 1, 2025, at 1:55 PM, Paul Hoffman wrote:
> On May 1, 2025, at 10:32, Ted Lemon <mellon@fugue.com> wrote:
> > 
> > On Thu, May 1, 2025, at 12:07 PM, Paul Hoffman wrote:
> >> 
> >> 
> >> On Apr 30, 2025, at 18:25, Ted Lemon <mellon@fugue.com> wrote:
> >> > 
> >> > The local resolver can safely lie about the delegation, so unless the stub resolver queries the root directly this isn’t an issue.
> >> 
> >> A validating stub resolver would indeed query the root to create the chain of trust. That's the whole point of *validating* stub resolvers.
> > 
> > 
> > The stub resolver queries the chain of trust, but why would it send a packet to a root server?
> 
> It could ask the configured recursive for the chain-building data, but it is more reliable to ask the source zone.
> 
> > Is that what we want it to do?
> 
> Unless we have specified otherwise (and I don't think we have for validating stub resolvers), what we want is irrelevant.
> 
> > Normally I would expect it to query the local network resolver and then validate. I think that’s what our implementation does unless DoH is configured. Is yours different?
> 
> In the cases discussed here (the recursive has a record at foo.internal, and either .internal is missing from the root zone or has an insecure delegation in the root zone), how does your implementation help the validating stub resolver build the chain of trust? And what happens if "DoH is configured"?
> 
> > I’m under the impression that no delegation at the root means the delegation can be proven not to exist. Am I mistaken?
> 
> You are not mistaken: there is no NSEC record for .internal (but there is for .int and .international).
> 
> >> > But this isn’t generally necessary. If you’re doing DNSSEC the only reason not to trust the local resolver is if it doesn’t give enough answers to construct the proofs. 
> >> 
> >> You may feel that way, but that's not the model adopted by the DNSSEC standards.
> > 
> > 
> > Again not my understanding of how existing validating stub resolvers work, but I’m curious to know what your experience with this is. My sample is one at the moment—the one in Apple’s operating systems. 
> > 
> 
> See my question above. The IETF has given no guidance for how a validating stub resolver should be configured, and yet that is quite important for this discussion.
> 
> --Paul Hoffman
> 
>

v2.31.3 | Report a Bug | By Email | System Status