Re: [DNSOP] ALT-TLD and (insecure) delegations.

Brian Dickson <brian.peter.dickson@gmail.com> Tue, 07 February 2017 22:18 UTC

To: Mark Andrews <marka@isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/gkm-5b4P9IlOiWr7_k0VgZuxxpg>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, Ted Lemon <mellon@fugue.com>

On Tue, Feb 7, 2017 at 1:48 PM, Mark Andrews <marka@isc.org> wrote:

>
> In message <18F2EB0D-5BD0-4CC5-B02C-2E5EA0B8CC23@fugue.com>, Ted Lemon
> writes:
> > Hm.   When I look for foo.alt, what I get is NXDOMAIN, not SERVFAIL.
> > When I validate, I get a secure denial of existence.   This is the
> > correct behavior.   Why do you think we would get a SERVFAIL?
>
> Because your testing is incomplete.
>
> Go add an empty zone (SOA and NS records only) for alt to your
> recursive server.  This is what needs to be done to prevent
> privacy leaks.
>
>
Here are some possible alternatives (to having the empty zone be named
"alt.").

First: make the locally served empty zone be "empty.as112.arpa".

Or, second method: have the DNAME RDATA be "alt.empty.as112.arpa", and the
locally served zone be the same name.

Or, third, have some other name for the zone (anything other than alt, or
really anything that doesn't collide with a global name), and then use a
local DNAME from "empty.as112.arpa" (or "alt.empty.as112.arpa") to that
zone's name (e.g. "homenet" or "homenet.local" or whatever you wish).

Since all of the above occur at or below the transition to unsigned, they
should validate. (I need to test these, but I don't see why they wouldn't
work, and all of the above avoid leaking queries to the root or to AS112
servers.)

Brian



> Configure another recursive server to forward its queries to this
> server and enable validation.
>
> Now ask for foo.alt from this second server.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
>
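As an added illustration (not code from either poster), here is a small Python model of what a validating forwarder concludes in Mark's two-server test (local empty zone named "alt") versus Brian's first two alternatives (local zone at "empty.as112.arpa" or "alt.empty.as112.arpa"). The public tree, the validator walk and the names are constructed assumptions for this example; the DNAME part of the second and third alternatives is not modelled.

```python
# Constructed public tree as a validator sees it. For each zone: whether it is
# signed, and its child zone cuts mapped to "parent holds a DS for this child".
# empty.as112.arpa is a DS-less (insecure) delegation, as RFC 7535 specifies.
PUBLIC_TREE = {
    ".": {"signed": True, "delegations": {"arpa": True}},
    "arpa": {"signed": True, "delegations": {"as112.arpa": True}},
    "as112.arpa": {"signed": True, "delegations": {"empty.as112.arpa": False}},
    "empty.as112.arpa": {"signed": False, "delegations": {}},
}


def suffixes(name):
    """'foo.alt' -> ['alt', 'foo.alt']: ancestors from the TLD down to the name."""
    labels = name.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]


def expected_status(name, tree=PUBLIC_TREE):
    """Follow the chain of trust from the root toward `name`.
    Returns 'insecure' once a DS-less delegation or an unsigned zone is
    crossed; otherwise 'secure', i.e. the validator expects signed data
    (or a signed denial of existence) for `name`."""
    zone = "."
    for suffix in suffixes(name):
        if not tree[zone]["signed"]:
            return "insecure"
        cuts = tree[zone]["delegations"]
        if suffix in cuts:
            if not cuts[suffix]:          # delegation without DS: chain ends
                return "insecure"
            zone = suffix                 # signed child zone: keep walking
    return "secure" if tree[zone]["signed"] else "insecure"


def closest_local_zone(qname, local_zones):
    """Longest locally served zone that contains qname, or None."""
    hits = [z for z in local_zones if qname == z or qname.endswith("." + z)]
    return max(hits, key=len) if hits else None


def forwarder_result(qname, local_zones, tree=PUBLIC_TREE):
    """(rcode, validation state) a validating forwarder ends up with for a
    name that has no public existence, when its upstream serves `local_zones`
    as unsigned empty zones."""
    zone = closest_local_zone(qname, local_zones)
    if zone is None:                      # public tree answers the query
        return ("NXDOMAIN", expected_status(qname, tree))
    if expected_status(zone, tree) == "secure":
        return ("SERVFAIL", "bogus")      # unsigned data where signed is required
    return ("NXDOMAIN", "insecure")       # below an insecure cut: accepted as-is
```

Ted's observation corresponds to `forwarder_result("foo.alt", [])`, Mark's to `forwarder_result("foo.alt", ["alt"])`, and Brian's first alternative to `forwarder_result("foo.empty.as112.arpa", ["empty.as112.arpa"])`.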