IETF Logo Mail Archive

[DNSOP] Re: [Ext] Re: Call for Adoption: draft-davies-internal-tld

Ted Lemon <mellon@fugue.com> Thu, 01 May 2025 10:46 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id C0D81238D430 for <dnsop@mail2.ietf.org>; Thu, 1 May 2025 03:46:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.798
X-Spam-Level:
X-Spam-Status: No, score=-2.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=fugue.com header.b="jTKKGvGh"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="qc3MpYcW"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q-MvGolhPEDA for <dnsop@mail2.ietf.org>; Thu, 1 May 2025 03:46:13 -0700 (PDT)
Received: from flow-b2-smtp.messagingengine.com (flow-b2-smtp.messagingengine.com [202.12.124.137]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id A0F6D238D429 for <dnsop@ietf.org>; Thu, 1 May 2025 03:46:13 -0700 (PDT)
Received: from phl-compute-12.internal (phl-compute-12.phl.internal [10.202.2.52]) by mailflow.stl.internal (Postfix) with ESMTP id 467DE1D41DB1 for <dnsop@ietf.org>; Thu, 1 May 2025 06:46:13 -0400 (EDT)
Received: from phl-imap-10 ([10.202.2.85]) by phl-compute-12.internal (MEProxy); Thu, 01 May 2025 06:46:13 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue.com; h=cc :content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm1; t=1746096373; x=1746103573; bh=Cgwn6GfDBj xLJIPzr4dbbsp8+Tm501e23cPYgqPNNn4=; b=jTKKGvGh5uuVtdROSxn7ez89nY W/lHn2F0J+vYHWaJRHqNS7czXlzo26chtm81/0RziPmU5zs/kA7ebHCe1x0y3d+p rRnW6CXe8S4/Iyaq4KZotErctPIHurMua5lLXQiQe1jzxBSP/xNzV6IYch22iusO XvH+7+Ss2kysMibOWtOYtc6hPdfcV70EToUCm2XWaZRpp3bfia+8kz+7JbnfDP3C xCXmgmczV3Ew55ThB72OUzMQCEve1NXPE6X0bAmOMf1yabPrzH/kJeQezS+k7YoR DRDOJbmBNoaDn0lSDVL85kfZFSotppO6G+KDrv3To3IdayQyp+ri0BA+Ed0A==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t= 1746096373; x=1746103573; bh=Cgwn6GfDBjxLJIPzr4dbbsp8+Tm501e23cP YgqPNNn4=; b=qc3MpYcWMkqv7Jo2EqjdjLAQEdzw/Pms9gvYzBBW+UqAj2pjuuY ZVa8UGje3LbEfHjBpmAF1aHe/2KP2GGUT0Qer/GRXQkGMQXRr4eSujZH7ODEO3/i 09PuQ0RxUc1MphXs0HmPeQbqW2xkQJ477r8LH0p5NZ4by8r2NPmMxX5zUkhiZuqB sN5RhPvSpZEoyD7pP9TMZMAFsQ0HBhYtAMQMUNzDZneZ5OjfIr7WsslaqmLXzpzb U8nlVlEv4QJ9+a8mmaLI8ZdfaWcgGPwVkFbC4lP9Mq+Fn+sMKlht7IIkROKporNU vASmtcBP+t4lVMqO/fwxWkaXdpjayS2HRoA==
X-ME-Sender: <xms:9FATaBM9wkJzJFEPQ0LaRF_5id2EAq1O4yoP9A0kuxeSF7hNCGv_YA> <xme:9FATaD8vDf9LwgBvOwDUZIJHo8IT619l2DKOG1c1xnuPswPqyO30VQiZef6SMggPr W3KeNLNXa9iBzl4zrc>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefvddrtddtgddvieelfeejucetufdoteggodetrf dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggv pdfurfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucenucfjughrpefogg ffhffvkfgjfhfutgesrgdtreerredtjeenucfhrhhomhepfdfvvgguucfnvghmohhnfdcu oehmvghllhhonhesfhhughhuvgdrtghomheqnecuggftrfgrthhtvghrnhepleelueeute ejkefhteelleffgeelveelheeiiefgveeuvddutddvkeethedugeefnecuvehluhhsthgv rhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepmhgvlhhlohhnsehfuhhguh gvrdgtohhmpdhnsggprhgtphhtthhopedupdhmohguvgepshhmthhpohhuthdprhgtphht thhopegunhhsohhpsehivghtfhdrohhrgh
X-ME-Proxy: <xmx:9VATaAQQhJgEKsev1tbiVNPZkYvkK4Gdzi9FzAg6nNtgczpRJFN4-w> <xmx:9VATaNvVMRfuKHHXq9wCXDigQP1IyeTzTlz6PTyQY1Ux6V-kL25CKQ> <xmx:9VATaJeUgvLfQNAj9Ka6NI6DCpjo0l_O4QpTPW9hOWJCZGYAZa4oUw> <xmx:9VATaJ2KMwH5fJDW9CYEdZLKy3uibgUA-PJckQV1EKSFnMI25Wd2YQ> <xmx:9VATaN7GFZz6nrrbdsf4bbEF0nykyQmdJfsMMyfi3PZz4VxGyUkUcNg->
Feedback-ID: i1136489e:Fastmail
Received: by mailuser.phl.internal (Postfix, from userid 501) id E486E3C0068; Thu, 1 May 2025 06:46:12 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
MIME-Version: 1.0
X-ThreadId: Teb8ce65f3fed0dd8
Date: Thu, 01 May 2025 06:45:52 -0400
From: Ted Lemon <mellon@fugue.com>
To: "dnsop@ietf.org WG" <dnsop@ietf.org>
Message-Id: <2a325a23-d7dc-4380-a946-95cf48d3cd3e@app.fastmail.com>
In-Reply-To: <20250501015544.6E9E9C7136B6@ary.qy>
References: <m1u5h1G-0000LcC@stereo.hq.phicoh.net> <83666fd3-a51f-46e1-a5ac-0b9a46361480@desec.io> <49E3B1B6-E960-4A46-9C5D-2721FD57132D@depht.com> <3b5fb9e7-8a2b-420f-a2fb-dd6f6a0b88ae@isc.org> <89047B78-A2B1-43F2-A996-94DF1E90538A@depht.com> <cc84f69c-c349-4d91-b942-80221b564a9b@isc.org> <ac48e27d-479f-42f3-b87f-891220ef2fe8@app.fastmail.com> <BE721880-6254-48F4-9F91-567A99E0511B@icann.org> <m1u7asT-0000MtC@stereo.hq.phicoh.net> <01E23110-9A50-4187-8A54-34D514504F9B@strandkip.nl> <3A48CBC3-B55B-4FCF-B713-A7CA4C7BB7CC@strandkip.nl> <8E36C1B8-C67B-4704-9E3B-7143863E2262@icann.org> <87f219df-34f0-48fa-89cf-8cb8300c86c2@app.fastmail.com> <1359A8E4-E436-4EC5-B5C7-E0713A3E8182@icann.org> <b5e95596-ffa7-491f-86c5-27a9c98b4336@app.fastmail.com> <6ad73a8b-aab7-4765-9f85-49d7483ca917@app.fastmail.com> <20250501015544.6E9E9C7136B6@ary.qy>
Content-Type: multipart/alternative; boundary="19be2e77a587427cb746bee3bd04f16d"
Message-ID-Hash: BROOARPETXSA7YB33PQCF77ZUBQWPU7B
X-Message-ID-Hash: BROOARPETXSA7YB33PQCF77ZUBQWPU7B
X-MailFrom: mellon@fugue.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: [Ext] Re: Call for Adoption: draft-davies-internal-tld
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/hX8_zj4NTV-ubTsOLfr1y6yvNLc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

This is why I mentioned locally-served domains. This is territory we’ve already been over many times. In order for .internal to be used, the resolver has to know that it is not globally unique, which means it should be in the locally-served domains registry. Like eg 1.168.172.on-address.arpa or home.arpa. 

On Wed, Apr 30, 2025, at 9:55 PM, John Levine wrote:
> It appears that Ted Lemon  <mellon@fugue.com> said:
> >-=-=-=-=-=-
> >
> >Er, I should add that since using DoH is pretty common, if .internal isn’t listed in the locally-served domains registry its subdomains probably will indeed show up as nxdomain. 
> 
> If you're using DoH to bypass the local resolver, you're not going to see .internal at all.  If you're using it to talk to the local resolver
> you will presumably get the same asnswers as Do53 or DoT.  I still see an awful lot of assumptions about what resolvers might or might not
> do.
> 
> R's,
> John
> 
> 
> >
> >On Wed, Apr 30, 2025, at 9:25 PM, Ted Lemon wrote:
> >> The local resolver can safely lie about the delegation, so unless the stub resolver queries the root directly this isn’t an issue. Even if it does, unless it uses DoH, the
> >edge router can intercept the query. But this isn’t generally necessary. If you’re doing DNSSEC the only reason not to trust the local resolver is if it doesn’t give
> >enough answers to construct the proofs. 
> >> 
> >> On Wed, Apr 30, 2025, at 1:34 PM, Paul Hoffman wrote:
> >>> On Apr 30, 2025, at 10:21, Ted Lemon <mellon@fugue.com> wrote:
> >>> > 
> >>> > The reason to do an insecure delegation is so that the public dns doesn’t securely deny the existence of the zone. If there is a secure denial of existence, a validating
> >stub resolver will not use responses from the local resolver because they will be bogus. 
> >>> 
> >>> This seems to be talking about a validating stub resolver that is configured to also get answers from a particular recursive resolver, yes?
> >>> 
> >>> 1) Wouldn't the stub get two conflicting NS records for .internal, one from the root itself and the other from the recursive? All attempts for lookups would have a 50% chance
> >of going to the blackhole nameserver.
> >>> 
> >>> 2) Wouldn't having an insecure delegation in the root prevent the recursive from signing .internal itself because the root responds with an NSEC proving there cannot be a DS? 
> >>> 
> >>> Again, I could be missing something, but it seems that both of those would hurt the validating stub resolver. A validating stub resolver could instead easily be configured
> >with the trust anchor for the recursive resolver it is configured for.
> >>> 
> >>> --Paul Hoffman
> 
> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-leave@ietf.org
>

v2.31.3 | Report a Bug | By Email | System Status