Re: [DNSOP] ALT-TLD and (insecure) delgations.

"Woodworth, John R" <John.Woodworth@CenturyLink.com> Tue, 07 February 2017 03:44 UTC

From: "Woodworth, John R" <John.Woodworth@CenturyLink.com>
To: 'Ray Bellis' <ray@bellis.me.uk>, "dnsop@ietf.org" <dnsop@ietf.org>
Date: Tue, 07 Feb 2017 03:44:29 +0000
Message-ID: <A05B583C828C614EBAD1DA920D92866BD06D2ABC@PODCWMBXEX501.ctl.intranet>
References: <6391B5BB-19BD-4717-B9BB-ECD145F7B4F6@fugue.com> <20170206040516.1701.qmail@ary.lan> <CAPt1N1mbzhS19G_uDA8HokVxXuHy5uA7F1c84-1yUUpqZ2ifJQ@mail.gmail.com> <alpine.OSX.2.20.1702052315130.13902@ary.qy> <CAPt1N1m2mowdCF6igU0TN-FCcjas9AaY-uGma4HgPGKx0Jg4Tw@mail.gmail.com> <4E481C14-1C2B-4A18-A4F2-582208C1DDE3@ogud.com> <6B4E9F56-1487-4E09-9245-167C4790AB3D@gmail.com> <EFFF717C-3A5A-4877-8B40-2D5DF42FD19C@ogud.com> <91527611-CBAE-4DFD-8086-5D6499594108@gmail.com> <c1af826c-899e-db90-f592-514874660d7a@bellis.me.uk> <alpine.DEB.2.11.1702061633570.23062@grey.csi.cam.ac.uk> <e5e78d51-4880-c71d-97b6-c833f42f963d@bellis.me.uk>
In-Reply-To: <e5e78d51-4880-c71d-97b6-c833f42f963d@bellis.me.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/mRZAlaRTFPLrbDh7jb2TEtLK8CY>
Cc: "Woodworth, John R" <John.Woodworth@CenturyLink.com>, "Ballew, Dean" <Dean.Ballew@CenturyLink.com>
Subject: Re: [DNSOP] ALT-TLD and (insecure) delgations.

> On 06/02/2017 16:55, Tony Finch wrote:
> > Ray Bellis <ray@bellis.me.uk> wrote:
> >>
> >> Yes, that's right, with the caveat that all existing locally served
> >> zones are in the reverse space - there's no forward zones registered (yet).
> >
> > There are several :-) RFC 6761 specifies localhost, invalid, test as
> > locally served zones. RFC 6762 specifies local. RFC 7686 specifies onion.
> >
> > RFC 7534 says that the AS112 DNAME target zones should be locally
> > served, though they are not listed in the special use registry.
> >
> > The example domains are special use but not locally served.
>
> The "locally served zones" and "special use domains" registries are different.
> There is potentially scope for overlap.
>
> It's possible that some special use domains might benefit from special
> treatment in the root zone, too (".localhost" ?)


I know I am late to the game, but as I understand the issue (still catching up),
the .alt is intended for both non-DNS and special-use DNS (expected to be
resolved locally).

Just spitballing, but what about a new RR type to actively flag the owner as
officially not-existing (e.g. NXD)?  These RRs could be used in *any* zone,
including root, and, combined with the special-use registry (for policy),
could flag the namespace as both reserved and non-existent.

I tend to agree with Mark on this; SERVFAIL feels wrong.


/John


> Ray

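Added example (not part of the thread above and not anyone's posted code): a minimal, offline model of the resolver-side behaviour the thread is discussing. It parses a DNS query from wire format, matches the query name against a table of locally served special-use suffixes, and synthesizes an authoritative NXDOMAIN for names under "invalid", "test" (RFC 6761), "onion" (RFC 7686) and the RFC 7534 AS112 DNAME target "empty.as112.arpa", answers "localhost" with loopback as RFC 6761 directs, and returns None for everything else so a caller would forward it upstream. Treating ".alt" the same way as the other negative suffixes is an assumption that follows the proposal in the thread, not any published registry entry; the function and table names are this example's own. The point it makes concrete is the rcode: a locally served reserved name comes back as NXDOMAIN (rcode 3, AA set), never SERVFAIL.

```python
import struct

# Suffixes a resolver answers locally with an authoritative negative answer.
# "invalid"/"test": RFC 6761; "onion": RFC 7686; "empty.as112.arpa": RFC 7534.
# "alt" is included only as an ASSUMPTION following the draft discussed in the thread.
LOCALLY_NEGATIVE = ("invalid", "test", "onion", "empty.as112.arpa", "alt")

# RFC 6761: "localhost" (and names under it) resolves to loopback without a query leaving the host.
LOCALHOST_A = b"\x7f\x00\x00\x01"  # 127.0.0.1

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode an uncompressed name; returns (name, offset past the terminating zero label)."""
    labels = []
    while True:
        ln = msg[offset]
        if ln == 0:
            return ".".join(labels), offset + 1
        if ln & 0xC0:  # a question section from a client should never be compressed
            raise ValueError("compression pointer in question name")
        labels.append(msg[offset + 1:offset + 1 + ln].decode("ascii"))
        offset += 1 + ln


def build_query(qname: str, qtype: int = 1, qid: int = 0x1234) -> bytes:
    """Constructed sample input: a standard recursive query (RD=1) for one name, class IN."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def classify(qname: str) -> str:
    """'localhost', 'nxdomain' (locally served negative) or 'forward' (ask upstream)."""
    labels = qname.lower().rstrip(".").split(".")
    if labels[-1] == "localhost":
        return "localhost"
    for suffix in LOCALLY_NEGATIVE:
        s = suffix.split(".")
        if labels[-len(s):] == s:
            return "nxdomain"
    return "forward"


def answer_locally(query: bytes):
    """Return a complete wire-format response for locally served names, or None to forward."""
    qid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    action = classify(qname)
    if action == "forward":
        return None
    # QR=1, AA=1 (we are authoritative for the local zone), copy RD, set RA.
    base = FLAG_QR | FLAG_AA | (flags & FLAG_RD) | FLAG_RA
    if action == "nxdomain":
        # Reserved name: say so with NXDOMAIN, not SERVFAIL, and no answer records.
        return struct.pack("!HHHHHH", qid, base | RCODE_NXDOMAIN, 1, 0, 0, 0) + question
    if qtype == 1 and qclass == 1:
        # localhost A: owner via pointer to the question name (offset 12), IN, TTL 0, 4-byte RDATA.
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 0, 4) + LOCALHOST_A
        return struct.pack("!HHHHHH", qid, base | RCODE_NOERROR, 1, 1, 0, 0) + question + rr
    # localhost with another type: NOERROR/NODATA.
    return struct.pack("!HHHHHH", qid, base | RCODE_NOERROR, 1, 0, 0, 0) + question


def rcode(response: bytes) -> int:
    return struct.unpack("!H", response[2:4])[0] & 0x000F


def is_authoritative(response: bytes) -> bool:
    return bool(struct.unpack("!H", response[2:4])[0] & FLAG_AA)


def answer_count(response: bytes) -> int:
    return struct.unpack("!H", response[6:8])[0]


if __name__ == "__main__":
    for name in ("foo.bar.alt", "localhost", "x.onion", "www.example.com"):
        resp = answer_locally(build_query(name))
        print(name, "-> forward" if resp is None else f"-> rcode {rcode(resp)}, AA={is_authoritative(resp)}")
```

The lookup is suffix-based on whole labels, so "myalt" is not caught by "alt" and "empty.as112.arpa" only matches names at or below that DNAME target. A real resolver would also add an SOA in the authority section of the negative answer; that is omitted here to keep the response construction short.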