Re: [DNSOP] moving forward on special use names

George Michaelson <ggm@algebras.org> Mon, 19 September 2016 02:05 UTC

Return-Path: <ggm@algebras.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4085F12B0B5 for <dnsop@ietfa.amsl.com>; Sun, 18 Sep 2016 19:05:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=algebras-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 33CxmJP4W4hX for <dnsop@ietfa.amsl.com>; Sun, 18 Sep 2016 19:05:25 -0700 (PDT)
Received: from mail-yw0-x229.google.com (mail-yw0-x229.google.com [IPv6:2607:f8b0:4002:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6BB912B0AE for <dnsop@ietf.org>; Sun, 18 Sep 2016 19:05:24 -0700 (PDT)
Received: by mail-yw0-x229.google.com with SMTP id t67so124613180ywg.3 for <dnsop@ietf.org>; Sun, 18 Sep 2016 19:05:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=algebras-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-transfer-encoding; bh=xgfQQ/91bmwd/qDbMqt2QneJGuY80lxPCI/98iBjnuY=; b=OU/aIO+ZYzFsww68vyY3sorA9Xwd/jScXKWd6xX1San5XZFnBDnP5Umw/Y4GtfGByj lkWXa3fHLz+tmoNLRV3lDqSZOGCOT+niSFXF3vEeH9fXrK3xp11cWhzKd1vv2wfPptTq Xs4Drtyr2hf+/d9rVxNYBQmHoL0oyIkmrCHfh5ZRiivasmV/8TV+lumNldOxzMSX5G9D uInm4j7MU7CvmStcz27EIX7rHFfpUtLpgnggwCx59lLlU1je7fgfrxamLxjb0/Xx9rAy H0YOCKw8UmiL+qq8r+3GAtHS6bW/oB2NQ3bD3ePSE7KsG4z+UKJlKJcpUfMqqMpc8Act Rc3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:content-transfer-encoding; bh=xgfQQ/91bmwd/qDbMqt2QneJGuY80lxPCI/98iBjnuY=; b=eiOw1B6m0PTE7RvS4x0fpyDLWlDSFP/R/n7+ltzROIb9QkCVF8DWhSORg/WSlIS9no bGqm7ADp1DaTlhbaWCZfvi9CnNq3fZttVNN4KTJMIE3IufA7uuKamJxLOaPajZWUMOyI 2wNI5SkgeXOKxmlpNmi2oaSEioFkMo8tlvEqHENiP1y6iguViawmwdccwZYrtMuYgylq uYJr2Velxhy0t8G7wzqXskDZeiJYfWda5nddBpSyayGe3R91j2X5JRWjlQ0wUfAtS9yf JYYGBol6hrQBEdX1ourmOW6XdyG9qUrft4HWMJH3JSlf7O9iVggGhSlwDRPXRe+q1T8Z qIcw==
X-Gm-Message-State: AE9vXwMMX9McxKesIc3L/VfOJWt53aR152nYWNZc/nTOQYXigzNzjSNPJ632xlY++7FrRba2sxizUgr/TT4pgw==
X-Received: by 10.129.109.6 with SMTP id i6mr7588740ywc.291.1474250723932; Sun, 18 Sep 2016 19:05:23 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.50.73 with HTTP; Sun, 18 Sep 2016 19:05:23 -0700 (PDT)
X-Originating-IP: [2001:dc0:a000:4:5c6e:73d2:2e4e:7066]
In-Reply-To: <CAPt1N1=pVw+o2fsftqJw72CZxAA1a2+-hhCT0xz1MmPkYNMd9g@mail.gmail.com>
References: <20160916181356.70566.qmail@ary.lan> <D2C5DF2A-9A4A-4E72-92BE-BD8808578BCD@gmail.com> <CAPt1N1=pVw+o2fsftqJw72CZxAA1a2+-hhCT0xz1MmPkYNMd9g@mail.gmail.com>
From: George Michaelson <ggm@algebras.org>
Date: Mon, 19 Sep 2016 12:05:23 +1000
Message-ID: <CAKr6gn1+pHYWL_h-5ZP=eCNUFsoJRd3WKU8rqYh9Z-yzJE5TZg@mail.gmail.com>
To: dnsop WG <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/mvwKApIr30RB24KsMs6amDc6CKk>
Subject: Re: [DNSOP] moving forward on special use names
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Sep 2016 02:05:27 -0000

This is an instance of embedding. {thing@example.com}.{non-DNS-part}
is not subject to special delegation rules in some sense, because the
test of {non-DNS-part} requires no DNS action. If its synonymous with
_special_label_.{non-DNS-part}.{example.com} then its about a
conversation with upper systems to perform the transformation. If
{non-DNS-part} doesn't obey domain rules, and is not deterministically
structured, it can be {non-DNS-part}.some.sub.dom.ain eg .ALT and work
fine. It doesn't have to be a terminal on the RHS.

For .onion we were told this was non-negotiably not available. So now
we have the generic problem: upper name handling systems 'above' the
DNS don't want to be required to do work, to mangle apparent-names,
purported-named (whatever they are) according to any proscriptive
ruleset, to determine what to do: They want the DNS to do the work,
that drives them into a state to handle the exceptions.

Thats where my primary complaint in shut-it-down came in: This is an
unreasonable burden on the hierarchy of domain-names, as a thing in
itself.

"we" can't have it both ways. We can't have clean domain-name models
and coerce the domain-name model to cope with non-domain-name
concepts. And "we" can't keep it simple up in applications/URI space,
if we have to do special-case handling up there.

Shame we did think 6761 fixed this: it doesn't.

On Mon, Sep 19, 2016 at 11:57 AM, Ted Lemon <mellon@fugue.com> wrote:
> Okay, this is an interesting application that would certainly require some
> sort of 6761-style action.   Do you believe that it is not covered by the
> current problem statement?
>
> On Sun, Sep 18, 2016 at 9:00 PM, Phill <hallam@gmail.com> wrote:
>>
>> There is actually a fifth type of name, escaped names. Right now, the only
>> names we have of this type are SRV protocol tags, (_http._tcp.example.com)
>> and internationalized names (xn—wev.com)
>>
>> I want to add a third set of escaped names, one that has similar
>> functionality to .onion but does not leak as much information.
>>
>> example.com.m
>> f--
>> b2gk
>> 6
>> -
>> duf5
>> y
>> -
>> gyyl
>> -
>> jn5e
>> d
>>
>>
>> This is a strong domain name and to interpret it we require a policy that
>> is validated under the UDF fingerprint b2gk
>> 6
>> -
>> duf5
>> y
>> -
>> gyyl
>> -
>> jn5e
>> d. This in turn is a base 32 encoding of 92 bits of digest value plus an 8
>> bit version string. The fingerprint is over a content type identifier plus
>> some content as specified here.
>>
>> https://tools.ietf.org/html/draft-hallambaker-udf-03
>>
>> The content is typically going to be some sort of cryptographic key (PGP,
>> PKIX, SSH, JOSE, whatever) that signs some sort of assertion that states how
>> the address ‘example.com’ is to be interpreted.
>>
>> The trick here is that we can now bind security policy direct to any DNS
>> name without having to muck about with DNSSEC, or for that matter any other
>> PKI standard other than the particular standard we want.
>>
>>
>> Lets say that Alice is using OpenPGP and her OpenPGPv5 key is
>> mw83i-32ri4-83klq-3odp3. We can form an address from that:
>>
>> alice@example.com.mf--mw83i-32ri4-83klq-3odp3
>>
>> Now that isn’t an address that we can interpret without access to Alice’s
>> public key. Which is actually what I kinda want because I am fed up of spam.
>> The fact that I give you my address does not mean I want just anyone being
>> able to use it.
>>
>> In the ordinary course of business, my ‘strong name aware’ mailer knows
>> that it has to resolve mf--mw83i-32ri4-83klq-3odp3 somehow before it can use
>> that email address. If I just type it into Outlook, the client will happily
>> pass it on to my mail server and then it will get ‘stuck’ unless the mail
>> system can figure out how to use that address. Which is exactly what you
>> would want to happen with confidential mail.
>>
>> If the address can be resolved, the result is normally going to be a
>> policy that says what protocols the address can be used with and how.
>>
>> Now, naturally, a split horizon DNS would be one natural place to provide
>> access to a resolution service, but it need not be the only one.
>>
>>
>> The use of strong DNS names represents a major step forward in achieving a
>> genuinely decentralized Web. Instead of there being an institution at the
>> trust apex of the Internet, there is a digest function and a PKI scheme.
>>
>>
>> On Sep 16, 2016, at 2:13 PM, John Levine <johnl@taugh.com> wrote:
>>
>> The drafts are:
>> https://datatracker.ietf.org/doc/draft-tldr-sutld-ps/
>> https://datatracker.ietf.org/doc/draft-adpkja-dnsop-special-names-problem/
>>
>>
>> Having read them both, neither one thrills me but I'd give the nod to
>> adpkja.  The "Internet Names" in tldr seems to me a bad idea, since
>> there are a lot of other names on the Internet such as URIs and handle
>> system names, and this is about domain names.
>>
>> It seems to me there are four kinds of names we have to worry about, and
>> neither draft calls them all out clearly:
>>
>> * Names resolved globally with the DNS protocol, i.e.
>>  ordinary DNS names
>>
>> * Names resolved globally with an agreed non-DNS protocol, e.g.
>>  .onion via ToR
>>
>> * Names resolved locally with an agreed non-DNS protocol, e.g,
>>  .local via mDNS
>>
>> * Names resolved locally with unknown protocols, e.g. .corp and
>>  .home, the toxic waste names
>>
>> R's,
>> John
>>
>>
>>
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>>
>>
>>
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
>>
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>