Re: [DNSOP] ALT-TLD and (insecure) delgations.

Ted Lemon <mellon@fugue.com> Thu, 09 February 2017 21:01 UTC

From: Ted Lemon <mellon@fugue.com>
Message-Id: <12D7473B-3A22-4A8D-9C13-2AEEDEABB879@fugue.com>
Date: Thu, 09 Feb 2017 16:01:12 -0500
In-Reply-To: <20170209204506.BC40D6365CBE@rock.dv.isc.org>
To: Mark Andrews <marka@isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/nmpwN8ONy2XdyHNOI4X8PMfmARs>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, Brian Dickson <brian.peter.dickson@gmail.com>
Subject: Re: [DNSOP] ALT-TLD and (insecure) delgations.

On Feb 9, 2017, at 3:45 PM, Mark Andrews <marka@isc.org> wrote:
> At the moment we have Ted saying that if you want privacy you MUST
> also turn on DNSSEC validation and implement QNAME minimisation and
> implement aggressive negative caching (still an I-D).

No, I am _not_ saying that. I am saying that an unsigned delegation doesn't help with privacy unless you also specially configure your local resolver, and if you are going to specially configure your local resolver, then there are several options for how to do that. The only reason you need DNSSEC is that if you specially configure your local resolver to lie, then DNSSEC validation will break that. If you aren't doing DNSSEC validation, you can say any old thing in your local resolver and the stub will believe it.
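An added illustration of the interaction the two messages above argue about (example code, not from the thread, BIND or any resolver): which name a query under .alt leaks to the root under QNAME minimisation and aggressive negative caching, and when a validating client accepts a local resolver's unsigned answer. The root NSEC `ai. -> am.` is a constructed sample, not the real root zone record, and the wildcard half of an RFC 8198 denial is left out.

```python
from typing import Optional, Tuple


def _labels(name: str) -> list:
    """Owner-name labels in canonical order (RFC 4034 s6.1): root side first, lower-cased."""
    return [lbl.lower() for lbl in reversed(name.strip(".").split(".")) if lbl]


def canonical_lt(a: str, b: str) -> bool:
    """True if a sorts before b in DNSSEC canonical name order."""
    la, lb = _labels(a), _labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return x.encode() < y.encode()
    return len(la) < len(lb)


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """Does the NSEC 'owner -> next_name' prove qname (and every name below it) absent?"""
    return canonical_lt(owner, qname) and canonical_lt(qname, next_name)


def root_query_leaked(qname: str, qname_min: bool,
                      cached_nsec: Optional[Tuple[str, str]] = None) -> Optional[str]:
    """Name the resolver would send to the root for qname, or None if answered from cache."""
    if cached_nsec and nsec_covers(cached_nsec[0], cached_nsec[1], qname):
        return None  # aggressive negative caching: the validated NSEC answers it locally
    tld = _labels(qname)[0] + "."
    return tld if qname_min else qname  # QNAME minimisation sends only the TLD label


def stub_accepts(validating: bool, parent_proof: str) -> bool:
    """Does a client accept an unsigned, locally configured answer for a name under .alt?

    parent_proof is 'secure_nxdomain' (signed root NSEC denies 'alt', so the answer is
    bogus to a validator) or 'insecure_delegation' (NS for 'alt' with no DS, so unsigned
    data below it is merely 'insecure' and accepted)."""
    if not validating:
        return True  # a non-validating stub believes whatever the local resolver says
    return parent_proof == "insecure_delegation"


if __name__ == "__main__":
    q = "secret.foo.alt."
    print(root_query_leaked(q, qname_min=False))                 # whole name leaks
    print(root_query_leaked(q, qname_min=True))                  # only 'alt.' leaks
    print(root_query_leaked(q, qname_min=True, cached_nsec=("ai.", "am.")))  # nothing
    print(stub_accepts(True, "secure_nxdomain"), stub_accepts(True, "insecure_delegation"))
```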