Re: [DNSOP] Call for Adoption: draft-arends-private-use-tld

Brian Dickson <> Tue, 16 June 2020 01:51 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id DAD913A0F79 for <>; Mon, 15 Jun 2020 18:51:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id gJ1MB3vehhMG for <>; Mon, 15 Jun 2020 18:51:35 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::a33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 92F9D3A09BB for <>; Mon, 15 Jun 2020 18:51:35 -0700 (PDT)
Received: by with SMTP id n22so4421913vkm.7 for <>; Mon, 15 Jun 2020 18:51:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/4xmhJEcEkkwKYzqpVPD3sakPvKZXFuD4BDSufawTdw=; b=sWcN1GZJnlM/stc7VPIDKaE6etnxglEbOLnSIhwiQMlMogBPbYcPSTceM63AqyjF05 JyPAZOF9TsqJFnJuXd4Q4WrRiYnY/GOcoE6jk+HtV27G8Rmt1P2PsfNe+qYry6H8LKc7 2qC1R39DCcCpL00/MRKEng34pQbhB5/KrS4SUieIjLo+bkryukZYCayxyLDXxsdS20+e uouYllrruXX4ZV8yJYcElXekoNOHJWyLr+9ps+IbL7SiSFDjGNdjNaK3reX1U0iTf5f4 jHnRr0J6INiA2U3kEyXvK6FcmGkK08Gdmpn7fWcqX2ew4Cbufbl/Zzkn3H6rvbRSvLYQ UfPQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/4xmhJEcEkkwKYzqpVPD3sakPvKZXFuD4BDSufawTdw=; b=F7cXBfOaueBwFnCcc6kqrqDRpE5D98NYV0pQehl8q3kWW6Ab4/dmje61jJ6/Gg2gVI h6IIO4jECTSZqhD6yjfpZEB7MABhIqaMj5dUBtQtnPGGXbnulEFk+OpDOCTUyTS8mQ8C 5YnL/zWr69mrWTb8ERrmu5xeMTuUEQ+Kt6FdmlltRR4prVLRd1y6bsonvrxMLvWoH0Ec HUSq1CRieOz1UBzozE+RM5EJcInQrvA6Jt9rqyaXAxjYwamjKvA0rnMKle1B3wDlArxs N2zv/rXT02oNW3RJ4WG+DGdVAG0VWCATx/NybsMz75nxPpswLq8mZH9YnxuSjAHStOiu aUSQ==
X-Gm-Message-State: AOAM530DP6CXXCbFnJ6wV1U9G8XKYPrlEC62TCtzFkOaJyvatzP0lIDl XNYp5i6E3KlTszWuIh+gMnrcp6L0nciotdjVcEg=
X-Google-Smtp-Source: ABdhPJz7+p97sE0p3NL+vy192irkTGB2sxPk1boOk14UkaeGqx2W7Qw5kgTb3pgd7/hL5nwSq50rlLIV8hV5wJQyFJ0=
X-Received: by 2002:a1f:4303:: with SMTP id q3mr26916vka.65.1592272294579; Mon, 15 Jun 2020 18:51:34 -0700 (PDT)
MIME-Version: 1.0
References: <> <20200615174753.225EC1ABFFA1@ary.qy> <> <2629924.6WoLTOkaPB@linux-9daj> <> <> <> <> <>
In-Reply-To: <>
From: Brian Dickson <>
Date: Mon, 15 Jun 2020 18:51:23 -0700
Message-ID: <>
To: Tony Finch <>
Cc: Paul Vixie <>, John Levine <>, dnsop <>, Tim Wicinski <>
Content-Type: multipart/alternative; boundary="00000000000081142005a829c825"
Archived-At: <>
Subject: Re: [DNSOP] Call for Adoption: draft-arends-private-use-tld
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 16 Jun 2020 01:51:37 -0000

On Mon, Jun 15, 2020 at 6:30 PM Tony Finch <> wrote:

> Brian Dickson <> wrote:
> >       - In addition to leaking information, these names generally should
> >       not have any presence in DNS caches, which makes them excellent
> > candidates
> >       for easy poisoning
> These issues happen in exactly the same way whether you squat on a tld or
> use a private subdomain.

Actually, no, or rather, it (susceptibility to poisoning) might depend.
Here's why:

The root zone is DNSSEC signed with NSEC.
It is literally impossible for anyone to poison any name at or below a

A private subdomain of a real domain, only has the same properties if the
real domain is DNSSEC signed (chained from the root), and the public
version of that domain's zone denies the existence of the private subdomain.
I.e. that isn't going to be 100% true ever, and today has only a small
statistical chance of being true (DNSSEC uptake globally being about 1%).

In any case, the argument I'm making is 100% is tautologically optimal, and
the best any single enterprise can do is match that.

It's likely more reliable and easier to go the non-TLD route for all but
the most technically savvy enterprises (who probably won't rely on this
document regardless.)