Re: [DNSOP] Interim DNSOP WG meeting on Special Use Names: some reading material

Mark Andrews <marka@isc.org> Fri, 08 May 2015 21:42 UTC

To: John R Levine <johnl@taugh.com>
From: Mark Andrews <marka@isc.org>
References: <20150508194223.55320.qmail@ary.lan> <20150508203559.ACC372DF52BA@rock.dv.isc.org> <alpine.OSX.2.11.1505081636310.30695@ary.lan> <20150508210206.93FCB2DF5464@rock.dv.isc.org> <alpine.OSX.2.11.1505081704140.30778@ary.lan>
In-reply-to: Your message of "08 May 2015 17:09:59 -0400." <alpine.OSX.2.11.1505081704140.30778@ary.lan>
Date: Sat, 09 May 2015 07:42:12 +1000
Message-Id: <20150508214214.17E542DF589C@rock.dv.isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/oiL76WMs0fK3VsB_dJhmLgPmBXY>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Interim DNSOP WG meeting on Special Use Names: some reading material

In message <alpine.OSX.2.11.1505081704140.30778@ary.lan>, "John R Levine" writes:
> > For a "mail" a secure NXDOMAIN response saying that "mail." doesn't exist
> > should be fine.
> >
> > For "foo.home" you actually want an insecure response with an insecure
> > referral or at least you want "DS home" to come back as a secure
> > NODATA rather than a secure NXDOMAIN.  This assumes we want to
> > formalise the de facto use of .home for names in the home.
> 
> I'm thinking that if a query for foo.home shows up at the roots, that is 
> evidence of a configuration error.  So how about doing a secure NXDOMAIN, 
> and tell people that if they want to use DNSSEC and their own .home names, 
> it's up to them to put their own local .home trust anchor into their cache 
> and a local DNS server to serve it.

Really, you want to force all home users to sign their own zones
and to securely distribute trust anchors (something we don't know
how to do yet) to every machine that connects to the network (yes
validation happens in applications as well as in the recursive
servers) just to avoid installing an insecure delegation for .home
in the public internet.  We already have insecure delegations for
RFC 1918 and ULA reverse namespaces so we don't stuff up validators
looking up PTR records.

Seeing foo.home just means that a search list with .home in it is
in use outside of the home.  Think of a laptop moving between home
and the office.  A validator, with just the public root's trust
anchor configured on it, will validate foo.home without needing to
be reconfigured at home or at work if there is an insecure delegation
for .home.

"DS home" on the other hand is a normal artifact of doing validation
and if we want to formalise .home then that stops getting an NXDOMAIN
response.

> Your typical home router is running Linux anyway, so it doesn't seem 
> unduly cruel to say that if it's going to run a validating cache, it needs 
> to poke its own holes for private names since it's all off the shelf 
> software.

And home routers are not the only place where validation occurs.
 
> Regards,
> John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
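As an added illustration of the validator behaviour argued over in this thread (not code from the thread or from any resolver), the following Python model walks the chain from the root trust anchor for a positive answer to foo.home under the three states of the root discussed: today's secure NXDOMAIN for "home", an insecure delegation like the RFC 1918 reverse zones, and a signed .home with a DS at the root. The zone names, DS replies and the simplified Secure/Insecure/Bogus rules are constructed assumptions following RFC 4035 section 4.3.

```python
from dataclasses import dataclass
from typing import Dict, Iterator

@dataclass(frozen=True)
class DSReply:
    """What the parent zone returned for "DS <zone>" (constructed model)."""
    rcode: str      # "NOERROR" or "NXDOMAIN"
    has_ds: bool    # a DS RRset was present in the answer
    proven: bool    # the DS RRset or the denial validated under the parent's keys

def zone_cuts(name: str) -> Iterator[str]:
    """Yield the candidate zones below the root on the way to name."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels) - 1, -1, -1):
        yield ".".join(labels[i:]) + "."

def classify(name: str, ds_replies: Dict[str, DSReply], child_signed_ok: bool) -> str:
    """Status (RFC 4035 s4.3) of a positive answer for name, as seen by a
    validator holding only the root trust anchor.  It walks down from the
    root, asking DS at each cut listed in ds_replies:
      secure NODATA for DS  -> proven insecure delegation, answer is Insecure
      secure NXDOMAIN       -> parent proves the zone is absent, so data served
                               for it (e.g. by a home router) is Bogus
      DS present            -> chain continues to the child's DNSKEY
    """
    for zone in zone_cuts(name):
        reply = ds_replies.get(zone)
        if reply is None:
            continue                      # no cut here; name is inside the current zone
        if not reply.proven or reply.rcode == "NXDOMAIN":
            return "Bogus"
        if not reply.has_ds:
            return "Insecure"
    return "Secure" if child_signed_ok else "Bogus"

# Constructed scenarios: the same unsigned foo.home answer from a home router,
# under three different states of the root for "home".
TODAY = {"home.": DSReply("NXDOMAIN", False, True)}    # root proves 'home' absent
PROPOSED = {"home.": DSReply("NOERROR", False, True)}  # insecure delegation
SIGNED = {"home.": DSReply("NOERROR", True, True)}     # home signed, DS at root
# Existing precedent: arpa and in-addr.arpa signed, 10.in-addr.arpa insecure.
RFC1918 = {"arpa.": DSReply("NOERROR", True, True),
           "in-addr.arpa.": DSReply("NOERROR", True, True),
           "10.in-addr.arpa.": DSReply("NOERROR", False, True)}

def demo() -> Dict[str, str]:
    return {"today": classify("foo.home.", TODAY, False),                   # Bogus
            "insecure_delegation": classify("foo.home.", PROPOSED, False),  # Insecure
            "signed_home": classify("foo.home.", SIGNED, True),             # Secure
            "rfc1918_ptr": classify("1.0.0.10.in-addr.arpa.", RFC1918, False)}  # Insecure
```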