Re: [DNSOP] Interim DNSOP WG meeting on Special Use Names: some reading material
Mark Andrews <marka@isc.org> Fri, 08 May 2015 21:42 UTC
To: John R Levine <johnl@taugh.com>
From: Mark Andrews <marka@isc.org>
Date: Sat, 09 May 2015 07:42:12 +1000
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/oiL76WMs0fK3VsB_dJhmLgPmBXY>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Interim DNSOP WG meeting on Special Use Names: some reading material

In message <alpine.OSX.2.11.1505081704140.30778@ary.lan>, "John R Levine" writes:
> > For a "mail" a secure NXDOMAIN response saying that "mail." doesn't exist
> > should be fine.
> >
> > For "foo.home" you actually want an insecure response with an insecure
> > referral or at least you want "DS home" to come back as a secure
> > NODATA rather than a secure NXDOMAIN.  This assumes we want to
> > formalise the de facto use of .home for names in the home.
>
> I'm thinking that if a query for foo.home shows up at the roots, that is
> evidence of a configuration error.  So how about doing a secure NXDOMAIN,
> and tell people that if they want to use DNSSEC and their own .home names,
> it's up to them to put their own local .home trust anchor into their cache
> and a local DNS server to serve it.

Really, you want to force all home users to sign their own zones
and to securely distribute trust anchors (something we don't know
how to do yet) to every machine that connects to the network (yes,
validation happens in applications as well as in the recursive
servers) just to avoid installing an insecure delegation for .home
in the public internet?

We already have insecure delegations for RFC 1918 and ULA reverse
namespaces so we don't stuff up validators looking up PTR records.

Seeing foo.home just means that a search list with .home in it is
in use outside of the home.  Think of a laptop moving between home
and the office.

A validator, with just the public roots' trust anchor configured
on it, will validate foo.home without needing to be reconfigured
at home or at work if there is an insecure delegation for .home.

"DS home" on the other hand is a normal artifact of doing validation
and if we want to formalise .home then that stops getting an NXDOMAIN
response.

> Your typical home router is running linux anyway, so it doesn't seem
> unduly cruel to say that if it's going to run a validating cache, it needs
> to poke its own holes for private names since it's all off the shelf
> software.

And home routers are not the only place where validation occurs.

> Regards,
> John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
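
The two proposals in this exchange, modelled as an added example that is not part of the original message or of any real validator: a toy chain-of-trust walk showing how an unsigned local answer for foo.home is classified under a secure NXDOMAIN, an insecure delegation, and a local .home trust anchor. The function names, the state strings and the dict encoding of what the signed parent proves for "DS <name>" are assumptions made for illustration.

```python
# Toy model of a DNSSEC validator's chain-of-trust walk (constructed example).
# Outcome names follow RFC 4035: secure, insecure, bogus, indeterminate.

def closest_anchor(qname, anchors):
    """Longest configured trust anchor at or above qname, or None."""
    hits = [a for a in anchors
            if a == "." or qname == a or qname.endswith("." + a)]
    return max(hits, key=len) if hits else None

def zone_cuts(anchor, qname):
    """Names strictly below the anchor down to qname, top-down."""
    labels = qname.rstrip(".").split(".")
    names = [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    if anchor == ".":
        return names
    return [n for n in names if n.endswith("." + anchor)]

def validate(qname, signer, anchors, ds_proofs):
    """Classify a positive answer for qname.

    signer    -- zone whose key signed the answer, or None if unsigned
    anchors   -- trust anchors configured on this validator
    ds_proofs -- what the signed parent proves for 'DS <name>':
                 'DS' (signed delegation), 'NODATA' (insecure
                 delegation) or 'NXDOMAIN' (name does not exist)
    """
    anchor = closest_anchor(qname, anchors)
    if anchor is None:
        return "indeterminate"      # no trust anchor covers this name
    zone = anchor
    for name in zone_cuts(anchor, qname):
        proof = ds_proofs.get(name)
        if proof == "NXDOMAIN":
            return "bogus"          # signed proof contradicts the answer
        if proof == "NODATA":
            return "insecure"       # proven unsigned subtree: accept as-is
        if proof == "DS":
            zone = name             # chain of trust extends into the child
    return "secure" if signer == zone else "bogus"

# Constructed views of what the signed root could prove about "DS home".
SECURE_NXDOMAIN = {"home.": "NXDOMAIN"}
INSECURE_DELEGATION = {"home.": "NODATA"}

if __name__ == "__main__":
    # Laptop with only the root anchor, unsigned answer from a home router.
    print(validate("foo.home.", None, {"."}, SECURE_NXDOMAIN))       # bogus
    print(validate("foo.home.", None, {"."}, INSECURE_DELEGATION))   # insecure
    # Local anchor proposal: works only where the anchor is installed
    # and the local zone is actually signed.
    print(validate("foo.home.", "home.", {".", "home."}, SECURE_NXDOMAIN))
    print(validate("foo.home.", "home.", {"."}, SECURE_NXDOMAIN))
```
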