Re: [DNSOP] New Version Notification for draft-adpkja-dnsop-special-names-problem-00.txt

"Paul Hoffman" <paul.hoffman@vpnc.org> Wed, 25 November 2015 16:24 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C382D1A1B1D for <dnsop@ietfa.amsl.com>; Wed, 25 Nov 2015 08:24:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.047
X-Spam-Level:
X-Spam-Status: No, score=-1.047 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553, MIME_8BIT_HEADER=0.3] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id onUhxvR9m1Su for <dnsop@ietfa.amsl.com>; Wed, 25 Nov 2015 08:24:28 -0800 (PST)
Received: from hoffman.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C6E01A1B1C for <dnsop@ietf.org>; Wed, 25 Nov 2015 08:24:28 -0800 (PST)
Received: from [10.32.60.120] (50-1-98-110.dsl.dynamic.fusionbroadband.com [50.1.98.110]) (authenticated bits=0) by hoffman.proper.com (8.15.2/8.14.9) with ESMTPSA id tAPGONgT028570 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 25 Nov 2015 09:24:24 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: hoffman.proper.com: Host 50-1-98-110.dsl.dynamic.fusionbroadband.com [50.1.98.110] claimed to be [10.32.60.120]
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: Patrik Fältström <paf@frobbit.se>
Date: Wed, 25 Nov 2015 08:24:26 -0800
Message-ID: <E673CA6D-27D4-44DC-8411-2D9E3BD40687@vpnc.org>
In-Reply-To: <EB6AB6D0-8808-49C2-90DE-F4E6E146BDE8@frobbit.se>
References: <20151019232608.9713.92337.idtracker@ietfa.amsl.com> <68818B75-F6F6-44A1-BAF5-BB68B7BD86F6@hopcount.ca> <EB6AB6D0-8808-49C2-90DE-F4E6E146BDE8@frobbit.se>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Mailer: MailMate (1.9.2r5141)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/oyRj8rfX7I3bD0zaiZNMmW-IkD4>
Cc: dnsop WG <dnsop@ietf.org>
Subject: Re: [DNSOP] New Version Notification for draft-adpkja-dnsop-special-names-problem-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Nov 2015 16:24:29 -0000

On 24 Nov 2015, at 21:40, Patrik Fältström wrote:

> I have read this draft and have a number of comments. I can not say 
> these are the only ones, but at least some :-)

This is only the beginning of the conversation, so: yes. :-)

>
> The dominant protocol for name resolution on the Internet is the
> Domain Name System (DNS).  However, other protocols exist that are
> fundamentally different from the DNS, but which have syntactically-
> similar namespaces.
>
> I claim that if it is syntactically similar and the names are used 
> interchangeable in protocols (see below) we actually DO talk about use 
> of the same namespace. This is the camel in the tent, and I think we 
> should just admit, or say clearly whether we do talk about, which I 
> think we do, one name space with multiple resolution mechanisms.

We need to be *very* careful here. Are names that are 
"syntactically-similar" actually "interchangeable". I propose that they 
are not; only names that are "syntactically-identical" are 
interchangeable. There are different name schemes that are "similar" 
that are not interchangeable. For instance, I have heard that some of 
the name schemes currently being discussed allow labels over 64 octets 
long.

We also need to be very careful to say whether a name scheme is 
syntactically-identical to RFC 1035 "domain names" or to RFC 1123 "host 
names with the preferred name syntax" (LDH). For the latter, we can 
probably say "interchangeable", but we need to think hard about the 
former.

>
> When an end-user triggers resolution of a name on a system which
> supports multiple, different protocols for name resolution, it is
> desirable that the protocol to be used is unambiguous, and that
> requests intended for one protocol are not inadvertently addressed
> using another.
>
> It is not so much different protocols as different resolution 
> mechanisms. If you say "protocol" here, it might sounds like if with 
> the DNS protocol you can not use multiple different resolution 
> mechanisms (which I think one can -- one of them using the root 
> managed by ICANN).

+1

>
> Such usage, which a few commenters have referred to as "protocol
> switching," is not limited to "protocol switch" in the strict sense
> of indicating specific protocols on the wire.  It could indicate to
> switch to another name space (eg .onion), use a different protocol
> (eg tor, or mdns), or indicate to use a local DNS scope by not using
> the DNS root for name resolution (eg .home in homenet) or something
> else altogether.
>
> It is important (which I think also Stephane indicated) that we talk 
> about different resolution mechanisms for the name itself. We do not 
> talk about how to access the service in question.

+1 again.

>
> At the time of writing, three top-level domain names reserved by
> inclusion in the Registry are used by name resolution protocols other
> than the DNS:
>
>    LOCALHOST is used to refer to the host on which the name
>    resolution takes place, without reference to the DNS;
>
>    LOCAL is used by the Multicast DNS protocol specified in [RFC6762]
>    which is similar in some respects to the DNS, but which uses
>    different well-known port number and is limited to a particular
>    multicast scope;
>
>    ONION is used to construct names that designate anonymous hidden
>    services reachable via the Tor network using onion routing.
>
> I think a better text to describe ONION would be:
>
>    ONION is used to construct names that designate
>    services reachable via the Tor network using onion routing.

Unfortunately, I agree. <insert apologies for my federal government 
here>

> What about EXAMPLE?

Which name resolution protocol uses EXAMPLE? RFC 2606 reserves it for 
examples in documentation.

>
> The lack of a more elegant way to specify a
> name resolution protocol in (for example) a URI amounts to an
> architectural oversight.
>
> Well...in the architecture we have both the URI scheme and if you look 
> further the URN definition to manage all different kind of switches. 
> And we do not have to wake up the old discussion again whether 
> HTTP://EXAMPLE.COM/ in reality should be URI:HTTP://EXAMPLE.COM/
>
> I think the key issue here is that the different "strings" that look 
> like "domain names" (i.e. are within the same name space) are used 
> interchangeable wherever in the URI (or even URN) definition where 
> "domain names" are to be used.

Disagree, and I agree with the text in the draft. It is an oversight on 
the part of the URI spec that it does not say "these are only for names 
in the DNS namespace; if you want a different name, use URNs".

>
> If we accept the notion that the most significant label of a domain
> name is actually a protocol switch, it implies that we are actually
> building a catalog of all top level domains that explain which are
> are switches.
>
> What about not-yet-allocated strings in this catalog?

Yes, exactly. This is a major problem in this part of the draft. It is 
begging us to predict the future, and we suck at that.

> I think it is important to say that as of today (at least), the 
> default resolution mechanism is to use the DNS, although a 
> non-existing string today imply one apply the search path algorithm to 
> chase down names.

+1

> In the case of [I-
> D.ietf-dnsop-onion-tld], leakage of ONION queries on the Internet
> might lead to disclosure of private information that, in some cases,
> might pose a risk to the personal safety of end-users.
>
> More, less or similar to leakage when people use non-FQDN and their 
> search path create surprises?

More, because .onion was designed to provide data- and metadata-hiding, 
and the search path mechanism was not.

> This document aims to provide a problem statement that will inform
> future work.  Whilst security and privacy are fundamental
> considerations, this document expects that that future work will
> include such analysis, and hence no attempt is made to do so here.
>
> See among other places SAC-057 
> <https://www.icann.org/en/system/files/files/sac-057-en.pdf>

Yes, this should be added as a useful informational reference.

--Paul Hoffman