IETF Logo Mail Archive

[DNSOP] Re: [Ext] Re: what problem are we trying to solve, was Call for Adoption: draft-davies-internal-tld

Ted Lemon <mellon@fugue.com> Tue, 17 June 2025 11:24 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id DFED435E04D4 for <dnsop@mail2.ietf.org>; Tue, 17 Jun 2025 04:24:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.798
X-Spam-Level:
X-Spam-Status: No, score=-2.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=fugue.com header.b="VvbWgM6Y"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="P5ZaphpY"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fIa2ODJ0hJCJ for <dnsop@mail2.ietf.org>; Tue, 17 Jun 2025 04:24:29 -0700 (PDT)
Received: from fhigh-b5-smtp.messagingengine.com (fhigh-b5-smtp.messagingengine.com [202.12.124.156]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 4353935E04C1 for <dnsop@ietf.org>; Tue, 17 Jun 2025 04:24:29 -0700 (PDT)
Received: from phl-compute-03.internal (phl-compute-03.phl.internal [10.202.2.43]) by mailfhigh.stl.internal (Postfix) with ESMTP id ECFBF25401A7; Tue, 17 Jun 2025 07:24:28 -0400 (EDT)
Received: from phl-mailfrontend-02 ([10.202.2.163]) by phl-compute-03.internal (MEProxy); Tue, 17 Jun 2025 07:24:29 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue.com; h=cc :cc:content-transfer-encoding:content-type:content-type:date :date:from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to; s=fm2; t=1750159468; x=1750245868; bh=U6HyqkvJGIdJCy5yXhnIa1DD+bThX6gI587dtpF1yGM=; b= VvbWgM6Yw+MuOqHZS3ICPMkgFPihCIajL3dqYl1KA+a+vGN4mMBWT+5gADtgLHK0 DmqQ012/5+/cfsWDNPijBUDTJ6MBGtPB52tz2v3lL0dp5r7Hx2kpnMSsNaYyVGgj LA4u+ZrbYpr8SBcTLrehIOqsyOHxMVlavpXSzaP9ck/uVBjTuzRxhUUiq43xBgAq FprmiZ5cRi4urtV9fKKCfAoCEuxdFi0hEuHx73hxrQhcyT/yoJ7shXIBjWJ9HJ0x tVajDai51qTWNxT7HVI/4A97aE61/tQN2eXpdKVxlKwAgB6AY1ZmB0zDng0qRS63 SXK2rewwkF68M9Dbv/Gctw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:date:feedback-id:feedback-id :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1750159468; x= 1750245868; bh=U6HyqkvJGIdJCy5yXhnIa1DD+bThX6gI587dtpF1yGM=; b=P 5ZaphpY16saRfrnkfz4oCON9YXTrmP0vyegFGfcCgXDcvm3wUyTtaff02ALOaORT nwp+uBJoP30Vws0KA1IbhBRrVl+4pwTJUxCK70w1xjjy6kMZgMbrFmLjveve5dJu nSU5sjiyMAFUeqw0/vYGcV1jawaoYeytUWbXP1OIfbd65s+pDHkXAMjVbMQswh88 cqdnqsl91m+pRigFqZOGXEwi73/+IhKEl9rHWDWSvYFP8KQu+cNFQj1EIjFMgzrB YillTvEdBF6GcVz9H7dpHPcg07a6I36CDJkSve/PMG9PVHJQG/tIsnoXBN/ua0AV A7soT2GXtH5OlVyICIxLg==
X-ME-Sender: <xms:bFBRaOgh6kVGWnh7i7HT1xw-2daRQnO9UW92Quhc3KvdL-csxVF1kA> <xme:bFBRaPD7_NgwI7SLinRGh9IXwaRGAJL8QoT-wBXMhZUQx6i1JBCDEIcjx4RC16q8h rM8P4LurzkwhPbaTx4>
X-ME-Received: <xmr:bFBRaGE9sQb9-LopTRXZetgjp5kKAwM4VfPo6VujMNXzFZ-R5c9g7RATgHKp_LeYwThiDK7M2z9CIe5G4GpUdFzXRRn64X5Pt0NIcaynvGl08xt_ZA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeeffedrtddvgddthecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpggftfghnshhusghstghrihgsvgdpuffr tefokffrpgfnqfghnecuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnth hsucdlqddutddtmdenucfjughrpegtggfuhfgjffevgffkfhfvofesthhqmhdthhdtjeen ucfhrhhomhepvfgvugcunfgvmhhonhcuoehmvghllhhonhesfhhughhuvgdrtghomheqne cuggftrfgrthhtvghrnhepleelkeeludelgfegvdegfedvhfethfdtfffftefgjeektdet tdetuddvgfefvdeinecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilh hfrhhomhepmhgvlhhlohhnsehfuhhguhgvrdgtohhmpdhnsggprhgtphhtthhopedvpdhm ohguvgepshhmthhpohhuthdprhgtphhtthhopehpshhprggtvghksehishgtrdhorhhgpd hrtghpthhtohepughnshhophesihgvthhfrdhorhhg
X-ME-Proxy: <xmx:bFBRaHS06w6ep5ynDwyFKp9t5xDa21GWs0cRSQjorooT7hxVXaHIug> <xmx:bFBRaLzRr01FZ1SjPQU96f4YbYIWTac2dn0AU1nIl0gnWp5MQ1bi5Q> <xmx:bFBRaF7Rgex_usWrpOFON_OjGIpcGP5P_Uk-eu9VUSkIYVsDrDXQyQ> <xmx:bFBRaIwqpk4sO_asxgOFyFQ3MJ7bwSGVM124GKmLGPWNK5dfpApTLw> <xmx:bFBRaAhkz9zwS_PqdnHfXJ6Gl64VO32CXUS86NA5rGcsrjEfSTe9lh8R>
Feedback-ID: i1136489e:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 17 Jun 2025 07:24:27 -0400 (EDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3856.100.4\))
From: Ted Lemon <mellon@fugue.com>
In-Reply-To: <5ed468ec-f2c5-4cac-bea3-36a8da3a5931@isc.org>
Date: Tue, 17 Jun 2025 13:24:14 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <226C3DE8-82B9-492A-A6B1-69AC98EEE809@fugue.com>
References: <1C9E8ABA-4399-491B-A9F4-D9ACCB1BA72C@virtualized.org> <866409E5-0D9A-4669-8C6E-C9D1C7BDAA21@dnss.ec> <SA1PR15MB4370BAE2BD669193DDB9AE44B38D2@SA1PR15MB4370.namprd15.prod.outlook.com> <20250502171756.5AC67C762C3C@ary.qy> <SA1PR15MB43704113DF8B19A8A5A66AD6B38D2@SA1PR15MB4370.namprd15.prod.outlook.com> <4B83E121-9562-449C-A00E-2A31894ADED0@icann.org> <m1uBDWf-0000MlC@stereo.hq.phicoh.net> <9EE8E4CC-04A3-46C7-BDDF-EF538A822AA8@virtualized.org> <m1uBHRs-0000LsC@stereo.hq.phicoh.net> <BE3A5560-740A-47A9-835B-8C8EEF2B50B9@virtualized.org> <m1uCDdk-0000LlC@stereo.hq.phicoh.net> <20250506133721.199BCC803209@ary.qy> <m1uCItL-0000LTC@stereo.hq.phicoh.net> <6d8bc9b1-8729-08b7-bd0c-564ae0dd3a59@taugh.com> <9D0395B7-1157-4569-B2C7-628BBD909887@fugue.com> <C3487997-B656-4A6D-A069-752077629957@icann.org> <5ed468ec-f2c5-4cac-bea3-36a8da3a5931@isc.org>
To: Petr Špaček <pspacek@isc.org>
X-Mailer: Apple Mail (2.3856.100.4)
Message-ID-Hash: EMNM6DE2QP6QARQOZ3KOFY7STVQWQNAB
X-Message-ID-Hash: EMNM6DE2QP6QARQOZ3KOFY7STVQWQNAB
X-MailFrom: mellon@fugue.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: [Ext] Re: what problem are we trying to solve, was Call for Adoption: draft-davies-internal-tld
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/qt0Qj4K8oCz9gC9ifNIjTo2ZhMc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Thanks!

BTW, this is actually documented in section 7 of RFC6303. Rereading that section, I get a sense of where Paul's objection is coming to: I think the recommendation about DNSSEC trust anchors there is hopelessly impractical. However, the preceding two paragraphs seem correct.

They also anticipate the advice I was given in this working group when preparing RFC8375 (home.arpa). Section 6 of RFC8375 discusses this problem, and the motivations for the delegation requestion in section 7, in detail, and is based on advice that was given by folks in this WG about this problem.

Paul, I will note that you are called out specifically in the acknowledgments as having reviewed this text, although I do not remember at this late date what you said. Andrew Sullivan is cited as the source for the actual text that appears in the document, and may have more to say about this (or may not, no pressure).

> On 17 Jun 2025, at 13:04, Petr Špaček <pspacek@isc.org> wrote:
> 
> On 5/6/25 20:09, Paul Hoffman wrote:
>> On May 6, 2025, at 09:56, Ted Lemon <mellon@fugue.com> wrote:
>>> 
>>> I think that you're trying to solve two different problems here. The first problem is just generally what can you do to avoid causing a validation failure? The second problem is, how can you actually validate locally served domains?
>>> 
>>> They are both really interesting questions, and I think that it would be very useful to consider how we would solve the problem of validating locally served domain.
>>> 
>>> However, this is not absolve us of the responsibility to make sure that we don't accidentally cause validation failures where they are inappropriate. We already have prior art on this. We know how to solve this problem. RFCs that solve this problem all solve that and exactly the same way.
>> ...and that way might not work the way we want, and thus should be defined in RFCs before we make recommendations about them. In specific, we don't have any RFCs that deal with insecure delegation for clients that move around.
> 
> This is provably incorrect. 10.in-addr.arpa is an insecure delegation which with network-dependent content, and it works for decades. Please let's not create more diversions from the actual problem at hand, which is the missing insecure delegation. I.e. I fully agree with Ted Lemon.
> 
> -- 
> Petr Špaček
> 
> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-leave@ietf.org

v2.31.3 | Report a Bug | By Email | System Status