Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only

John R Levine <johnl@taugh.com> Thu, 30 July 2020 23:59 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/rXIocvwDmhNs-mggELkih0PFwNw>

> If there are RRSIG(A) records in .com and .net there must have been a
> policy change since 2010?

Sorry, no, they're different.  For all of the new TLDs they run they have some test
delegations with name servers in the TLD:

emt-ns1.emt-t-1113662392-1595861228527-2-sdojq.aol.	172800	in	a	198.41.1.168
emt-ns1.emt-t-1113662392-1595861228527-2-sdojq.aol.	172800	in	rrsig	a	8	3	172800	20200804181604	20200728181604	32545	aol.	h+iuDHDjmnr5a0egcjKDSiGxSyYe9O4UVJVOL8F3ttqwv31PnNnWyxFoa9k8gyGGBB6155jbJExvCY4KxqHqYPKylVw5Br/zfbFCfXD+wpMEmxHvQbRkDtK7AZBSLNunPl8gJ+WmywX8LVXhjobWCo9VGMogVKJz+cRcFKu/PY97fOzQbnNJBkF473zoPNX0Ct+2C/5QSEd5OYSIVfD2iA==
emt-ns1.emt-t-1158551749-1595861079980-2-xo.aol.	172800	in	a	198.41.1.126
emt-ns1.emt-t-1158551749-1595861079980-2-xo.aol.	172800	in	rrsig	a	8	3	172800	20200804175637	20200728175637	32545	aol.	a4ij0JWJZlHXbPR+At9pYnTrWwpyFI12ubSnMmZ6PhlK4Sed5v64mzVy8QAmbgAtT2kNJqLW/weG4ZGHQDzN/oTYo2+NhLYpqf9/r1CBaX1V3As17lOSx5I7nm5aeKIupYnyMBb/h5NyxIh/7pbYT4fd+AtENKIt1Va+TAsZPBcL6a9dqcajRpnQ3Fx9Tq9QQJQC38sfHEK2X4fjRCF3/w==
emt-ns1.emt-t-1737294735-1595858930228-2-jz.aol.	172800	in	a	198.41.1.92
emt-ns1.emt-t-1737294735-1595858930228-2-jz.aol.	172800	in	rrsig	a	8	3	172800	20200804171915	20200728171915	32545	aol.	FiTCAdK7jDWig2s0Y/duIsKuM86BOoe4jEcYLh9eEI1swnPKmUTWY9aM5xCFr9yqTlWHDz5cX3WzivizMqbhOa7LorQuIU359bh2z9FOk1MWZrhLUk5jhBW8tLT+Lj6lNe8rN4kmfVAU3ScBJ8X+pfALYACkoHdIuZs74fvspxiO/DF7EOH88mmyedyFiZA0NtOzN4lfFLDkPqUgKQL+8g==
emt-ns1.emt-t-1919814529-1595856863287-2-rflv.aol.	172800	in	a	198.41.1.111
emt-ns1.emt-t-1919814529-1595856863287-2-rflv.aol.	172800	in	rrsig	a	8	3	172800	20200804165227	20200728165227	32545	aol.	WtEXPHu8fXQ3hDK6qVOmHbcRDMKsXTG2Q3qlJh10zyUCAFATsSvaZtHvmFZX60EvzB5H9qOATjmhd4ondDAoHwwS5+vn2Q8+Gtwl8lbMgv97OjtZTyf+KDKf7zsS+h7+rQtL8xOHSZp04uB6bTGscE7FoFVnXtGLC8efJPpGcIEvXtqx1CQMmA+OfY6Fkff6a0+qD3ZECCWtLbc/KI3pnw==
emt-ns1.emt-t-2040593332-1595870898209-2-fjmc.aol.	172800	in	a	198.41.1.65
emt-ns1.emt-t-2040593332-1595870898209-2-fjmc.aol.	172800	in	rrsig	a	8	3	172800	20200804215349	20200728215349	32545	aol.	CKITWMU4hsaZz9sDYLPZOdnqPrGucEb82tPrFe7AUnsKC8uc20OwpaWBZsKiljm1J3khT7LuZFfLpvAC4Ma4c7DFXZBlJU0vwV4ONk5+M6+Ne+kiIYr8FfdAZy/UfgO0PYY0bqFYADINjxhAAcUPabgDQXmyjgHMLJmSXHibCWlD7rNhGbSYnHk2HYljhB3F5Qr5M/9JbgSXySq2XAdVQQ==
emt-ns1.emt-t-320674882-1595861934204-2-ngoj.aol.	172800	in	a	198.41.1.109
emt-ns1.emt-t-320674882-1595861934204-2-ngoj.aol.	172800	in	rrsig	a	8	3	172800	20200804183500	20200728183500	32545	aol.	OFH8JEJioRiVjLm9eP2Dxgncj064Mevm9QAV0/Ybj8p0HhhEehlKvwazcTSCymLHN2eKiw8b9jN3Lfvpy2PEh2yXGM+GzJ5/eTLO0RLGV2PuaXYGiFbgze8j48ROw+W9FD7LdP33U2vGXwmn8aHaIAuCvzoIHQAUnDgKTJK9zQYzYj51Ltx0zFZGtibsafKwMvRI7fJcbJgApAJ89tjaSQ==
emt-ns1.emt-t-645432105-1595875144963-2-p.aol.	172800	in	a	198.41.1.80
emt-ns1.emt-t-645432105-1595875144963-2-p.aol.	172800	in	rrsig	a	8	3	172800	20200804233833	20200728233833	32545	aol.	KVOc4xcORtulWDbaMxMBATKmBxPz2BKTozKsh9hWmxqAYuJviwRSfFDthojzIWc1rHJocAWTf/0pwQVhYvWeK1w5LH+4v33VxzGOlQKTBYr20etIgChS5JK7ohH4PsZPK0juk+1mvFHoD7DJYeGv3XIkXOEs4+cdsbIOD9hBnWh4OrihJdPGPZIzpiMG21Nplc5CFP+uOGbPZPtdqqdJEQ==
emt-ns1.emt-t-706490806-1595861285174-2-gmk.aol.	172800	in	a	198.41.1.117
emt-ns1.emt-t-706490806-1595861285174-2-gmk.aol.	172800	in	rrsig	a	8	3	172800	20200804182723	20200728182723	32545	aol.	InRAqN/asgig+58aeUI4AqCP7QgMdK/Xr/5soEYRnvUdqXdD6s9vSqVDWhZzbdBNocKnoMo1WBiYUIMBvPoUGCMnAjCuKq5hze654pZAoiQYFatnE+AhNgkRqGdglvlSrP6ou7igOmPOAlMlEgmnwV3psVMJeaAdXI2Zx/460TLSYougRqS9/gCPf5hfinXiRpf4l2InnRypGU25ARapdw==

> I don't know if other nameservers implement the same behaviour. AFAIK it
> isn't possible to represent orphan glue in standard zone files or zone
> transfers, so I think this is an ATLAS special.

Nothing special there, orphan glue that isn't under a delegation is
just an ordinary A record. I suppose they could do an nsec3 opt-out to
provide a hint that it's intended to be glue, but who'd care?

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
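
Added example, not part of the original message: a sketch of the rule the reply relies on, that an address record is glue only while a delegation (an NS set below the apex) exists at or above its owner name, and is otherwise ordinary authoritative data that the zone signs. The `example.` zone, its names and its addresses are constructed for illustration.

```python
# Constructed sample zone for a hypothetical TLD "example." (illustrative only).
ZONE_ORIGIN = "example."
RECORDS = [
    ("example.",           "NS", "a.nic.example."),
    ("a.nic.example.",     "A",  "192.0.2.1"),    # no delegation above it
    ("child.example.",     "NS", "ns1.child.example."),
    ("ns1.child.example.", "A",  "192.0.2.53"),   # below the child.example. cut
    ("ns1.gone.example.",  "A",  "192.0.2.99"),   # gone.example. NS set was removed
]

def labels(name):
    """Split an absolute owner name into lower-cased labels."""
    return name.rstrip(".").lower().split(".")

def is_at_or_below(name, parent):
    """True when name equals parent or is a subdomain of it."""
    n, p = labels(name), labels(parent)
    return len(n) >= len(p) and n[len(n) - len(p):] == p

def zone_cuts(records, origin):
    """Delegation points: owners of NS sets other than the zone apex."""
    return {o.lower() for o, t, _ in records
            if t == "NS" and o.lower() != origin.lower()}

def covering_cut(owner, cuts):
    """Return the delegation point nearest the apex that covers owner, else None."""
    hits = [c for c in cuts if is_at_or_below(owner, c)]
    return min(hits, key=lambda c: len(labels(c))) if hits else None

def classify(records, origin):
    """Map each address record owner to ('glue', cut) or ('authoritative', None).

    Authoritative RRsets get RRSIGs when the zone is signed; glue does not
    (RFC 4035 section 2.2).
    """
    cuts = zone_cuts(records, origin)
    result = {}
    for owner, rtype, _ in records:
        if rtype in ("A", "AAAA"):
            cut = covering_cut(owner, cuts)
            result[owner] = ("glue", cut) if cut else ("authoritative", None)
    return result

if __name__ == "__main__":
    for owner, (status, cut) in classify(RECORDS, ZONE_ORIGIN).items():
        print(f"{owner:22} {status:14} cut={cut}")
```

Re-adding an NS set at `gone.example.` turns the same A record back into unsigned glue, which is why the record on its own carries no marker of having once been glue.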