[DNSOP] Re: [Ext] Re: [EXTERNAL] Re: Call for Adoption: draft-davies-internal-tld

Ted Lemon <mellon@fugue.com> Fri, 09 May 2025 20:47 UTC

From: Ted Lemon <mellon@fugue.com>
In-Reply-To: <20250509201525.D4F69C885F62@ary.qy>
Date: Fri, 09 May 2025 22:47:05 +0200
Message-Id: <03C29294-EC48-404E-8DBF-57930C206821@fugue.com>
References: <1C9E8ABA-4399-491B-A9F4-D9ACCB1BA72C@virtualized.org> <9EE8E4CC-04A3-46C7-BDDF-EF538A822AA8@virtualized.org> <m1uBHRs-0000LsC@stereo.hq.phicoh.net> <2796076.J18nJlZdWt@workstation.vm.ideapad.lan> <o25foqoshjnudrk4z6ucpxypvn36kpqn4nboa6r4zzespjvm2o@dlsnqvs4cgr7> <20250509201525.D4F69C885F62@ary.qy>
To: John Levine <johnl@taugh.com>
CC: dnsop@ietf.org, ajs@crankycanuck.ca
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/reLTgueTCSUbLSxRR14s4CCGdMU>

The sad fact is that hardly anybody actually relies on DNSSEC right now. The use case for things like internal and home.arpa just relies on there not being a secure denial of existence. Arguably, and this is certainly what I would argue, if you actually want DNSSEC on, for example, a home network, then you need a secure delegation. I think this is a much more interesting problem to solve than the problem of installing trust anchors for locally served domains.

The obvious reason why trust anchors for locally served domains don't work is that if everybody's house uses home.arpa as its locally served domain, then whenever I visit anybody and use their home Wi-Fi, I'm going to get a validation error. 

I think fixing this is way harder than just figuring out a way to make it easier for people to get delegations for their home routers. After all, we somehow figured out how to do the equivalent with ACME. (I use the term "we" loosely, since my only involvement with this was rejoicing at the success that Let's Encrypt had doing it.)

> On 9 May 2025, at 22:15, John Levine <johnl@taugh.com> wrote:
> 
> It appears that Andrew Sullivan <ajs@crankycanuck.ca> said:
>> In the absence
>> of an automatic local trust-anchor installation mechanism that happens at network auto configuration (the very idea of which
>> strikes me as creating way more problems than it is likely to fix), I don't see how DNSSEC is compatible with this degenerate use
>> of a global namespace with an overloaded private use space.
> 
> I agree with your point that trying to make DNSSEC work in a private namespace is a losing battle.  But since we clearly
> have people who think it should work, maybe they could try something along the lines of what I suggested yesterday, a
> TOFU way to publish local trust anchors on the theory that whatever network is the first one a device connects to is
> the one it trusts.
> 
> I have my doubts about whether it would make things better, but I'd rather give it a try than rerun the arguments about
> which flavor of DNSSEC breakage is the right one.
> 
> R's,
> John
> 
> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-leave@ietf.org
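The validation outcomes this exchange is arguing about (a signed parent proving a locally served TLD does not exist, the insecure delegation that makes home.arpa usable, and a per-house trust anchor that validates at home and goes Bogus at the neighbour's) can be traced with a model validator. The block below is an added example written for this page; it is not code from the thread, from draft-davies-internal-tld, or from any resolver. It computes no signatures: a zone's DNSKEY is an opaque key id, a DS is the SHA-256 of that id, and the rule that the closest configured trust anchor wins stands in for real validator behaviour. All zone names, key ids and addresses are constructed.

```python
# Model of DNSSEC validation for a locally served zone (added example; not
# from the thread or any draft). Signatures are not computed: a DNSKEY is an
# opaque key id, a DS is its SHA-256. Only the chain-of-trust logic is real.
import hashlib
from dataclasses import dataclass, field

SECURE, INSECURE, BOGUS = "Secure", "Insecure", "Bogus"


def ds_digest(keyid: str) -> str:
    """Stand-in for a DS record: the digest of the child zone's DNSKEY."""
    return hashlib.sha256(keyid.encode()).hexdigest()


@dataclass
class Zone:
    name: str            # zone apex, e.g. "home.arpa."
    keyid: str           # stands in for the zone's DNSKEY
    # child apex -> DS digest, or None for an insecure delegation (NS, no DS).
    # A child absent from this dict is covered by the zone's signed denial.
    delegations: dict = field(default_factory=dict)
    records: dict = field(default_factory=dict)   # owner name -> rdata


def apexes(name: str) -> list:
    """Candidate zone apexes from the root down to `name` itself."""
    labels = name.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def validate(name: str, served: dict, anchors: dict) -> tuple:
    """Outcome for `name` as a validating stub sees it on a network whose
    resolver serves `served` (apex -> Zone), given the stub's trust anchors
    (apex -> set of DS digests). Returns (status, rdata)."""
    zone = served["."]
    status = SECURE if ds_digest(zone.keyid) in anchors.get(".", ()) else INSECURE
    for child_name in apexes(name)[1:]:
        if child_name not in served:
            break                                   # `zone` is authoritative for `name`
        child = served[child_name]
        if child_name in anchors:
            # Closest configured anchor wins: the child is an island of trust,
            # whatever the parent says about it.
            status = SECURE if ds_digest(child.keyid) in anchors[child_name] else BOGUS
        elif status == SECURE:
            if child_name not in zone.delegations:
                status = BOGUS                      # signed parent proves child does not exist
            elif zone.delegations[child_name] is None:
                status = INSECURE                   # insecure delegation: NS without DS
            elif zone.delegations[child_name] != ds_digest(child.keyid):
                status = BOGUS                      # DS does not match the DNSKEY served here
        # An Insecure or Bogus parent is inherited unless an anchor intervenes.
        zone = child
    return status, zone.records.get(name)


# Constructed data: the root and arpa look the same on every network; each
# house signs its own zone with its own key.
ROOT_KEY, ARPA_KEY = "root-ksk", "arpa-zsk"
ROOT_ANCHOR = {".": {ds_digest(ROOT_KEY)}}


def network(house_key: str, local_tld=None) -> dict:
    """Zones served by one house's resolver; `local_tld` adds a locally
    served TLD (e.g. "internal.") that the root does not delegate."""
    served = {
        ".": Zone(".", ROOT_KEY, delegations={"arpa.": ds_digest(ARPA_KEY)}),
        "arpa.": Zone("arpa.", ARPA_KEY, delegations={"home.arpa.": None}),
        "home.arpa.": Zone("home.arpa.", house_key,
                           records={"printer.home.arpa.": "192.0.2.10"}),
    }
    if local_tld:
        served[local_tld] = Zone(local_tld, house_key,
                                 records={"printer." + local_tld: "192.0.2.10"})
    return served


def scenarios() -> dict:
    house_a, house_b = network("house-a-key"), network("house-b-key")
    internal = network("house-a-key", "internal.")
    # Anchor for home.arpa learned TOFU-style on the first network joined (house A).
    tofu = {**ROOT_ANCHOR, "home.arpa.": {ds_digest("house-a-key")}}
    return {
        # Undelegated TLD served locally: the signed root securely denies it exists.
        "internal, root anchor only": validate("printer.internal.", internal, ROOT_ANCHOR)[0],
        # Same TLD with a locally installed anchor: the island of trust validates.
        "internal, local anchor": validate("printer.internal.", internal,
                                           {**ROOT_ANCHOR, "internal.": {ds_digest("house-a-key")}})[0],
        # home.arpa: insecure delegation from arpa, so local answers are merely Insecure.
        "home.arpa, root anchor only": validate("printer.home.arpa.", house_a, ROOT_ANCHOR)[0],
        # House A's anchor at house A validates; carried to house B it goes Bogus.
        "home.arpa, A's anchor at A": validate("printer.home.arpa.", house_a, tofu)[0],
        "home.arpa, A's anchor at B": validate("printer.home.arpa.", house_b, tofu)[0],
    }


if __name__ == "__main__":
    for case, status in scenarios().items():
        print(f"{case:30} {status}")
```

The last two scenarios are the objection in the message above: the same anchor that makes home.arpa Secure at home turns every answer Bogus on any other network that signs its own home.arpa, whereas with no anchor at all the insecure delegation from arpa leaves those answers merely Insecure, which is the state today's deployments rely on.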