Re: [DNSOP] ALT-TLD and (insecure) delgations.

Ted Lemon <> Wed, 08 February 2017 15:05 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 24DF7129BBA for <>; Wed, 8 Feb 2017 07:05:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 1YrVpd5LzJp6 for <>; Wed, 8 Feb 2017 07:05:47 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400d:c0d::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B2F60129BB7 for <>; Wed, 8 Feb 2017 07:05:46 -0800 (PST)
Received: by with SMTP id w20so162465785qtb.1 for <>; Wed, 08 Feb 2017 07:05:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=rrvY8ue0oTJxT3rLt0GWGTwBFASGOp0+9aBsvnmAf9Y=; b=s9W4SA+G1LuJ3E1nqM+WjPRibE/YxSjcEeLKgymYnJPvNFpwYFU2NOc1WGOyVV6YRI dgCKUuF0N0rp7LgvxdWXkuc4h77VGqIfrozXZiv+i08bTMaj2rlnMUTLM/qyiSSLwO1g b9kzKcTR48Ke68uhP7iIlRnmh4UcNyLBeoPwwRBU1nOg7jIoKFybXo7QIfQGpNOpYJa9 wX6Fj4BqmIK648xQ17mRL2c1oWuoIrwTDoQpwA66dnTrtX8rx7ODG/srk2GWtvGuyN7t 1NFt88c3Zk6NPsaG+qBq6X1MbqBAispvrQ+l0iGAQSWE0H/1kMEJbhvKAv9Cn7i+rjb5 UfYg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=rrvY8ue0oTJxT3rLt0GWGTwBFASGOp0+9aBsvnmAf9Y=; b=bmMuGGlLhQQwgRrxv9JUhs7UacuoczDWa8NIZW6klrgr3V4MJ3bbS+RRRpYTXjHPfX fYza2zqVDDOYwbbeDF/28vjSCR15Z4bKwPnc+8K4LcIEpRLSRjaDyqYqVAFbt+GR1BGc fXo63btY5GFSWeYhTcX6ZrVkVZ4UzhDGVgjVF6q/XYkpaHtqRncgGOzbW67xEFYLcUDB chLKQO6dl7XexSI6h41VfhjfRBJURJy80UDeR2wzlIclgUGXa9k1aIsMbmpbpDk5+r2C yNrJoREPzU50aTfL/lUBcxbPyajJHPdmr99hBl8YIGlMjG5VBBHkpM2e6qRA2qvNxarQ kMaA==
X-Gm-Message-State: AMke39mLf6fuVqIi6pVsjAK9fpGA1r9ffqqFGFhrCo816aFNrdOqmUsxwg5HVAYwBUgshg==
X-Received: by with SMTP id r55mr22488849qte.25.1486566345759; Wed, 08 Feb 2017 07:05:45 -0800 (PST)
Received: from [] ( []) by with ESMTPSA id d52sm6408270qtc.2.2017. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 08 Feb 2017 07:05:44 -0800 (PST)
From: Ted Lemon <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_8130BE97-BDAE-449F-8AC3-4EA451992E2B"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Wed, 08 Feb 2017 10:05:42 -0500
In-Reply-To: <>
To: Mark Andrews <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
X-Mailer: Apple Mail (2.3259)
Archived-At: <>
Cc: " WG" <>, Brian Dickson <>
Subject: Re: [DNSOP] ALT-TLD and (insecure) delgations.
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 08 Feb 2017 15:05:48 -0000

On Feb 8, 2017, at 1:02 AM, Mark Andrews <> wrote:
> Which assumes agggressive negative caching.   I'm going to make a
> realistic assumption that it will take 10+ years for there to be
> meaningful (>50%) deployment of aggressive negative caching.

First of all, this probably isn't true, since most of the caches we care about are run by network operators, who tend to update more frequently for obvious reasons.   But the solution you propose, which causes a SERVFAIL, involves a specially-prepared resolver.   So if you get to _create_ the problem with a specially-prepared resolver, I get to solve it with a differently specially-prepared resolver.   If you want queries to .alt not to leak, you have to preload your cache with a proof of nonexistence for .alt, and you have to keep it up to date.   This is not terribly difficult to arrange.

>> Leaking a query to .alt is harmless.
> Is it?  What reports are we going to see over the next 20 year of
> DITL data on *.alt.

How is that relevant?   Suppose we don't create .alt, and instead people just pick random top-level domains for their experiments, as they do now.   Will the number of bogus queries to the root be greater, or fewer?   Furthermore, queries for .alt are legitimate, in just the same way that queries for .com are.   They just have a different answer.