Re: [DNSOP] ALT-TLD and (insecure) delgations.

Brian Dickson <brian.peter.dickson@gmail.com> Fri, 03 February 2017 20:02 UTC

From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Fri, 3 Feb 2017 12:02:47 -0800
Message-ID: <CAH1iCiqXohb_7LsQ2EMo8ZB-t20mKq_nUDS8vebhtSXoM13DTg@mail.gmail.com>
To: "dnsop@ietf.org WG" <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/rnmb5Qb5J1m3fSKwexb0Wx3RcwU>

Stephane wrote:

> On Wed, Feb 01, 2017 at 03:28:29PM -0500,
>  Warren Kumari <warren at kumari.net> wrote
>  a message of 103 lines which said:
>
> > or 2: request that the IANA insert an insecure delegation in the
> > root, pointing to a: AS112 or b: an empty zone on the root or c:
> > something similar.
>
> Here, people may be interested by draft-bortzmeyer-dname-root (expired
> but could be revived). The main objection was the privacy issue
> (sending user queries to the "random" operators of AS112.)
>
My opinions on these issues are as follows, roughly:

   - I am in favor of AS112 for ALT
   - For AS112, I prefer the AS112++ method (DNAME)
   - I do not see why the DNAME would/should not be DNSSEC signed
   - Any local use of ALT can be served locally and signed using an
     alternative trust anchor
   - I don't think there is any issue with having both the NXD from the
     root, and the local assertion of existence, both present (in cache and in
     authoritative data respectively)
      - Maybe there are issues with specific implementations?
      - If anyone knows of such problems, it would be helpful to identify
        them along with the implementation and version
   - For AS112 privacy, perhaps someone should write up a recommendation to
     set up local AS112 instances, to provide privacy, as an informational RFC?
      - Even simply through resolver configurations, without a full AS112
        "announce routes"?
      - Do any resolver packages offer such a simple AS112 set-up?
      - Maybe the efforts for privacy should start there (implement first,
        then document)?
      - Do any stub resolver packages include host-local AS112
        features/configurations?

Overall, I'm obviously in favor of use of ALT, and for signing whatever is
done for ALT, and for use of DNAME for ALT.

Brian "DNAME" Dickson
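Added example (editor's illustration, not code from this thread or from any resolver project): a toy model of the two mechanisms the message combines. First, the AS112++ style DNAME substitution (RFC 6672 section 2.2, with the RFC 7535 target name empty.as112.arpa), which only rewrites names strictly below the DNAME owner and must reject a synthesized name longer than 255 octets (YXDOMAIN). Second, a lookup order in which locally configured zones (the "local assertion of existence", signed under a local trust anchor) are consulted before any root-derived data, so a local corp.alt zone and a root DNAME for alt. coexist. The root DNAME for alt. is the hypothetical from this thread, and the zone names and addresses are constructed for the example.

```python
"""Toy DNAME substitution plus local-zone-first lookup (constructed example).

Assumptions (not from the thread): the root carries 'alt. DNAME empty.as112.arpa.'
and the resolver is configured with a local zone 'corp.alt.'.
"""

NAME_MAX_OCTETS = 255  # RFC 1035 limit on a wire-format domain name


def labels(name):
    """Absolute dotted name -> list of labels; the root name yields []."""
    name = name.rstrip(".")
    return name.split(".") if name else []


def wire_length(name):
    """Wire-format length: one length octet per label plus the terminating root octet."""
    return sum(len(lab) + 1 for lab in labels(name)) + 1


def is_subdomain(name, zone):
    """True if name is strictly below zone (case-insensitive label comparison)."""
    n = [lab.lower() for lab in labels(name)]
    z = [lab.lower() for lab in labels(zone)]
    return len(n) > len(z) and n[len(n) - len(z):] == z


def dname_substitute(qname, owner, target):
    """RFC 6672 s.2.2 substitution.

    A DNAME covers only names below its owner; the owner's own records
    (including the DNAME and its RRSIG) are served unchanged.
    Returns the synthesized CNAME target, or None if the DNAME does not apply.
    Raises ValueError when the result would exceed 255 octets (YXDOMAIN).
    """
    if not is_subdomain(qname, owner):
        return None
    keep = len(labels(qname)) - len(labels(owner))
    new_name = ".".join(labels(qname)[:keep] + labels(target)) + "."
    if wire_length(new_name) > NAME_MAX_OCTETS:
        raise ValueError("synthesized name too long: YXDOMAIN")
    return new_name


class LocalFirstResolver:
    """Lookup order: locally configured zones win over root-derived data.

    This is what lets a locally signed 'corp.alt.' zone coexist with a root
    DNAME (or NXDOMAIN) for 'alt.': the local zone is authoritative data, the
    root answer is just cache.
    """

    def __init__(self, local_zones, root_dnames):
        self.local_zones = local_zones  # {zone: {lowercase name: value}}
        self.root_dnames = root_dnames  # {dname owner: dname target}

    def lookup(self, qname):
        for zone, records in self.local_zones.items():
            if is_subdomain(qname, zone) or qname.lower() == zone.lower():
                rec = records.get(qname.lower())
                return ("local", rec) if rec else ("local-nxdomain", None)
        for owner, target in self.root_dnames.items():
            new_name = dname_substitute(qname, owner, target)
            if new_name:
                return ("dname", new_name)
        return ("normal", None)  # fall through to ordinary recursion


if __name__ == "__main__":
    resolver = LocalFirstResolver(
        {"corp.alt.": {"www.corp.alt.": "10.0.0.1"}},  # constructed local zone
        {"alt.": "empty.as112.arpa."},                  # hypothetical root DNAME
    )
    for q in ("www.corp.alt.", "foo.alt.", "alt.", "example.com."):
        print(q, "->", resolver.lookup(q))
```

Note that `lookup("alt.")` falls through to normal recursion: the DNAME owner itself is not substituted, which is exactly why a signed DNAME at alt. can be validated while everything beneath it is redirected.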