Re: [DNSOP] ALT-TLD and (insecure) delegations.

Brian Dickson <> Fri, 03 February 2017 20:02 UTC

From: Brian Dickson <>
Date: Fri, 03 Feb 2017 12:02:47 -0800
To: " WG" <>

Stephane wrote:

> On Wed, Feb 01, 2017 at 03:28:29PM -0500,
>  Warren Kumari <warren at> wrote
>  a message of 103 lines which said:
> > or 2: request that the IANA insert an insecure delegation in the
> > root, pointing to a: AS112 or b: an empty zone on the root or c"
> > something similar.
> Here, people may be interested by draft-bortzmeyer-dname-root (expired
> but could be revived). The main objection was the privacy issue
> (sending user queries to the "random" operators of AS112.)
My opinions on these issues are, roughly, as follows:

   - I am in favor of AS112 for ALT
   - For AS112, I prefer the AS112++ method (DNAME)
   - I do not see why the DNAME would/should not be DNSSEC signed
   - Any local use of ALT can be served locally and signed using an
     alternative trust anchor
   - I don't think there is any issue with having both the NXD from the
     root, and the local assertion of existence, both present (in cache and in
     authoritative data respectively)
      - Maybe there are issues with specific implementations?
      - If anyone knows of such problems, it would be helpful to identify
        them along with the implementation and version
   - For AS112 privacy, perhaps someone should write up a recommendation to
     set up local AS112 instances, to provide privacy, as an informational RFC?
      - Even simply through resolver configurations, without a full AS112
        "announce routes"?
      - Do any resolver packages offer such a simple AS112 set-up?
      - Maybe the efforts for privacy should start there (implement first,
        then document)?
      - Do any stub resolver packages include host-local AS112?

Overall, I'm obviously in favor of use of ALT, and for signing whatever is
done for ALT, and for use of DNAME for ALT.

Brian "DNAME" Dickson
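The message above argues for the AS112++ (DNAME) method and for signing the DNAME. The block below is an added example, written for this page and not code from the post, from the DNSOP working group, or from any AS112 or root operator. It shows what that mechanism actually does on the wire: how a DNAME is applied to a query name under RFC 6672 rules (including the two edge cases, a query for the DNAME owner itself and a substitution that would overflow the 255-octet name limit, which yields YXDOMAIN), how a server synthesizes the unsigned CNAME that follows the DNAME, and the check a DNSSEC validator performs to accept that CNAME only if it can be recomputed from the signed DNAME. The DNAME `alt. -> alt.empty.as112.arpa.` is an assumption for illustration: RFC 7535 reserves `empty.as112.arpa.` as the AS112++ sink, but no such DNAME has been installed in the root for `alt.`. Only the standard library is used.

```python
"""
DNAME substitution and the validator-side check on a synthesized CNAME,
as in the AS112++ (RFC 7535) scheme the post favours for ALT.

Added example; not code from the post or from any AS112 or root operator.
ASSUMPTION: a DNAME at "alt." pointing into "empty.as112.arpa." (RFC 7535
reserves that zone as the DNAME sink, but no DNAME for "alt." exists in
the root). Substitution follows RFC 6672 using only the standard library.
"""
from typing import List, Optional, Tuple

MAX_NAME_OCTETS = 255   # RFC 1035 wire-format limit for a whole name
MAX_LABEL_OCTETS = 63   # RFC 1035 limit for a single label

# An RR is modelled as (owner, ttl, rtype, rdata) for readability.
RR = Tuple[str, int, str, str]


def labels(name: str) -> List[str]:
    """'Foo.Alt.' -> ['foo', 'alt']; the root '.' -> []. Case-folded,
    since DNS name comparison is case-insensitive."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def to_name(lbls: List[str]) -> str:
    """Inverse of labels(): ['foo', 'alt'] -> 'foo.alt.'"""
    return ".".join(lbls) + "."


def wire_length(lbls: List[str]) -> int:
    """Octets the name occupies uncompressed: one length octet per label
    plus the label bytes, plus the terminating zero-length root label."""
    return sum(1 + len(l) for l in lbls) + 1


def dname_substitute(qname: str, owner: str, target: str) -> Tuple[str, Optional[str]]:
    """Apply one DNAME RR (owner -> target) to qname per RFC 6672.

    Returns (status, new_name) where status is one of:
      NO_MATCH  qname is not below owner; the DNAME does not apply
      OWNER     qname equals owner; a DNAME never rewrites its own owner
      YXDOMAIN  the substituted name would exceed 255 octets (RCODE 6)
      OK        new_name is the substituted name
    """
    q, o, t = labels(qname), labels(owner), labels(target)
    for l in q + t:
        if not 0 < len(l) <= MAX_LABEL_OCTETS:
            raise ValueError(f"bad label {l!r}")
    if len(q) < len(o) or q[len(q) - len(o):] != o:
        return "NO_MATCH", None
    if len(q) == len(o):
        return "OWNER", None
    new = q[: len(q) - len(o)] + t          # replace the owner suffix
    if wire_length(new) > MAX_NAME_OCTETS:
        return "YXDOMAIN", None
    return "OK", to_name(new)


def synthesize_answer(qname: str, owner: str, target: str, ttl: int) -> Tuple[str, List[RR]]:
    """Answer section a server emits for a name below the DNAME owner:
    the DNAME RR itself, then a CNAME synthesized from qname to the
    substituted name. The CNAME inherits the DNAME's TTL and is never
    signed; a validator recomputes it from the (signed) DNAME instead."""
    status, new = dname_substitute(qname, owner, target)
    if status != "OK":
        return status, []
    return "OK", [
        (owner, ttl, "DNAME", target),
        (qname, ttl, "CNAME", new),
    ]


def validator_accepts_cname(dname_rr: RR, cname_rr: RR) -> bool:
    """DNSSEC validator check on the unsigned CNAME that follows a DNAME
    whose RRSIG has already been verified: redo the substitution from the
    DNAME and accept the CNAME only if it matches exactly. Anything else
    is treated as a forged or mangled CNAME."""
    owner, _, rtype, target = dname_rr
    cname_owner, _, ctype, cname_target = cname_rr
    if rtype != "DNAME" or ctype != "CNAME":
        return False
    status, expected = dname_substitute(cname_owner, owner, target)
    return status == "OK" and labels(expected) == labels(cname_target)


if __name__ == "__main__":
    # Constructed sample: a query for a name under the assumed ALT DNAME.
    status, rrs = synthesize_answer("foo.alt.", "alt.", "alt.empty.as112.arpa.", 3600)
    for rr in rrs:
        print(rr)
    print("validator accepts:", validator_accepts_cname(rrs[0], rrs[1]))
```

The `OWNER` and `YXDOMAIN` paths are the two places implementations have historically disagreed, which is the kind of implementation-specific trouble the message asks people to report with a version number; a query for `alt.` itself must return the DNAME (and whatever else is at that name) without a synthesized CNAME, and an over-long substitution must be refused rather than truncated. The validator function is why signing the DNAME is enough: the CNAME is derivable, so it needs no signature of its own.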