Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

David Conrad <drc@virtualized.org> Tue, 17 March 2015 17:17 UTC

From: David Conrad <drc@virtualized.org>
In-Reply-To: <D12E02F5.B7A7%alecm@fb.com>
Date: Tue, 17 Mar 2015 10:17:47 -0700
Message-Id: <1C9814DA-7843-4AB5-B98F-0BDADFA406CD@virtualized.org>
References: <CAFggDF0XX3v7yGsaCwFnE7cjK0yz4-frxFgoBJfnztO8k-LFBg@mail.gmail.com> <alpine.LFD.2.10.1503162052420.20709@bofh.nohats.ca> <D12DE3BF.B714%alecm@fb.com> <55084532.9010504@gnunet.org> <46B5350F-EADB-42C8-9013-54FA3DFC57E5@virtualized.org> <D12E02F5.B7A7%alecm@fb.com>
To: Alec Muffett <alecm@fb.com>
X-Mailer: Apple Mail (2.2070.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/rzSi1nbWLvh8JJCT3bheb5guC2I>
Cc: Richard Barnes <rlb@ipv.sx>, dnsop <dnsop@ietf.org>, Christian Grothoff <grothoff@gnunet.org>, Mark Nottingham <mnot@mnot.net>, Brad Hill <hillbrad@fb.com>, Jacob Appelbaum <jacob@appelbaum.net>, Paul Wouters <paul@nohats.ca>
Subject: Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

Alec,

On Mar 17, 2015, at 9:20 AM, Alec Muffett <alecm@fb.com> wrote:
> Christian’s response clearly distinguishes the separateness of Jake & my
> document "draft-appelbaum-dnsop-onion-tld-00.txt” from his
> “draft-grothoff-iesg-special-use-p2p-names”.

Yes. Hopefully, a revised version of draft-grothoff will be provided at some point; however, that's unrelated to your draft.

> In my previous e-mail I have outlined the goals of
> “draft-appelbaum-dnsop-onion-tld-00.txt” and will happily address any
> further questions.

Some thoughts on draft-appelbaum:

* In section 2:

"  2.  Application Software: Applications that implement the Tor
       protocol MUST recognize .onion names as special by either
       accessing them directly, or using a proxy (e.g., SOCKS [RFC1928])
       to do so.  Applications that do not implement the Tor protocol
       SHOULD generate an error upon the use of .onion, and SHOULD NOT
       perform a DNS lookup."

I might revise the second sentence to say:

"Applications that do not implement the Tor protocol will be unaware of the special treatment of the .onion domain; however, in keeping with all names found in the Special Names Registry, such applications SHOULD generate an error upon use of .onion names and MUST NOT perform a DNS lookup."

(this makes the assumption that the namespace defined by the Special Names Registry is not the DNS namespace)

" 3.  Name Resolution APIs and Libraries: Resolvers that implement the
       Tor protocol MUST either respond to requests for .onion names by
       resolving them (see [tor-rendezvous]) or by responding with
       NXDOMAIN.  Other resolvers SHOULD respond with NXDOMAIN."

I'd probably revise this to:

3.  Name Resolution APIs and Libraries: APIs and libraries that implement
    the Tor protocol MUST either respond to requests for .onion names by
    resolving them (see [tor-rendezvous]) or by responding with
    NXDOMAIN.  APIs and libraries that do not implement the Tor protocol
    will be unaware of the special treatment of the .onion domain; however,
    in keeping with all names in the Special Names Registry, calls with
    .onion names SHOULD generate an error and MUST NOT perform a DNS
    lookup.

"  4.  Caching DNS Servers: Caching servers SHOULD NOT attempt to look
       up records for .onion names.  They SHOULD generate NXDOMAIN for
       all such queries.

   5.  Authoritative DNS Servers: Authoritative servers SHOULD respond
       to queries for .onion with NXDOMAIN."

In both of these, why not "MUST" instead of "SHOULD"?

In section 4:

" .onion names are often used provide access to end to end encrypted,"

Probably should be "... used to provide ...".  Stylistically, might also say "end-to-end".

Hope this helps.

Regards,
-drc
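As an added illustration of items 3 and 4 above (this is example code written for this archive page, not from the draft, Tor, or any resolver), here is how a caching resolver could recognise a .onion QNAME in a wire-format query and answer NXDOMAIN locally instead of sending it to the DNS. The query builder and the transaction ID are constructed for the example; the parser assumes an uncompressed question section and a single question, which is what a normal stub query carries.

```python
import struct

SPECIAL_TLD = "onion"  # the name reserved by draft-appelbaum-dnsop-onion-tld


def is_onion_name(name: str) -> bool:
    """True when the rightmost label is 'onion' (case-insensitive, trailing dot ok).
    'onion.example.com' is NOT special: only the top-level label matters."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return bool(labels) and labels[-1].lower() == SPECIAL_TLD


def parse_qname(msg: bytes, offset: int = 12):
    """Return (name, offset_after_name) for the QNAME that starts at `offset`.
    Compression pointers are rejected: they never appear in a question QNAME."""
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0:
            raise ValueError("compression pointer in question QNAME")
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(qname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Constructed stub query: header with RD set, one question (IN class)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    wire = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in qname.rstrip(".").split("."))
    return header + wire + b"\x00" + struct.pack("!HH", qtype, 1)


def handle_query(query: bytes):
    """Return an NXDOMAIN response for .onion names; None means 'resolve normally'.
    The .onion case never reaches the upstream DNS (draft-appelbaum item 4)."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        return None
    qname, end = parse_qname(query)
    if not is_onion_name(qname):
        return None
    # QR=1, copy RD from the query, RA=1, RCODE=3 (NXDOMAIN); echo the question.
    rflags = 0x8000 | (flags & 0x0100) | 0x0080 | 3
    return struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0) + query[12:end + 4]


def rcode(resp: bytes) -> int:
    """Low four bits of the flags word."""
    return struct.unpack("!H", resp[2:4])[0] & 0x000F
```

The same `is_onion_name` check, placed in front of a library's lookup call, gives the item 3 behaviour (raise an error, perform no DNS lookup) for APIs that do not implement Tor.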