Re: [DNSOP] ALT-TLD and (insecure) delgations.

Brian Dickson <brian.peter.dickson@gmail.com> Fri, 03 February 2017 20:55 UTC

From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Fri, 03 Feb 2017 12:55:34 -0800
Message-ID: <CAH1iCiqBioG=kG_rQS12xXZ8SkSOpa-xupydTuGiR4ys9zmUJg@mail.gmail.com>
To: Bob Harold <rharolde@umich.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/sDnn6nz-rl9Z-UDXQUoaXnHS-ZE>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Subject: Re: [DNSOP] ALT-TLD and (insecure) delgations.

On Fri, Feb 3, 2017 at 12:19 PM, Bob Harold <rharolde@umich.edu> wrote:

>
> On Fri, Feb 3, 2017 at 3:02 PM, Brian Dickson <
> brian.peter.dickson@gmail.com> wrote:
>
>> Stephane wrote:
>>
>>> On Wed, Feb 01, 2017 at 03:28:29PM -0500,
>>>  Warren Kumari <warren at kumari.net> wrote
>>>  a message of 103 lines which said:
>>>
>>> > or 2: request that the IANA insert an insecure delegation in the
>>> > root, pointing to a: AS112 or b: an empty zone on the root or c:
>>> > something similar.
>>>
>>> Here, people may be interested by draft-bortzmeyer-dname-root (expired
>>> but could be revived). The main objection was the privacy issue
>>> (sending user queries to the "random" operators of AS112.)
>>>
>>>
>> My opinions on these issues are as follows, roughly:
>>
>>    - I am in favor of AS112 for ALT
>>    - For AS112, I prefer the AS112++ method (DNAME)
>>    - I do not see why the DNAME would/should not be DNSSEC signed
>>    - Any local use of ALT can be served locally and signed using an
>>    alternative trust anchor
>>    - I don't think there is any issue with having both the NXD from the
>>       root, and the local assertion of existence, both present (in cache and in
>>       authoritative data respectively)
>>       - Maybe there are issues with specific implementations?
>>       - If anyone knows of such problems, it would be helpful to
>>       identify them along with the implementation and version
>>    - For AS112 privacy, perhaps someone should write up a recommendation
>>    to set up local AS112 instances, to provide privacy, as an informational
>>    RFC?
>>       - Even simply through resolver configurations, without a full
>>       AS112 "announce routes"?
>>       - Do any resolver packages offer such a simple AS112 set-up?
>>       - Maybe the efforts for privacy should start there (implement
>>       first, then document)?
>>       - Do any stub resolver packages include host-local AS112
>>       features/configurations?
>>
>> Overall, I'm obviously in favor of use of ALT, and for signing whatever
>> is done for ALT, and for use of DNAME for ALT.
>>
>> Brian "DNAME" Dickson
>>
>>
> I would prefer an UNsigned delegation.  If someone wants a signed zone,
> they can add a trust anchor, I assume.  But if they want an unsigned zone
> there needs to be a way to get that.
>

I think you would be able to do the following, via local configuration, to
create an unsigned zone under ALT:

Locally configure ALT.
Have delegations to WHATEVER.ALT with NS, but without DS.
Sign the resulting ALT zone.

WHATEVER.ALT is now an unsigned zone, whose existence is signed by the
local trust anchor for ALT.

(The ALT trust anchor would exist alongside the real root trust anchor; the
local stuff overrides the root stuff, for ALT.)

Brian


>
> --
> Bob Harold
>
>
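
The local-configuration steps in the reply above, modelled as an added example (not part of the original message and not any resolver's code): a simplified chain-of-trust walk showing that a signed local ALT zone with an NS-only delegation leaves WHATEVER.ALT insecure rather than bogus. It assumes a closest-enclosing trust anchor policy; the zone data and the name `signed.alt.` are constructed, and no signatures are checked.

```python
# Added illustration: simplified model of a validator's chain-of-trust walk.
# All zone data below is constructed; no cryptographic checks are performed.
SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

def ancestors(name):
    """'a.b.alt.' -> ['a.b.alt.', 'b.alt.', 'alt.', '.'] (most specific first)."""
    labels = name.rstrip(".").split(".") if name != "." else []
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]

def classify(name, anchors, signed_zones):
    """Return (state, zone that decides the state) for name.

    anchors: set of zone apexes that have a configured trust anchor.
    signed_zones: apex -> {delegated child apex: has_ds}; each key stands for
    a zone whose records validate against its anchor or its parent's DS.
    """
    chain = ancestors(name)
    # Assumed policy: the closest enclosing trust anchor wins.
    zone = next((z for z in chain if z in anchors), None)
    if zone is None:
        return INSECURE, None          # nothing to validate against
    while True:
        if zone not in signed_zones:
            return BOGUS, zone         # chain promised signatures, none valid
        # Delegation points of this zone that lie on the path to name.
        cuts = [c for c in chain if c in signed_zones[zone]]
        if not cuts:
            return SECURE, zone        # answer or denial is signed by zone
        child = cuts[-1]               # the cut nearest this zone's apex
        if not signed_zones[zone][child]:
            return INSECURE, child     # signed proof that no DS exists
        zone = child                   # DS present: follow the chain down

ROOT_ONLY = {"."}
WITH_LOCAL_ALT = {".", "alt."}         # local ALT anchor beside the root one
ZONES = {
    ".": {"org.": True},               # root has no delegation for alt.
    "org.": {},
    "alt.": {"whatever.alt.": False,   # NS without DS
             "signed.alt.": True},     # NS with DS
    "signed.alt.": {},
}
```

With only the root anchor, the same name is answered by the root's signed denial, which is the "NXD from the root" case mentioned earlier in the thread.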