IETF Logo Mail Archive

[DNSOP] Re: [Ext] Re: what problem are we trying to solve, was Call for Adoption: draft-davies-internal-tld

Joe Abley <jabley@strandkip.nl> Tue, 17 June 2025 16:14 UTC

Return-Path: <jabley@strandkip.nl>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id D6D6F3605E42 for <dnsop@mail2.ietf.org>; Tue, 17 Jun 2025 09:14:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=strandkip.nl
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6s3KaPVVqXHD for <dnsop@mail2.ietf.org>; Tue, 17 Jun 2025 09:14:25 -0700 (PDT)
Received: from dane.soverin.net (dane.soverin.net [185.233.34.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256)) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id D8AF23605E26 for <dnsop@ietf.org>; Tue, 17 Jun 2025 09:14:25 -0700 (PDT)
Received: from smtp.soverin.net (unknown [10.10.4.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by dane.soverin.net (Postfix) with ESMTPS id 4bMBlN68pbz1H35; Tue, 17 Jun 2025 16:14:24 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net [10.10.4.100]) by soverin.net (Postfix) with ESMTPSA id 4bMBlN4LrBzHP; Tue, 17 Jun 2025 16:14:24 +0000 (UTC)
Authentication-Results: smtp.soverin.net; dkim=pass (2048-bit key; unprotected) header.d=strandkip.nl header.i=@strandkip.nl header.a=rsa-sha256 header.s=soverin1 header.b=XrpokwIV; dkim-atps=neutral
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=strandkip.nl; s=soverin1; t=1750176864; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=hHRDVVRUd3WFnP9Txlf7L6SIW2zjP+tvzp5Fyumg6qs=; b=XrpokwIVtGNfZ2JboBjgRFSbi44RkEmWs6EkzHuCUKM86LEfmByeDokUnW1d+o2e6BirGV 1XFbsu5Ky4KXXOlglPyWSXk8WBZ4jymAbC7NB7UZtwl/qOGS/EnlJ6h+8N2xLW+Onpw449 Eoilija6dFtRYmtvN9qC0W2kO9OHB/gjuk5S9CW4tYkLnbMUJLFGFsso9//SyPN9u+yxPz NdxWUMgGXHH+4COFdc8GmF8kp1QTTMXZNDu5scCqp7MEO9DGMb7G7id5mgwukqOBejDgSl 5gqYTnYjnhfetKeRn93jPam5kt1KBHc/xtpnj5xeBNAspizHzu3WwimdqzBdhA==
X-CM-Envelope: MS4xfFTFXjlSLypQ8NewzBkzsaffPrP6PVs3k1MN84LUNKis1z7Z11dfx5uAA367yhVcllswM6shswHEzSVT3wGO36LaPS+K0AUb/1I13NzuUqJY/08mh4Nc u/gUCSQ84b9+KYxPs3WzK4a6Y0cawWJ264FuXZBoKa43p70EaxeVb/ClLiSd8Et/wRBeD2pK4Tc8awomFqgja67pNLH3hCqF++27lk2lu5GqcxmzcMzQV8pB I0YPafh4SEXN3tiQhuqn5dm/BEXrWYLl/qkEDKC+0Eo=
X-CM-Analysis: v=2.4 cv=UsCZN/wB c=1 sm=1 tr=0 ts=68519460 a=Xe3T0Gaq1rth7aCrjvjMsw==:617 a=EAbm1kOQ37LB4ChJ:21 a=xqWC_Br6kY4A:10 a=IkcTkHD0fZMA:10 a=48vgC7mUAAAA:8 a=QLhupLqRAAAA:8 a=SCo1hh1FAAAA:8 a=lcDB774rd4wLoaEoIxYA:9 a=QEXdDO2ut3YA:10 a=tar-a19HCcU9EdznJS_w:22 a=nwb-CePKZZm3gL-ai9HY:22 a=ADiJHLWpjGBBXEl7-v_j:22
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3826.600.51.1.1\))
From: Joe Abley <jabley@strandkip.nl>
In-Reply-To: <20250617155625.4A1B8CE93F75@ary.qy>
Date: Tue, 17 Jun 2025 18:14:14 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <0957339E-2F92-49B8-ADDC-4A1DCB763323@strandkip.nl>
References: <1C9E8ABA-4399-491B-A9F4-D9ACCB1BA72C@virtualized.org> <866409E5-0D9A-4669-8C6E-C9D1C7BDAA21@dnss.ec> <SA1PR15MB4370BAE2BD669193DDB9AE44B38D2@SA1PR15MB4370.namprd15.prod.outlook.com> <20250502171756.5AC67C762C3C@ary.qy> <SA1PR15MB43704113DF8B19A8A5A66AD6B38D2@SA1PR15MB4370.namprd15.prod.outlook.com> <4B83E121-9562-449C-A00E-2A31894ADED0@icann.org> <m1uBDWf-0000MlC@stereo.hq.phicoh.net> <9EE8E4CC-04A3-46C7-BDDF-EF538A822AA8@virtualized.org> <m1uBHRs-0000LsC@stereo.hq.phicoh.net> <BE3A5560-740A-47A9-835B-8C8EEF2B50B9@virtualized.org> <m1uCDdk-0000LlC@stereo.hq.phicoh.net> <20250506133721.199BCC803209@ary.qy> <m1uCItL-0000LTC@stereo.hq.phicoh.net> <6d8bc9b1-8729-08b7-bd0c-564ae0dd3a59@taugh.com> <9D0395B7-1157-4569-B2C7-628BBD909887@fugue.com> <C3487997-B656-4A6D-A069-752077629957@icann.org> <5ed468ec-f2c5-4cac-bea3-36a8da3a5931@isc.org> <20250617155625.4A1B8CE93F75@ary.qy>
To: "John R. Levine" <johnl@taugh.com>
X-Spampanel-Class: ham
Message-ID-Hash: VCIS5DOTGQTXA6T6MP7ORJIXIN7BMTNP
X-Message-ID-Hash: VCIS5DOTGQTXA6T6MP7ORJIXIN7BMTNP
X-MailFrom: jabley@strandkip.nl
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: [Ext] Re: what problem are we trying to solve, was Call for Adoption: draft-davies-internal-tld
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/tw9XLsKb0vQCmiW-I8t7LDe9uJY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Hi John,

On 17 Jun 2025, at 17:56, John Levine <johnl@taugh.com> wrote:

> It appears that Petr � pa� ek <pspacek@isc.org> said:
>> This is provably incorrect. 10.in-addr.arpa is an insecure delegation 
>> which with network-dependent content, and it works for decades. ...
> 
> I dunno about you, but on all the systems I use the local cache substitutes
> a stub for 10.in-addr.arpa so it doesn't matter what the global DNS says.

10.IN-ADDR.ARPA exists in the global namespace, and is an insecure delegation from the IN-ADDR.ARPA zone. INTERNAL does not exist in the global namespace, and its non-existence is provable using DNSSEC. These things are not quite the same.

My understanding is that some people are worried about:

 - mobile device, regularly roams between different networks
 - device has its own resolver cache, but uses network-provided nameservers
 - device does its own validation
 - device manages to cache the non-existence of .INTERNAL while using nameservers that do not reveal the existence of that domain
 - device subsequently relocates to a network whose local nameservers do serve responses under .INTERNAL
 - device fails to accept .INTERNAL names because they contradict with the signed non-existence in the cache
 - hilarity ensues

I have not seen this use-case myself but I can appreciate that the imagined device in this example might have an ambiguous situation to deal with.

> I don't see any way to reconcile those.

The draft we just submitted and that I just sent a clickbaity message about proposes a lightweight method to reduce the ambiguity.

https://datatracker.ietf.org/doc/draft-jabley-dnsop-zone-cut-to-nowhere/


Joe

v2.31.3 | Report a Bug | By Email | System Status