IETF Logo Mail Archive

[DNSOP] Re: [Ext] Re: what problem are we trying to solve, was Call for Adoption: draft-davies-internal-tld

Ted Lemon <mellon@fugue.com> Tue, 06 May 2025 20:46 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 87623259BFAD for <dnsop@mail2.ietf.org>; Tue, 6 May 2025 13:46:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.799
X-Spam-Level:
X-Spam-Status: No, score=-2.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=fugue.com header.b="NdJIipxL"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="P9XjjWcX"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4UNMKJw56GME for <dnsop@mail2.ietf.org>; Tue, 6 May 2025 13:46:10 -0700 (PDT)
Received: from fhigh-a1-smtp.messagingengine.com (fhigh-a1-smtp.messagingengine.com [103.168.172.152]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id DDBAB259BFA8 for <dnsop@ietf.org>; Tue, 6 May 2025 13:46:10 -0700 (PDT)
Received: from phl-compute-04.internal (phl-compute-04.phl.internal [10.202.2.44]) by mailfhigh.phl.internal (Postfix) with ESMTP id B7F91114027E; Tue, 6 May 2025 16:46:10 -0400 (EDT)
Received: from phl-mailfrontend-01 ([10.202.2.162]) by phl-compute-04.internal (MEProxy); Tue, 06 May 2025 16:46:10 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue.com; h=cc :cc:content-transfer-encoding:content-type:content-type:date :date:from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to; s=fm1; t=1746564370; x=1746650770; bh=vV0gVvBpVjBp6ZWZfGJO/K8LQmufiu7u9dnlMRr2J98=; b= NdJIipxL5C75rm6k8NAVKfnJ9NCbm6WMBIT99YgG7hznXS54lbHyTXJbpKFcckPc rWPZ31YMVn7Y3UdY1JVncO8z38Ux1FaG5JeB9f1gYO5qrHXqB3kHvAjrZ6fL11OX /cM7/N+0EXn9H4chBMiG734PgSVQapE5VnGkrSd74DVsMPYVtd/1jx61o9L1cVLa TC2WvJoESe4Rz2WjVgBzxLXneSpz+ywzZC00ZEl4DvPLsZftlSMZn8C/MeY9sYel VVRk6UK66YzPkFcT9JgoIoZR3+bY4iFVsc6ExDhemFvPC9vAdrZh+bJmcoVjelsV T9EiiAE3mIs/D5KmC/M/+g==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:date:feedback-id:feedback-id :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=1746564370; x= 1746650770; bh=vV0gVvBpVjBp6ZWZfGJO/K8LQmufiu7u9dnlMRr2J98=; b=P 9XjjWcXkykDj8+WRV2OMpN2revBt3jdI/xcPyJcOvynWpEdgJmvIOSqYEBIRr6qs 0UrhPjy+9l8RvUWnvDZVIs5GSatszWGZYvZWyuDzlJPgsjvHzC9lIBFocRKzJ2kY Y7nw6IS7PUhkesL0G+8ohtLPqC7zKAG/a3XxXWGISODUBWoQnr54fxYGGNRAEDQr eONnqi7wv/NbFJu/lCL8C97zPrGpDclgXEa9OOjcjYnbhAIsUNprj9bbuO6Okg8l 5T02SqCqu9lAzben9FkTFf/FbrIezXbLeh3ikI4HAEdT42SMT7Cu1LU1QbjTNtGk ewvfg17gD5hSY+j4C4POw==
X-ME-Sender: <xms:EnUaaOkxW8Mwme35Ao8IHz_hRzlPvyt8yIgcrSrXl2ABJK1GCL7A_g> <xme:EnUaaF2ybXWi8vhxPSBu8ERa8TdJf4ere8NSPy3MonjTksIzEgitx0AAFok1TCkvQ fSj-JtIgj3wRv9tZHE>
X-ME-Received: <xmr:EnUaaMrXEJmhlQXcYL6Hlry6dqOs4816n_hQATv5Gri4XB5VpC7OPxSzDiKdfuqH-YnchBA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefvddrtddtgddvkeegleejucetufdoteggodetrf dotffvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggv pdfurfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpih gvnhhtshculddquddttddmnecujfgurheptggguffhjgffvefgkfhfvffosehtqhhmtdhh tdejnecuhfhrohhmpefvvgguucfnvghmohhnuceomhgvlhhlohhnsehfuhhguhgvrdgtoh hmqeenucggtffrrghtthgvrhhnpeelleekledulefggedvgeefvdfhtefhtdffffetgfej kedttedtteduvdfgfedvieenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmh grihhlfhhrohhmpehmvghllhhonhesfhhughhuvgdrtghomhdpnhgspghrtghpthhtohep fedpmhhouggvpehsmhhtphhouhhtpdhrtghpthhtohepmhgrrhhkrgesihhstgdrohhrgh dprhgtphhtthhopehprghulhdrhhhofhhfmhgrnhesihgtrghnnhdrohhrghdprhgtphht thhopegunhhsohhpsehivghtfhdrohhrgh
X-ME-Proxy: <xmx:EnUaaCnJJq2tLvrf4_m9hpUrLmuYjTp-XAqnqGGX1IuDTtctvvCsoQ> <xmx:EnUaaM1ATs7jAOxGieIDIcFrd82ZvxWNoYgxjLOy1_dYJsQ39DjG2w> <xmx:EnUaaJthbCmXuTncj_Wu8hTxfAJpn1sMrwLi6rm8Vw8_tK1RC1CTLA> <xmx:EnUaaIViWNrayiNW7zXT60A7gu31SvC-Ag_LPjG4hWlnhTQnsYWvyg> <xmx:EnUaaLgunLd5_yFNi7jiRlLC12C4F_ELeqAY5nAIVRr8fh93xGhWBA-U>
Feedback-ID: i1136489e:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Tue, 6 May 2025 16:46:09 -0400 (EDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3826.600.51.1.1\))
From: Ted Lemon <mellon@fugue.com>
In-Reply-To: <D4177A34-3EF6-45D9-8076-49A12BFCE81F@isc.org>
Date: Tue, 06 May 2025 22:45:58 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <7935F96B-C006-4D9A-B65B-59652630B46A@fugue.com>
References: <C3487997-B656-4A6D-A069-752077629957@icann.org> <D4177A34-3EF6-45D9-8076-49A12BFCE81F@isc.org>
To: Mark Andrews <marka@isc.org>
X-Mailer: Apple Mail (2.3826.600.51.1.1)
Message-ID-Hash: ABLWVBRV3ZM3G24TZRPRHKKTOLP47RRV
X-Message-ID-Hash: ABLWVBRV3ZM3G24TZRPRHKKTOLP47RRV
X-MailFrom: mellon@fugue.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Paul Hoffman <paul.hoffman@icann.org>, dnsop@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: [Ext] Re: what problem are we trying to solve, was Call for Adoption: draft-davies-internal-tld
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/vwE8boN_Xr_jAlCT3S4rVVzfuOM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

The Apple resolver at least clears the cache whenever it detects a network transition. So the problem Paul is describing wouldn't happen. Dunno what other mobile devices do.

I think its worth documenting this behavior if the working group wants to do that work.

> On 6 May 2025, at 22:42, Mark Andrews <marka@isc.org> wrote:
> 
> While this is an interesting issue how does this differ from what already exists for every mobile device which connects to a network with private names today?  These names resolve it NXDOMAIN or not depending on the attachment point.  
> Traditionally stub resolvers only keep answers for as long as they need them for. That is usually significantly less than the TTL of the returned answer, often milliseconds.   If there is a on device cache it can be partially flushed on SSID changes.  If the device is worried about spoofed answers it can install (additional) trust anchors based on SSID that are  initially added using out of band methods and maintained using RFC 5055. 
> 
> For hardwired devices there are profiles that can be set by the user when they connect.  They flush the local cache today of you have a Mac and other OS have similar capabilities. Trust anchors can be set via that mechanism.  
> 
> Note negative trust anchors are NOT used above. 
> 
> -- 
> Mark Andrews
> 
>> On 7 May 2025, at 04:11, Paul Hoffman <paul.hoffman@icann.org> wrote:
>> 
>> On May 6, 2025, at 09:56, Ted Lemon <mellon@fugue.com> wrote:
>>> 
>>> I think that you're trying to solve two different problems here. The first problem is just generally what can you do to avoid causing a validation failure? The second problem is, how can you actually validate locally served domains?
>>> 
>>> They are both really interesting questions, and I think that it would be very useful to consider how we would solve the problem of validating locally served domain.
>>> 
>>> However, this is not absolve us of the responsibility to make sure that we don't accidentally cause validation failures where they are inappropriate. We already have prior art on this. We know how to solve this problem. RFCs that solve this problem all solve that and exactly the same way.
>> 
>> ...and that way might not work the way we want, and thus should be defined in RFCs before we make recommendations about them. In specific, we don't have any RFCs that deal with insecure delegation for clients that move around.
>> 
>> Assume that a resolver for a corporate network uses .example as a TLD for its internal users. A user starts up their laptop when outside the network, and try to access foo.example.
>> 
>> - If .example is not listed in the root zone, they get a short-lived NXDOMAIN. When they move on to the corporate network after a short period of time, and try again, they get the address for foo.example.
>> 
>> - If .example has an insecure delegation, they get a two-day TTL to a nameserver that will tell them that foo.example doesn't exist.  When they move on to the corporate network after a short period of time, they still believe that foo.example doesn't exist because they believe the nameserver for .example is the one in the insecure delegation at the root.
>> 
>> This can probably be fixed, but we don't currently have such a fix in an RFC. I suspect there will be strong disagreement about what the fix should be (I have no opinion, and probably won't later). Saying "We already have prior art on this" understates what the "this" is.
>> 
>> --Paul Hoffman
>> 
>> _______________________________________________
>> DNSOP mailing list -- dnsop@ietf.org
>> To unsubscribe send an email to dnsop-leave@ietf.org
>

v2.31.3 | Report a Bug | By Email | System Status