Re: [DNSOP] DNS privacy and AS 112: the case of home.arpa

Ted Lemon <mellon@fugue.com> Thu, 14 December 2017 01:45 UTC

From: Ted Lemon <mellon@fugue.com>
Message-Id: <E29866C2-763D-426D-A8F0-DF0EF1B19D52@fugue.com>
Date: Wed, 13 Dec 2017 20:45:42 -0500
In-Reply-To: <09515131-DD1B-4FC9-90F6-C088173857BA@hopcount.ca>
Cc: Stephane Bortzmeyer <bortzmeyer@nic.fr>, dnsop@ietf.org, Paul Vixie <paul@redbarn.org>
To: Joe Abley <jabley@hopcount.ca>
References: <20171211090051.qjoruin7nkdjsnvd@nic.fr> <5A2E4B7C.50509@redbarn.org> <20171211091800.wonjnvhl3xrx6r4s@nic.fr> <118C37A8-0DEF-460B-8A79-AAE470D3CED8@hopcount.ca> <1B37BBA1-D141-441A-855E-1ACFF2DC15BD@fugue.com> <EC253232-3713-426E-9300-20AE38C8BE4F@hopcount.ca> <23CF8A88-F530-426D-A6A9-4B80AF28D603@fugue.com> <09515131-DD1B-4FC9-90F6-C088173857BA@hopcount.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/w6Hxcr24hDOxI00JjMMBPiSp9lM>

On Dec 13, 2017, at 7:31 PM, Joe Abley <jabley@hopcount.ca> wrote:
> The ambiguity is (for example) that "point to" is not a well-defined phrase, given that we have two documented ways of doing this in the AS112 project, and neither is "black hole server" which from the examples seems it refers to servers made available from the AS112 project, but which examples surely are non-normative.

What is wanted is that there be a delegation in .arpa for home.arpa that isn't signed, so that DNSSEC validation will not fail when an answer is presented to the stub that is different than what's in the .arpa zone. There is never a valid use case where a query actually goes to a server to which home.arpa is delegated from the authoritative servers for .arpa. We just need for .arpa not to say something that contradicts what the locally-served zone says.

This is the same behavior that is necessary for e.g. 10.in-addr.arpa, in order that a local DNS service can provide answers within that zone without the actual from-the-root delegation authentically contradicting what that server is saying.

IOW, if you think that what is being requested here is different than what's needed for 10.in-addr.arpa, we've failed to communicate. The issue is that we hadn't really thought about the secure denial of existence problem prior to the dot-home work.
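As an added illustration (not part of the message above or of any AS112/home.arpa document), the toy Python model below shows why the unsigned delegation matters: it walks a signed parent's NSEC chain to decide whether the parent authentically denies the child's existence, proves an insecure delegation (NS without DS), or proves a secure one, and maps that to the RFC 4035 status a validating stub would give a locally served answer. The .arpa zone contents, NSEC chain and type bitmaps are constructed and simplified, and the same logic applies to the 10.in-addr.arpa case the message compares it to.

```python
# Toy model of validator behaviour for a locally served zone under a signed parent.
# All zone data below is constructed and simplified; no network access, no real records.

def canon_key(name):
    """Canonical DNS ordering key (RFC 4034 s6.1): labels compared right to left, case-insensitively."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))

def find_nsec(chain, name):
    """Return ('match', types) if an NSEC owns `name`, ('cover', types) if an NSEC covers it
    (owner < name < next, with wrap-around at the zone apex), else ('none', None)."""
    key = canon_key(name)
    for owner, nxt, types in chain:
        o, n = canon_key(owner), canon_key(nxt)
        if key == o:
            return "match", types
        if o < key < n or (n <= o and (key > o or key < n)):  # last NSEC wraps to the apex
            return "cover", types
    return "none", None

def validation_status(chain, child_zone, child_answer_signed=False):
    """RFC 4035 security status a validator assigns to an answer under child_zone,
    given the signed parent's NSEC chain."""
    kind, types = find_nsec(chain, child_zone)
    if kind == "cover":
        return "Bogus"       # parent authentically proves the child does not exist; answer contradicts it
    if kind == "match" and "NS" in types and "DS" not in types:
        return "Insecure"    # unsigned delegation: no DS, so unsigned local answers are accepted
    if kind == "match" and "DS" in types:
        return "Secure" if child_answer_signed else "Bogus"  # DS present: chain must validate
    return "Indeterminate"   # case not covered by this model (e.g. the apex itself)

# Constructed .arpa NSEC chain with no home.arpa delegation at all.
ARPA_NO_HOME = [
    ("arpa.", "e164.arpa.", {"SOA", "NS", "RRSIG", "NSEC", "DNSKEY"}),
    ("e164.arpa.", "in-addr.arpa.", {"NS", "DS", "RRSIG", "NSEC"}),
    ("in-addr.arpa.", "ip6.arpa.", {"NS", "DS", "RRSIG", "NSEC"}),
    ("ip6.arpa.", "arpa.", {"NS", "DS", "RRSIG", "NSEC"}),
]
# Same chain after adding an unsigned delegation for home.arpa (NS present, no DS).
ARPA_WITH_HOME = [
    ("arpa.", "e164.arpa.", {"SOA", "NS", "RRSIG", "NSEC", "DNSKEY"}),
    ("e164.arpa.", "home.arpa.", {"NS", "DS", "RRSIG", "NSEC"}),
    ("home.arpa.", "in-addr.arpa.", {"NS", "RRSIG", "NSEC"}),
    ("in-addr.arpa.", "ip6.arpa.", {"NS", "DS", "RRSIG", "NSEC"}),
    ("ip6.arpa.", "arpa.", {"NS", "DS", "RRSIG", "NSEC"}),
]

if __name__ == "__main__":
    print("no delegation:      ", validation_status(ARPA_NO_HOME, "home.arpa."))    # Bogus
    print("unsigned delegation:", validation_status(ARPA_WITH_HOME, "home.arpa."))  # Insecure
```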