Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only

Paul Wouters <paul@nohats.ca> Thu, 30 July 2020 20:36 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A9303A0C86 for <dnsop@ietfa.amsl.com>; Thu, 30 Jul 2020 13:36:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7sCeeIQTNmob for <dnsop@ietfa.amsl.com>; Thu, 30 Jul 2020 13:36:57 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6CE613A0C46 for <dnsop@ietf.org>; Thu, 30 Jul 2020 13:36:57 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4BHhzC31ZKz5T4; Thu, 30 Jul 2020 22:36:55 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1596141415; bh=QRJkBMuAb4MKnf+TVDaDwhLV9uYuMl2XXb2JNfDSa9k=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=Dfy04ByBlVH98a/nGARWxQr+yLJmr1ZqIDG7erBAhGQIQZKHjGuT8+NOKwo94fcRV Sk6J/gODVwWXtFggfJiI+fke2wbNTn1qoV4v6gLIr+QhR1avRkg7BhkQ7wQt09sXRk /NPzS/YFz+/dY7Pg01+3RfF8VlP78rzjSvkQqDUY=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id 0YIybqpzIVmp; Thu, 30 Jul 2020 22:36:54 +0200 (CEST)
Received: from bofh.nohats.ca (unknown [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Thu, 30 Jul 2020 22:36:54 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 8A0156029BA4; Thu, 30 Jul 2020 16:36:52 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 81A9A669F1; Thu, 30 Jul 2020 16:36:52 -0400 (EDT)
Date: Thu, 30 Jul 2020 16:36:52 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: Joe Abley <jabley@hopcount.ca>
cc: dnsop <dnsop@ietf.org>
In-Reply-To: <31548781-6B30-4198-810F-32245590C7D6@hopcount.ca>
Message-ID: <alpine.LRH.2.23.451.2007301630050.418549@bofh.nohats.ca>
References: <CAHbrMsDWR0Yf_66f7g6sYm5Wk5vg9avGnLLT2sqezHzJzK4qJw@mail.gmail.com> <05f9f7ce-1bb7-b195-1be5-4db4c13b3145@nic.cz> <alpine.LRH.2.23.451.2007301253530.416340@bofh.nohats.ca> <F16107A1-669C-41AD-9F59-1794C64B0737@hopcount.ca> <alpine.LRH.2.23.451.2007301446380.418549@bofh.nohats.ca> <31548781-6B30-4198-810F-32245590C7D6@hopcount.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/wFzO0S4-1E2JOCHOyrsDa51DgFg>
Subject: Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2020 20:36:59 -0000

On Thu, 30 Jul 2020, Joe Abley wrote:

>> The .org is definately what I would call a
>> delegation-only domain. Now let's examine the corner case you have
>> and see if/what we can do.
>
> OK. Note that it's not a corner case, however; there are many thousands of examples of this and although I haven't examined every single serial that has ever been published, it seems entirely plausible that that there has never been an ORG zone published since 2002 which has been delegation-only.

50 domains in a few million is a corner case :)  But let's not drift
into language here. I understand your point in that you always have a
few of these in the .org zone.

>> So you are saying that if ns1.example.org serves another-example.org
>> and example.org is suspended for abuse, that you will still service
>> A records for ns1.example.org and NS records for another-example.org
>> containing ns1.example.org but no NS records for example.org? In
>> the hopes that another-example.org keeps working?
>
> That also seems quite imprecise. Here's a more specific worked example to make sure we understand each other.
>
> $ORIGIN ORG.
>
> BADDOMAIN NS ...
> BADDOMAIN NS ...
> NS1.BADDOMAIN A 192.0.2.1
>
> GOODDOMAIN NS NS1.BADDOMAIN.ORG.
> GOODDOMAIN NS ...
>
> If BADDOMAIN.ORG is suspended (or if the domain is suppressed for some equivalent reason) then the zone cut betwen ORG and BADDOMAIN.ORG will be removed (the BADDOMAIN.ORG NS set will disappear) but the A record above will remain, since it is linked to another domain, GOODDOMAIN.ORG, that depends upon it. Without a zone cut, that makes the ORG servers authoritative for the A record.

That is exactly what my "quite imprecise" text said :)

Although please clarify what you do if there are DS records for
BADDOMAIN.ORG and/or GOODDOMAIN.ORG

> To a certain extent, this behaviour is a consequence of (a) the venerable operaetional need to suspend domains because they have been implicated in abuse and (b) the EPP data model used in the ORG registry, which itself has its origins in the RRP data model used before the re-delegation of ORG to PIR in 2002. As such, it's tempting to assert that the behaviour is a contractual requirement shared with all other gTLDs that are operated subject to the same contract that exists between PIR and ICANN, hence my question about applicability.
>
>> Wouldn't that already fail with DNS servers like unbound with:
>>
>> 	harden-glue: yes
>> 	harden-dnssec-stripped: yes
>> 	harden-below-nxdomain: yes
>> 	harden-referral-path: yes
>>
>> which is the default in Fedora / RHEL / CentOS and maybe others?
>
> If so, that sounds like a problem with Fedora/RHEL/CentOS. To the best of my knowledge, this has been the way that ORG has operated for the past 18+ years.

Clearly not many people are querying for BADDOMAINS.ORG, or they are
afraid to contact you?

Also, you seem to claim that it is normal and accepted that one should
trust unsigned glue records from a parent for your delegation and that
confirming these records at the child is something that you count on
people not doing?

Seems like .org needs to update an 18+ year old operation policy, and
just to clarify that has nothing to do with this draft as .org already
has this problem.

Paul