Re: [DNSOP] ALT-TLD and (insecure) delgations.
Warren Kumari <warren@kumari.net> Wed, 01 February 2017 23:47 UTC
In-Reply-To: <20170201204455.6nymmjlj5lzq2ect@mycre.ws>
References: <CAHw9_i+8PA3FQx8FqW-xQ_96it7k-g5UrMB7fxARUi1gwQ++hw@mail.gmail.com> <20170201204455.6nymmjlj5lzq2ect@mycre.ws>
From: Warren Kumari <warren@kumari.net>
Date: Wed, 01 Feb 2017 18:46:50 -0500
Message-ID: <CAHw9_iJ50jWgsAe+hRKUtubfAtpt7+GEeCKEASzypcf86+4nYA@mail.gmail.com>
To: Robert Edmonds <edmonds@mycre.ws>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ypQ14HrWs82FS-3nH33IboAX17E>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] ALT-TLD and (insecure) delgations.
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
On Wed, Feb 1, 2017 at 3:44 PM, Robert Edmonds <edmonds@mycre.ws> wrote:
> Warren Kumari wrote:
>> The largest outstanding issue is what to do about DNSSEC -- this is
>> (potentially) a problem for any / all 6761 type names.
>> The root is signed, so if a query leaks into the DNS (as they will),
>> an (unaware) validating resolver will try to resolve it, and will expect
>> either a signed answer, or proof of an insecure delegation; without
>> this things will look bogus, and so resolvers will SERVFAIL.
>>
>> Clearly, a signed answer isn't feasible, so that leaves 2 options - 1:
>> simply note that validation will fail, and that SERVFAIL will be
>> returned in many cases (to me this seems "correct"), or 2: request that
>> the IANA insert an insecure delegation in the root, pointing to a:
>> AS112 or b: an empty zone on the root or c: something similar.
>
> Hi, Warren:
>
> I'm kind of confused. If a .ALT query leaks into the DNS, and there's
> neither a secure nor an insecure delegation in the root, isn't the result a
> signed NXDOMAIN, not a SERVFAIL?
>
> ; <<>> DiG 9.11.0-P1 <<>> +dnssec foo.alt
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36917
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

Yup, but if a resolver has an (empty) local zone for .alt, and someone
queries it and validates, then I think you get SERVFAIL -- the root
says .alt doesn't exist, but here you have an answer apparently from
inside the zone -- 'tis an empty / NXD answer, but still looks like
shenanigans are happening...

W

>
> --
> Robert Edmonds

--
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
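The validator decision the two messages above are arguing about, as an added example (not code from the thread or from any resolver implementation): a small Python model of how a DNSSEC validator classifies an answer for a leaked foo.alt query. The NSEC chain is constructed for illustration and is not the real root zone; signature verification is assumed to have succeeded wherever a response is marked signed. The three scenarios are the ones discussed: a leaked query answered by the signed root (secure NXDOMAIN, matching the dig output), an unsigned answer from an empty local alt. zone while the root proves alt. does not exist (bogus, hence SERVFAIL), and the same local zone once the root carries an insecure delegation for alt. (accepted as insecure, AD bit clear).

```python
"""Toy model of a DNSSEC validator's verdict for a leaked foo.alt query.

Constructed example, not code from the thread or from any resolver. The
NSEC chains below are made up (placeholder TLDs alpha. and beta.); they
are not the real root zone. Wherever a response is marked signed=True the
RRSIG is assumed to have verified against the root trust anchor.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """Sort key for RFC 4034 section 6.1 canonical name ordering: labels are
    compared right to left (most significant label first), case-insensitively,
    and a shorter label sorts before a longer one with the same prefix."""
    labels = [lbl.lower().encode("ascii") for lbl in name.rstrip(".").split(".") if lbl]
    return tuple(reversed(labels))


@dataclass(frozen=True)
class NSEC:
    owner: str
    next_name: str
    types: FrozenSet[str]  # type bitmap of the owner name


def nsec_covers(rr: NSEC, name: str) -> bool:
    """True if `name` sorts strictly between owner and next, i.e. this NSEC
    proves the name does not exist. The last NSEC in a chain points back to
    the apex, so its interval wraps around."""
    o, n, q = canonical_key(rr.owner), canonical_key(rr.next_name), canonical_key(name)
    if o < n:
        return o < q < n
    return q > o or q < n


def root_ds_proof(tld: str, root_chain: List[NSEC]) -> str:
    """What the signed root proves about the delegation point `tld`:
    'nxdomain' - an NSEC covers the name: it does not exist in the root at all;
    'insecure' - an NSEC sits at the name with NS but no DS: unsigned delegation;
    'signed'   - the name exists with a DS, so data below it must validate."""
    key = canonical_key(tld)
    for rr in root_chain:
        if canonical_key(rr.owner) == key:
            if "NS" in rr.types and "DS" not in rr.types:
                return "insecure"
            return "signed"
        if nsec_covers(rr, tld):
            return "nxdomain"
    raise ValueError("NSEC chain does not cover %r" % tld)


@dataclass
class Response:
    qname: str
    rcode: str    # "NOERROR" / "NXDOMAIN" as sent by whoever answered
    signed: bool  # RRSIG present and (assumed) verified


def validate(resp: Response, root_chain: List[NSEC]) -> Tuple[str, str]:
    """Return (security status, rcode handed to the stub). A validating
    resolver turns anything it classifies as bogus into SERVFAIL (RFC 4035)."""
    if resp.signed:
        return "secure", resp.rcode
    tld = resp.qname.rstrip(".").split(".")[-1] + "."
    if root_ds_proof(tld, root_chain) == "insecure":
        # Provably unsigned subtree: unsigned data is accepted, AD stays clear.
        return "insecure", resp.rcode
    # The root proves the TLD does not exist (or is signed), yet the answer is
    # unsigned: the validator cannot reconcile the two and marks it bogus.
    return "bogus", "SERVFAIL"


# Constructed root NSEC chains. Only the relative order of the labels matters.
ROOT_WITHOUT_ALT = [
    NSEC(".", "alpha.", frozenset({"NS", "SOA", "RRSIG", "NSEC", "DNSKEY"})),
    NSEC("alpha.", "beta.", frozenset({"NS", "DS", "RRSIG", "NSEC"})),  # covers alt.
    NSEC("beta.", ".", frozenset({"NS", "DS", "RRSIG", "NSEC"})),
]
ROOT_WITH_INSECURE_ALT = [
    NSEC(".", "alpha.", frozenset({"NS", "SOA", "RRSIG", "NSEC", "DNSKEY"})),
    NSEC("alpha.", "alt.", frozenset({"NS", "DS", "RRSIG", "NSEC"})),
    NSEC("alt.", "beta.", frozenset({"NS", "RRSIG", "NSEC"})),  # NS, no DS: option 2 above
    NSEC("beta.", ".", frozenset({"NS", "DS", "RRSIG", "NSEC"})),
]


def scenarios() -> Dict[str, Tuple[str, str]]:
    leaked_to_root = Response("foo.alt.", "NXDOMAIN", signed=True)    # the dig output above
    from_local_zone = Response("foo.alt.", "NXDOMAIN", signed=False)  # empty local alt. zone
    return {
        "leak, no local zone": validate(leaked_to_root, ROOT_WITHOUT_ALT),
        "local zone, root has no alt.": validate(from_local_zone, ROOT_WITHOUT_ALT),
        "local zone, insecure delegation": validate(from_local_zone, ROOT_WITH_INSECURE_ALT),
    }


if __name__ == "__main__":
    for label, (status, rcode) in scenarios().items():
        print("%-34s %-8s -> %s" % (label, status, rcode))
```

The middle scenario is the one Warren describes: the local zone's negative answer is not wrong in itself, but a validator downstream of that resolver has no way to reconcile an unsigned answer "from inside alt." with the root's signed proof that alt. does not exist, so it SERVFAILs. Adding an insecure delegation (the third scenario) gives the validator the DS-absence proof it needs and the unsigned NXDOMAIN passes through.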
- [DNSOP] ALT-TLD and (insecure) delgations. Warren Kumari
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ted Lemon
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Robert Edmonds
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Bob Harold
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ralph Droms
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Mark Andrews
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Bob Harold
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ted Lemon
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Mark Andrews
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ralph Droms
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ralph Droms
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Warren Kumari
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Warren Kumari
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Mark Andrews
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Stephane Bortzmeyer
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Suzanne Woolf
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Suzanne Woolf
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Suzanne Woolf
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ralph Droms
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ted Lemon
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Andrew Sullivan
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ted Lemon
- Re: [DNSOP] ALT-TLD and (insecure) delgations. George Michaelson
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Andrew Sullivan
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Andrew Sullivan
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ray Bellis
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Mark Andrews
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ted Lemon
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ted Lemon
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Mark Andrews
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Suzanne Woolf
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Olafur Gudmundsson
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ted Lemon
- Re: [DNSOP] ALT-TLD and (insecure) delgations. John Levine
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ted Lemon
- Re: [DNSOP] ALT-TLD and (insecure) delgations. John R Levine
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ted Lemon
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ólafur Gudmundsson
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Jim Reid
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ralph Droms
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ray Bellis
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ted Lemon
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ólafur Gudmundsson
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ted Lemon
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Suzanne Woolf
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ray Bellis
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Suzanne Woolf
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ray Bellis
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Tony Finch
- Re: [DNSOP] ALT-TLD and (insecure) delgations. John Levine
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ray Bellis
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Woodworth, John R
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Stephane Bortzmeyer
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Stephane Bortzmeyer
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Ted Lemon
- Re: [DNSOP] ALT-TLD and (insecure) delgations. Stephane Bortzmeyer