IETF Logo Mail Archive

Re: [DNSOP] ALT-TLD and (insecure) delgations.

Warren Kumari <warren@kumari.net> Wed, 01 February 2017 23:47 UTC

Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7A58129625 for <dnsop@ietfa.amsl.com>; Wed, 1 Feb 2017 15:47:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mw3CG2ADUGau for <dnsop@ietfa.amsl.com>; Wed, 1 Feb 2017 15:47:22 -0800 (PST)
Received: from mail-qt0-x231.google.com (mail-qt0-x231.google.com [IPv6:2607:f8b0:400d:c0d::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5023D129623 for <dnsop@ietf.org>; Wed, 1 Feb 2017 15:47:22 -0800 (PST)
Received: by mail-qt0-x231.google.com with SMTP id w20so219159327qtb.1 for <dnsop@ietf.org>; Wed, 01 Feb 2017 15:47:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=n8NDq06KYfQNyAJXdTTw6D9d6h9xaTSt9T1ffCLey7I=; b=iNHuB6gVuAsNaKeL6t39ojEFo5dI4mOSZdJKg6YtYCibZhh5Ope5uRBtFEOSDaX/7V tKVQJGwtuHKIwUuqRbAiinwUheYwP25VFyY/XOMxjp+UUljv7GOBYSyOBL6KZDy0edH0 Jhp/8+GmD+0m6x8p3XiNn33h1UpcPZsmqUINkmnRs0wJkkoGDGOwgZp3gzPGLPA1NRxv tZmoYDhmGVj45XR7WDirwCljcesCsQtBWjnqcj2Lgftj0/mIh0ydDyxoA0m0id27Q/Uh CtLC6HKDHD+1JCQkyLKKlG9BMkiw4s3cfTxBHHYP8Xe5ixyK7w/abalXiXwObw2s0QwJ R0wQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=n8NDq06KYfQNyAJXdTTw6D9d6h9xaTSt9T1ffCLey7I=; b=YEsYij5MzevJHX/+xE24EaV/4xJQDrjiadwjGHkI83QkSV/QeiLYBcUM2ZRDNsGK+a 61VRMpkOEKKOzH/1UPKLyebqf458TfTkyZh0uspyxrsKPkM5C3vz2ZKo+itvcpst77Kf B1cGqasoR4oMNYN6hfk/2Hp+4DPJsry7jopBtkiOivviSkfUk+pbHBoVfw6gwcZrQ941 B0IA87XK8oxOBj5WMH4wPPIX8x5SBnAvszC1RNq2mKXaC0vgvOHljBRIvMgeHWYDXHTO WWWq3nasQLPISg5uyQw7mukil0d8zfEhkIXX26FGCXvM0eYjNcH1yXhZFtwpJ0mKXzTW AUrw==
X-Gm-Message-State: AMke39lXpU9g2aDzHS9X882TFYqa7YHbwTUMTHzx6nBMUDc5nMkfpnhYM6f+g8yBZpt7ANFnX5zVFmEoEtGugFL6
X-Received: by 10.55.78.67 with SMTP id c64mr5857922qkb.251.1485992841227; Wed, 01 Feb 2017 15:47:21 -0800 (PST)
MIME-Version: 1.0
Received: by 10.12.179.19 with HTTP; Wed, 1 Feb 2017 15:46:50 -0800 (PST)
In-Reply-To: <20170201204455.6nymmjlj5lzq2ect@mycre.ws>
References: <CAHw9_i+8PA3FQx8FqW-xQ_96it7k-g5UrMB7fxARUi1gwQ++hw@mail.gmail.com> <20170201204455.6nymmjlj5lzq2ect@mycre.ws>
From: Warren Kumari <warren@kumari.net>
Date: Wed, 01 Feb 2017 18:46:50 -0500
Message-ID: <CAHw9_iJ50jWgsAe+hRKUtubfAtpt7+GEeCKEASzypcf86+4nYA@mail.gmail.com>
To: Robert Edmonds <edmonds@mycre.ws>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ypQ14HrWs82FS-3nH33IboAX17E>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] ALT-TLD and (insecure) delgations.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Feb 2017 23:47:24 -0000

On Wed, Feb 1, 2017 at 3:44 PM, Robert Edmonds <edmonds@mycre.ws> wrote:
> Warren Kumari wrote:
>> The largest outstanding issue is what to do about DNSSEC -- this is
>> (potentially) a problem for any / all 6761 type names.
>> The root is signed, so if a query leaks into the DNS (as they will),
>> an (unaware) validating resolver will try resolve it, and will expect
>> either a signed answer, or proof of an insecure delegation; without
>> this things will look bogus, and so resolvers will SERVFAIL.
>>
>> Clearly, a signed answer isn't feasible, so that leaves 2 options - 1:
>> simply note that validation will fail, and that SERVFAIL will be
>> returned in many case (to me this seems "correct"), or 2: request that
>> the IANA insert an insecure delegation in the root, pointing to a:
>> AS112 or b: an empty zone on the root or c" something similar.
>
> Hi, Warren:
>
> I'm kind of confused. If a .ALT query leaks into the DNS, and there's
> neither a secure or insecure delegation in the root, isn't the result a
> signed NXDOMAIN, not a SERVFAIL?
>
>     ; <<>> DiG 9.11.0-P1 <<>> +dnssec foo.alt
>     ;; global options: +cmd
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36917
>     ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1


Yup, but if a resolver has a (empty) local zone for .alt, and someone
queries it and validates, then I think you get SERVFAIL -- the root
says .alt doesn't exist, but here you have an answer apparently from
inside the zone -- 'tis an empty / NXD answer, but still looks like
shenanigans are happening...

W


>
> --
> Robert Edmonds



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

v2.23.0 | Report a Bug | By Email