Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

"John Levine" <johnl@taugh.com> Tue, 18 October 2016 17:54 UTC

Date: Tue, 18 Oct 2016 17:53:40 -0000
Message-ID: <20161018175340.26608.qmail@ary.lan>
From: John Levine <johnl@taugh.com>
To: dnsop@ietf.org
In-Reply-To: <CA+nkc8ASvjQkSqqGQuRSnuxZy=TC3LBf+8EyTtM+VkOCWeY-ww@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/zJwfYNWplSX2oSa1ZubUESq1jUI>
Cc: rharolde@umich.edu
Subject: Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

>I would think that the best approach might be:
>- insecure delegation to 127.x.x.x, so that queries do not leak past the
>host of the local resolver.  This is the best we can do for the CPE
>equipment and other resolvers that will not be updated until they are
>replaced.
>- add .local to resolvers that do update, so they don't bother trying to
>query 127.x.x.x
>- local root is still an option, and reduces queries to the root even more.

If we're going to ask people to change their software, how about
asking them to implement aggressive NSEC or NXDOMAIN-means-NXDOMAIN in
their caches?  Those deal with .local and .onion leaks at the same time
they do other useful stuff.

I still see this proposal as a distraction from other more general proposals.

R's,
John
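To make the cache-side mechanism John refers to concrete, here is an added example (not from this thread, and not any resolver's actual code) of how a cache can answer .local and .onion queries itself using aggressive NSEC use (RFC 8198) and NXDOMAIN cut (RFC 8020), so nothing is sent to the root. The NSEC records and query names are constructed for the example and are not the real root zone chain.

```python
from dataclasses import dataclass

def canonical_key(name: str) -> list:
    """RFC 4034 s6.1 canonical ordering: labels right-to-left, lowercased,
    compared as bytes. Python list/bytes comparison gives that order, and a
    parent name (shorter list) sorts before all of its children."""
    return [l.lower().encode() for l in reversed(name.strip(".").split(".")) if l]

@dataclass(frozen=True)
class Nsec:
    owner: str      # owner name of the NSEC record
    next_name: str  # its "next domain name" field

def covers(rec: Nsec, key: list) -> bool:
    """True if rec proves that the name with canonical key `key` does not exist."""
    o, n = canonical_key(rec.owner), canonical_key(rec.next_name)
    if n <= o:                 # last NSEC in the chain wraps around to the apex
        return key > o
    return o < key < n

def closest_encloser(rec: Nsec, key: list) -> list:
    """Longest ancestor of the query name shared with either NSEC name."""
    best = []
    for cand in (canonical_key(rec.owner), canonical_key(rec.next_name)):
        i = 0
        while i < min(len(key), len(cand)) and key[i] == cand[i]:
            i += 1
        if i > len(best):
            best = key[:i]
    return best

class Cache:
    """Toy negative cache: validated NSEC records plus cached NXDOMAIN names."""
    def __init__(self):
        self.nsec = set()       # Nsec records learned from the zone (e.g. the root)
        self.nxdomain = set()   # names already answered NXDOMAIN

    def synthesize_nxdomain(self, qname: str) -> bool:
        key = canonical_key(qname)
        # RFC 8020: NXDOMAIN for an ancestor implies NXDOMAIN for every descendant
        # (label-boundary aware: "local." does not cover "localhost.").
        if any(key[:len(a)] == a for a in map(canonical_key, self.nxdomain)):
            return True
        # RFC 8198: need an NSEC covering qname AND one covering the wildcard at
        # the closest encloser (*.<encloser>), otherwise a wildcard could match.
        for rec in self.nsec:
            if covers(rec, key):
                wild = closest_encloser(rec, key) + [b"*"]
                if any(covers(r, wild) for r in self.nsec):
                    return True
        return False              # no proof cached: the query must go upstream
```
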