IETF Logo Mail Archive

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

"John R Levine" <johnl@taugh.com> Tue, 18 October 2016 21:44 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 250751298AA for <dnsop@ietfa.amsl.com>; Tue, 18 Oct 2016 14:44:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=iRsQYuWQ; dkim=pass (1536-bit key) header.d=taugh.com header.b=G4lTOn2M
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jfVvs_80axG1 for <dnsop@ietfa.amsl.com>; Tue, 18 Oct 2016 14:44:31 -0700 (PDT)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39115129891 for <dnsop@ietf.org>; Tue, 18 Oct 2016 14:44:31 -0700 (PDT)
Received: (qmail 30878 invoked from network); 18 Oct 2016 21:44:30 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=789d.580697be.k1610; bh=28pvcM9qriyx+BctksHlUHRNiQX+A8P+GDaL2igtFC0=; b=iRsQYuWQAEEZ5zddBj4Z6SimzxXSx7YnLxNqZRH6rxzYlTC3WgUz83LzQCs0LAmj38UUb475NVhq8sjIASZ8B/ojNaWNnSD1StroZB061+s9i90W+r1cCUhHvvTNWiuJ61OXUex93JTdS/X3jwORR/v24e0aHNXNQn+FnDAzUw9b4cIMO0xa1nPM0JZ1wfgufiLt0GAvJEjiYqRxkVli/kgj2CtEZz4F+jgGg7Sy0KjFtnirAPbMM7TJykw6Kxpi
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=789d.580697be.k1610; bh=28pvcM9qriyx+BctksHlUHRNiQX+A8P+GDaL2igtFC0=; b=G4lTOn2MzYYSoDUJcbLG3/KOMHHj1O7gXmpLJqjOXaEHkI5m/KrvBA30cMCfL3yuFiw4c1oJDmbqUwSEdMpF0eZJHQkugw89eFElwsFi2jf2J2lGA/+W3seR+hB7GjW5o4OYwA8+jHTIVhcAKvdX8BpiXPz4jrbd5ETDfX757j56mdsRdOPNsW26gaVGyOFEh1sVb4fQuzsovppQqSfjgS5xoQC0zSQ/ej1rfN7k4m/vZp4qpwXiARRAdoQv/fMz
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.0/X.509/SHA1) via TCP6; 18 Oct 2016 21:44:30 -0000
Date: Tue, 18 Oct 2016 17:44:29 -0400
Message-ID: <alpine.OSX.2.11.1610181740070.35115@ary.qy>
From: John R Levine <johnl@taugh.com>
To: Mark Andrews <marka@isc.org>
In-Reply-To: <20161018211145.0DA0456EF21C@rock.dv.isc.org>
References: <20161018175340.26608.qmail@ary.lan> <20161018211145.0DA0456EF21C@rock.dv.isc.org>
User-Agent: Alpine 2.11 (OSX 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/zkmq-Wow_Vbgjn0KVLv_e1dqQzE>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2016 21:44:33 -0000

>> If we're going to ask people to change their software, how about
>> asking them to implement aggressive NSEC or NXDOMAIN-means-NXDOMAIN in
>> their caches?  Those deal with .local and .onion leaks at the same time
>> they do other useful stuff.
>
> No.  They slow the leaks.  They do not STOP the leaks.  They depend on
> leaks to work.

With a 24 hour TTL on the root zone, it ain't going to leak very much.

Or if you get to hack on your cache, you can just do what unbound already 
did and put in dummy stub zones, no new code needed.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

v2.31.3 | Report a Bug | By Email | System Status