Re: [homenet] On the TLD question and validatably-insecure delegation

Mark Andrews <marka@isc.org> Wed, 16 November 2016 06:30 UTC

To: Andrew Sullivan <ajs@anvilwalrusden.com>
From: Mark Andrews <marka@isc.org>
References: <20161116054604.GB55057@mx2.yitter.info>
In-reply-to: Your message of "Wed, 16 Nov 2016 00:46:05 -0500." <20161116054604.GB55057@mx2.yitter.info>
Date: Wed, 16 Nov 2016 17:30:43 +1100
Message-Id: <20161116063043.0CD6C5A467BC@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/WgqcVdr32mlC45EXyY1euLEjfbA>
Cc: homenet@ietf.org
Subject: Re: [homenet] On the TLD question and validatably-insecure delegation

In message <20161116054604.GB55057@mx2.yitter.info>, Andrew Sullivan writes:
> Hi,
> 
> Mark Andrews's point about a DNSSEC insecure delegation today was not
> I think fully appreciated.
> 
> In order to create a top-most label in the domain name that can be
> used this way and that has the necessary properties, we cannot simply
> instruct IANA to do it.  That is in fact creating a delegation in the
> root zone of the DNS.  I believe that RFC 2860 (the MoU between the
> IETF and ICANN) does allow us to create special-use domain names at
> the top-most level.  But I do not believe it allows us to create
> special-use domain names at the top-most level _in the DNS_, because
> that is control of the root zone and it is unambiguously the province
> of ICANN.
>
> Therefore, if the WG decides to use a top-level label for these
> purposes, we have to apply to ICANN to get it delegated from the root
> in a provably insecure fashion.  Interestingly, ICANN actually has a
> policy that it won't delegate things from the root any more that are
> _not_ DNSSEC signed, and the whole point here is in fact to add an
> entry that is contrary to that policy, so getting such a delegation
> would require ICANN to change its policies before it could happen.

I suspect this is a mischaracterization of the policy.  GTLD
delegations are so constrained.  This is not a GTLD delegation.

New country code delegations are not so constrained.

We are not asking them to delegate away from the roots.

root zone:
HOMENET. NS A.ROOT-SERVERS.NET.
...
HOMENET. NS M.ROOT-SERVERS.NET.

homenet zone:
HOMENET. SOA a.root-servers.net. nstld.verisign-grs.com. 1 1800 900 604800 86400
HOMENET. NS A.ROOT-SERVERS.NET.
...
HOMENET. NS M.ROOT-SERVERS.NET.

B.T.W. this should also be done for .ONION and .LOCAL if we want
local DNS resolvers to intercept these queries.  DNSSEC keeps
getting forgotten.  The only reason people aren't screaming
is that there are very few validating clients and both
.ONION and .LOCAL don't use the DNS.  SERVFAIL is nearly as
good as NXDOMAIN for these use cases.

HOMENET uses the DNS.  If one can get a trust anchor for HOMENET
installed in every validator there shouldn't be any queries for
HOMENET/DS.

> That is an important practical fact that ought to be taken into
> consideration when deciding what kind of label to use.
> 
> Best regards,
> 
> A
> 
> -- 
> Andrew Sullivan
> ajs@anvilwalrusden.com
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
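
Added illustration, not part of the original message or of any resolver's code: a sketch of how a validating resolver classifies a top-level label from the root's answer to a DS query, and why a locally intercepted answer is only accepted when the delegation is provably insecure. The type names, the `classify` and `local_answer_accepted` helpers and the sample records are hypothetical and constructed; RRSIG verification is reduced to a boolean and only single-label names are handled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Nsec:
    owner: str            # top-level label, e.g. "homenet"
    next_name: str        # next label in the root's NSEC chain ("" = wraps to the apex)
    types: frozenset      # type bitmap at the owner name
    sig_ok: bool          # assumed outcome of checking the RRSIG against the root DNSKEY

@dataclass(frozen=True)
class DsAnswer:
    ds: tuple             # DS RRset returned by the parent (empty if none)
    ds_sig_ok: bool
    nsec: Optional[Nsec]  # denial-of-existence record, if any

def classify(label: str, ans: DsAnswer) -> str:
    """Status a validator assigns to answers under a top-level label."""
    label = label.lower()
    if ans.ds:
        # A signed DS continues the chain of trust into the child zone.
        return "secure" if ans.ds_sig_ok else "bogus"
    n = ans.nsec
    if n is None or not n.sig_ok:
        return "bogus"    # no authenticated proof that DS is absent
    owner, nxt = n.owner.lower(), n.next_name.lower()
    if owner == label:
        # Delegation exists: NS present, DS and SOA absent in the parent-side bitmap.
        if "NS" in n.types and not ({"DS", "SOA"} & n.types):
            return "insecure"
        return "bogus"
    if owner < label and (nxt == "" or label < nxt):
        return "nonexistent"   # NSEC covers the label: the root proves no such TLD
    return "bogus"

def local_answer_accepted(label: str, ans: DsAnswer) -> bool:
    """An unsigned answer from a local resolver passes only under an insecure delegation."""
    return classify(label, ans) == "insecure"

# Constructed sample answers from the root (not captured data).
BITMAP = frozenset({"NS", "RRSIG", "NSEC"})
DELEGATED_UNSIGNED = DsAnswer((), False, Nsec("homenet", "homes", BITMAP, True))
NOT_DELEGATED = DsAnswer((), False, Nsec("homegoods", "homes", BITMAP, True))
PROOF_STRIPPED = DsAnswer((), False, None)
SIGNED_CHILD = DsAnswer(("ds-placeholder",), True, None)
```
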