IETF Logo Mail Archive

Re: Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard

Alec Muffett <alecm@fb.com> Tue, 11 August 2015 22:59 UTC

Return-Path: <prvs=5665a76676=alecm@fb.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5AB0D1A1E0E for <ietf@ietfa.amsl.com>; Tue, 11 Aug 2015 15:59:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.366
X-Spam-Level:
X-Spam-Status: No, score=-2.366 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cfsCWUeTqSC9 for <ietf@ietfa.amsl.com>; Tue, 11 Aug 2015 15:59:47 -0700 (PDT)
Received: from mx0a-00082601.pphosted.com (mx0b-00082601.pphosted.com [67.231.153.30]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C72241A1A8D for <ietf@ietf.org>; Tue, 11 Aug 2015 15:59:46 -0700 (PDT)
Received: from pps.filterd (m0004003 [127.0.0.1]) by mx0b-00082601.pphosted.com (8.14.5/8.14.5) with SMTP id t7BMxOHJ021317; Tue, 11 Aug 2015 15:59:41 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fb.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=facebook; bh=gbJfvdCW14ChKERFJpgkB4bAASbL1KhipMZpvflGTSU=; b=nJynSpuJJFZfQBphbJ9wLA6MuVtY2gGI+Fv9Xmx6ys17jViOB5YF/XPrF56xN9vz76Sb YYM4L5+sJc6EnzJxtn2t1RQ7rfj2d3y829R2PSKF4lV2zGUfg3QAFIoxIVFF8PehJvE0 nl7F8CPWop9YWqae8QWMRLSbUlhcQTIwzI4=
Received: from mail.thefacebook.com ([199.201.64.23]) by mx0b-00082601.pphosted.com with ESMTP id 1w7snn05m7-1 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Tue, 11 Aug 2015 15:59:41 -0700
Received: from PRN-MBX02-4.TheFacebook.com ([169.254.2.114]) by PRN-CHUB11.TheFacebook.com ([fe80::80d:37ff:4b6a:a4fc%12]) with mapi id 14.03.0195.001; Tue, 11 Aug 2015 15:59:39 -0700
From: Alec Muffett <alecm@fb.com>
To: Peter Koch <pk@DENIC.DE>
Subject: Re: Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard
Thread-Topic: Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard
Thread-Index: AQHQ1Hs3RjvWibFSx02Yb/KcU/cg4p4H3y4A
Date: Tue, 11 Aug 2015 22:59:38 +0000
Message-ID: <46616F08-3CD4-448E-8638-95CFDA1C6D0F@fb.com>
References: <20150714192438.1138.96059.idtracker@ietfa.amsl.com> <20150811211733.GG23964@x28.adm.denic.de>
In-Reply-To: <20150811211733.GG23964@x28.adm.denic.de>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [192.168.52.123]
Content-Type: multipart/signed; boundary="Apple-Mail=_76547F4D-2610-437E-9390-7C5007789C9B"; protocol="application/pgp-signature"; micalg="pgp-sha512"
MIME-Version: 1.0
X-Proofpoint-Spam-Reason: safe
X-FB-Internal: Safe
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.14.151, 1.0.33, 0.0.0000 definitions=2015-08-12_01:2015-08-11,2015-08-11,1970-01-01 signatures=0
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/U7CZpTN_N0TeWUuwX9x_aw0UobA>
Cc: Mark Nottingham <mnot@mnot.net>, "ietf@ietf.org" <ietf@ietf.org>, Jacob Appelbaum <jacob@appelbaum.net>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2015 22:59:49 -0000

Hi Peter,

> I object to the publication of the above draft as Proposed Standard.
> The intended registration is incompatible with the registration policy
> laid out in RFC 6761 and is likely to create a false sense of security.

To deal with the latter, first:

The intended registration is not, and nowhere intends, to create any sense of security at all, let alone a false one.

The intended registration is meant as an enabler for the existing and ongoing population of onion space, and to enable the broad adoption of SSL certificates within that space.

It would be a broad and implausible assertion that SSL Certificates and HTTPS does not provide security for users of Web (and other) protocols, but to argue that the registration of “.onion” as a special use domain name would be equal to making the argument that the existence of “.com” as a registered TLD somehow engenders a false sense of security.

This latter point is arguable, I suppose, but the false sense of security engendered there would reside in DNS and not in the fact of registration.  :-)

> It is unclear what path is suggested by the IESG since the draft, other than
> RFC 6762 for the "local." TLD, does not contain a protocol specification.

The Tor protocol is controlled by Tor, and is apt to change; there is enough description there to explain how onion addresses are mechanically generated, but to tie the registration RFC to a specific implementation/version seemed unwise.


> It is my reading that any protocol eligible for a registration in the "Special
> Names" registry has to be an IETF Standards Track protocol - the grandfathered
> entries in that very registry nonwithstanding.  Any deliberations w.r.t. the
> Tor protocol are missing from the above draft and the Last Call message.

We are not seeking to register the protocol.  We are seeking to register a namespace that the protocol uses.


> The "Special Names" registry does not offer any means to convey any particular
> behaviour, let alone differences between various reserved names.  It is more
> than brave to expect that non-supporting implementations would be able (or
> willing) to follow the SHOULDs in the first quoted block.


The advice received from IANA last night as part of the last call, suggests this:


>> However, one reviewer added the following:
>> 
>> "My comment would be there is nothing in the IANA considerations regarding how IANA manages the root zone, although immediately prior it says:
>> 
>> "'DNS Registries/Registrars: Registrars MUST NOT register .onion names; all such requests MUST be denied.'
>> 
>> "I believe 'register' in this context is not sufficiently clear. Perhaps 'delegate' is intended? For example, normally for a reserved name IANA would keep a record in the root zone database to acknowledge this, but this could appear to prohibit keeping a record for this purpose. Further, my understanding is part of the reason for this whole I-D is to all SSL certificate vendors (which are often DNS registries/registrars) to allow registration of SSL certificates for .onion names. I would say a plain reading of this may prohibit that. I would suggest there be an explicit additional category that makes it clear it expects service providers, such as trust providers, for to support .onion domains in such applications."


…so this suggestion - which myself and Jacob Appelbaum (the authors) warmly wish to adopt - would lead to “.onion” being reserved and not delegated, but also clearly documented as a space in which SSL certificates are to be issued.  I think that would aid the goals we’ve sought to describe in the draft.


> It remains to be specified how these "generated" responses would interact
> with DNSSEC validation.  Again, it is unclear how agnostic (as of today)
> recursive resolvers would learn about the new name and apply specific behaviour to it.

I think the IANA proposition would mean that DNSSEC would cease to be an issue, but perhaps you would like to suggest some alternative wording for us to consider?


> The draft does not explain why it asks for a "special name" at the top level.
> Neither the draft nor the Last Call document or envision any coordination
> with the responsible body as per the MoU RFC 2860.


I believe that that was dealt with extensively in DNSOP.  Mark?


    -a


—
Alec Muffett
Security Infrastructure
Facebook Engineering
London

v2.23.0 | Report a Bug | By Email