IETF Logo Mail Archive

Re: [DNSOP] Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard

Alec Muffett <alecm@fb.com> Mon, 10 August 2015 19:25 UTC

Return-Path: <prvs=5664d36374=alecm@fb.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A724C1B2A59; Mon, 10 Aug 2015 12:25:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.366
X-Spam-Level:
X-Spam-Status: No, score=-2.366 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yovQkC8gyJqQ; Mon, 10 Aug 2015 12:25:49 -0700 (PDT)
Received: from mx0a-00082601.pphosted.com (mx0b-00082601.pphosted.com [67.231.153.30]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E96541B2A5E; Mon, 10 Aug 2015 12:25:48 -0700 (PDT)
Received: from pps.filterd (m0004003 [127.0.0.1]) by mx0b-00082601.pphosted.com (8.14.5/8.14.5) with SMTP id t7AJODVU020255; Mon, 10 Aug 2015 12:25:26 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fb.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=facebook; bh=gty0xDjtZrSii16O6/VEVcsEXUbHZawMMXRsR2JKIQU=; b=bi9kEC21YgzTRVNC3SgGTjhl6ny7v69q6uyQodLdqGb01Pd+E+iG/zEWMlC8EoZp9ywA b+M6lRcObOW5++B5J0cfHLi4B6eC0+RLRbLRPl+3WAGje1ckiUrYpjslBDLwOA5VJaTV biglNfU5KC+MnGVrXb01ka6hDcHoX5lB89Q=
Received: from mail.thefacebook.com ([199.201.64.23]) by mx0b-00082601.pphosted.com with ESMTP id 1w70h18f56-1 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Mon, 10 Aug 2015 12:25:25 -0700
Received: from PRN-MBX02-4.TheFacebook.com ([169.254.2.114]) by PRN-CHUB13.TheFacebook.com ([fe80::8c35:7ba8:bb32:ee09%12]) with mapi id 14.03.0195.001; Mon, 10 Aug 2015 12:25:24 -0700
From: Alec Muffett <alecm@fb.com>
To: Ted Hardie <ted.ietf@gmail.com>
Subject: Re: [DNSOP] Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard
Thread-Topic: [DNSOP] Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard
Thread-Index: AQHQvmrojAhJLnn8xU++NMtyLYg/4p4BKKEAgAAK5gCAAA/pgIABQ5uAgAOK6QCAABSIgIAACqmAgAAL9wA=
Date: Mon, 10 Aug 2015 19:25:23 +0000
Message-ID: <8D7DDDFF-BC2E-4A98-ADDB-A72D2C6A796E@fb.com>
References: <20150714192438.1138.96059.idtracker@ietfa.amsl.com> <D1EA295A.DFA3%edward.lewis@icann.org> <55C4C0DA.8070502@w3.org> <D1EA43FA.DFB8%edward.lewis@icann.org> <554DA9E5-2071-48A2-8AC8-DD07DE3B2BB0@fb.com> <CA+9kkMAcW_g28qAZ8SKbqefZfdDxzdM7=0D_of7f_qLm08d3wA@mail.gmail.com> <CD2ABBDD-F9CA-4A27-A0B6-3CDD37DB1AB4@fb.com> <CA+9kkMAmuXuLpsHVm8PeFQ5V+48mdd06=u=L+gKPqGVQSh-FFg@mail.gmail.com>
In-Reply-To: <CA+9kkMAmuXuLpsHVm8PeFQ5V+48mdd06=u=L+gKPqGVQSh-FFg@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [192.168.52.123]
Content-Type: multipart/signed; boundary="Apple-Mail=_1AA2B570-3904-4031-BAD9-08C72A6FFCF1"; protocol="application/pgp-signature"; micalg="pgp-sha512"
MIME-Version: 1.0
X-Proofpoint-Spam-Reason: safe
X-FB-Internal: Safe
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.14.151, 1.0.33, 0.0.0000 definitions=2015-08-10_03:2015-08-10,2015-08-10,1970-01-01 signatures=0
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/ePhjn1TB0tHxrf8YA1CfAss63ls>
Cc: Edward Lewis <edward.lewis@icann.org>, Mark Nottingham <mnot@mnot.net>, "dnsop@ietf.org" <dnsop@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, Richard Barnes <rlb@ipv.sx>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Aug 2015 19:25:54 -0000

Hi again, Ted!


> On Aug 10, 2015, at 11:42 AM, Ted Hardie <ted.ietf@gmail.com> wrote:
> […]
> ​I think the Internet community needs to understand that a reservation in the encompassing name space means that no gTLD with the same string will be permitted in the DNS and understand who has the right specify the process by which the names within .onion are minted and assigned.

I would agree, in fact I feel this was strongly thrashed-out in discussion of the draft.

> 
>>> A scan of section 3.2.2 of RFC3986 “Uniform Resource Identifier (URI): Generic Syntax”
>>> […]
>>> This specification does not mandate a particular registered name lookup technology and therefore does not restrict the syntax of reg-name beyond what is necessary for interoperability.
> 

> ​This is a little bit more complicated than the above suggests, because a specific URI scheme can describe in detail which elements of RFC3986 syntax are expected within it.  See, for example, RFC 6068, Section 2 <https://urldefense.proofpoint.com/v1/url?u=http://tools.ietf.org/html/rfc6068%23page-3&k=ZVNjlDMF0FElm4dQtryO4A%3D%3D%0A&r=PKCvk5ihsZdnlobuFIuhTw%3D%3D%0A&m=oCCVXQHML7Wu9tLutu8gi0yjQy%2FYshsl6QPZDObXbt0%3D%0A&s=169bbca645c89ea6cb6b8e1f492f00233288a5afea42e886b71051a7e31cdb61> for the syntax of the mailto: URI (which is fundamentally different from URI schemes which use path elements in the way HTTP does). RFC 7595 <https://urldefense.proofpoint.com/v1/url?u=https://tools.ietf.org/html/rfc7595&k=ZVNjlDMF0FElm4dQtryO4A%3D%3D%0A&r=PKCvk5ihsZdnlobuFIuhTw%3D%3D%0A&m=oCCVXQHML7Wu9tLutu8gi0yjQy%2FYshsl6QPZDObXbt0%3D%0A&s=2902ce28be4aa8782a28349946b7aeba381329ac17f118c226111a2f7de618d1> has some additional detail in the context of registrations.

Some Googling suggests that the http:// scheme is defined in RFC 2616, which - to summarise - again does not mandate DNS.

- Section 3.2.2 defines the host-name part in abstract regards TCP connections:
>identified resource is located at the server listening for TCP connections on that port of that host
- Section 3.2.3 discusses string comparisons

- Section 15.3 discusses DNS spoofing and DNS caching, which is inapplicable

- Sections 5.2 and 14.23 discuss the Host header, the latter most specifically:
The Host field value MUST represent the naming authority of the origin server or gateway given by the original URL.
…again without reference to DNS.  Since the use of an Onion in a Host header would reflect the origin, I think this works.

So, by this analysis I think Onions in http (and by extension https) are fine.

Not to mention, appropriate. :-)

> In this case, I believe .onion names that intend to be carried in URI slots that would also carry non-.onion names will either have to confirm that the URI's scheme-specific part permits it or update the syntax to do so.

Exactly.  I believe that they do.

> ​I believe that it would be valuable to check the proposed syntax against the individual schemes' scheme-specific-parts as part of the deliberations.

Where else would you suggest looking, please?

    -a

—
Alec Muffett
Security Infrastructure
Facebook Engineering
London

v2.23.0 | Report a Bug | By Email