Christian,

> On Jan 6, 2015, at 12:47 AM, Christian Grothoff <christ...@grothoff.org> wrote:
>> The DNS implementation of the singular hierarchical domain name namespace
>> does not preclude the use of any portion of that namespace outside of the
>> DNS (for example, see nsswitch).
>
> Well, I believe that while you are technically right, an nsswitch plugin
> hijacking ".com" today to do something very different from DNS resolution
> is typically not merely bad design, but most likely malware.
I meant to provide nsswitch as one (generic) example of a way to implement a
portion of the domain name namespace outside of the DNS. It obviously is not
the only means -- /etc/hosts would be another (less generic) example.

> This is what we mean by usability: we need to satisfy users'
> expectations, and just grabbing some TLD that ICANN has already
> allocated is likely to cause usability problems by confusing users.

I understand, and that is, I believe, what RFC 6761 was trying to facilitate.
The question isn't whether grabbing some TLD is a good idea (it isn't) but
rather whether a TLD is actually necessary. So far, as far as I've seen, the
only concrete justification you've provided appears to be that a TLD (as
opposed to a second-level name in a sub-tree dedicated to non-DNS domain
names) means fewer characters to type. I'd note that in the case of TOR,
something like T.ALT or O.ALT would be the same number of characters as
.ONION.

> Correctly configured installations of the P2P name
> systems must never contact DNS servers about these pTLDs.

It might be worthwhile stating this explicitly, as in: "Installations of the
P2P name systems MUST NOT contact DNS servers about these pTLDs.", perhaps
adding that exposure to the DNS of these P2P names would constitute a
potential privacy/security risk. However, as I understand it, this wouldn't
appear to apply to GNS and Namecoin ("GNS and Namecoin domains MAY use [the
DNS tree hierarchy], as they return DNS-compatible results; ..."), so I
presume I'm misunderstanding something -- apologies for not having time to
delve into the details of how those systems actually work (that's on my list
of things to do).

> Yes, except thinking about it 'cannot ... administratively' also has not
> exactly the right ring to it. I'll change it to:
>
> "Names within pTLDs are not allocated by some designated administration"
> would be more precise.

That's clearer, at least to me.
> However, if say the socks proxy is "off", or the NSS is misconfigured,
> then the requests may unintentionally be leaked to DNS.

OK. My concern was that I had somehow inferred that a potential algorithm for
transition to a P2P system was:

  get domain name
  query DNS for domain name
  if response is NXDOMAIN then
    query P2P system for domain name
    P2P domain name handling
  else
    DNS domain name handling
  endif

(which would obviously be bad)

Perhaps in section 2, around (or replacing) the third bullet starting on
page 3, you could say something along the lines of:

"o When a pTLD protocol has been implemented, existing software libraries and
APIs MUST intercept queries intended for the DNS and MUST NOT extend regular
DNS operation to ensure P2P names cannot leak into the DNS."

>> "A pTLD is mentioned in capitals, and within double quotes to mark
>> the difference with a regular DNS gTLD."
>>
>> Presumably you mean "TLD" not "gTLD" as "gTLD" is a specific type of
>> top-level domain (generic as opposed to country code (ccTLD)).
>
> Well, we don't have ccTLDs in the text, and in my view "TLD" includes
> "gTLD", "ccTLD" and "pTLD".

Right, the nit I was picking was that there was no need to specify the type
of DNS TLD.

Regards,
-drc
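The leak the message above worries about (ask DNS first, fall back to the P2P system on NXDOMAIN) is easy to see in code. The following is an added illustration by the editor, not code from the draft, from Tor/GNS/Namecoin, or from either correspondent. The `RecordingDNS` stand-in, the zone data, the `.onion` name and the pseudo-TLD suffix set are all constructed for the example and nothing here talks to a real resolver; the point is only to show which names reach the DNS backend under each dispatch order, and that interception has to normalise case and the trailing root dot before matching the suffix.

```python
"""Leaky vs. intercepting dispatch for pseudo-TLD names (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Pseudo-TLDs associated with the P2P systems in the thread. This set is an
# assumption made for the example, not a registry of any kind.
P2P_SUFFIXES = frozenset({"onion", "gnu", "zkey", "bit", "exit", "i2p"})

P2PLookup = Callable[[str], Optional[str]]


@dataclass
class RecordingDNS:
    """Stand-in (constructed) for a stub resolver. It records every query it is
    asked to send; in the leaky design these are the names that would go out on
    the wire to real DNS servers."""
    zone: Dict[str, str]
    queries: List[str] = field(default_factory=list)

    def lookup(self, name: str) -> Optional[str]:
        self.queries.append(name)
        return self.zone.get(canonical(name))  # None models NXDOMAIN


def canonical(name: str) -> str:
    """Lower-case and strip the trailing root dot so 'Foo.ONION.' and
    'foo.onion' dispatch identically. Matching the raw string is a common
    interception bug that leaks the oddly-cased variants."""
    return name.rstrip(".").lower()


def is_p2p_name(name: str) -> bool:
    """True when the rightmost label is one of the pseudo-TLDs."""
    return canonical(name).split(".")[-1] in P2P_SUFFIXES


def resolve_leaky(name: str, dns: RecordingDNS, p2p: P2PLookup) -> Optional[str]:
    """The transition algorithm inferred in the message: ask DNS first and fall
    back to the P2P system on NXDOMAIN. Every P2P name is sent to DNS."""
    answer = dns.lookup(name)
    if answer is None:
        return p2p(canonical(name))
    return answer


def resolve_intercepting(name: str, dns: RecordingDNS, p2p: P2PLookup) -> Optional[str]:
    """Dispatch on the pseudo-TLD before DNS is consulted at all. An unknown or
    unreachable P2P name fails closed (None) instead of falling through to DNS."""
    if is_p2p_name(name):
        return p2p(canonical(name))
    return dns.lookup(name)


def demo() -> dict:
    """Run both dispatchers over the same names and report what reached DNS."""
    zone = {"example.com": "192.0.2.1"}                     # constructed DNS data
    p2p_table = {"exampleservice.onion": "p2p:onion-service"}  # constructed P2P data
    p2p: P2PLookup = lambda n: p2p_table.get(n)
    lookups = ["example.com", "exampleservice.onion", "Unknown.ONION."]

    results = {}
    for label, fn in (("leaky", resolve_leaky), ("intercepting", resolve_intercepting)):
        dns = RecordingDNS(zone)
        answers = [fn(n, dns, p2p) for n in lookups]
        leaked = [q for q in dns.queries if is_p2p_name(q)]
        results[label] = {"answers": answers, "leaked_to_dns": leaked}
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label:13s} answers={r['answers']} leaked_to_dns={r['leaked_to_dns']}")
```

Both dispatchers return the same answers for these inputs; the difference is only visible in the DNS backend's query log, which is exactly why the leak is easy to miss in testing and why the draft text should make "MUST NOT contact DNS servers" an explicit requirement rather than an expectation of correct configuration.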
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop