------ Original Message ------
From: "John Levine" <jo...@taugh.com>
To: "dnsop@ietf.org" <dnsop@ietf.org>
Cc: "adr...@qbik.com" <adr...@qbik.com>
Sent: 30/03/2016 2:55:22 p.m.
Subject: Re: [DNSOP] draft-adpkja-dnsop-special-names-problem-01

> Surely .onion could have been handled in the application, without
> pushing it down to the resolution layer.

> I have to say I'm startled to see that people here aren't aware that
> .onion is entirely handled in applications.

A Google search for "DNS .onion leaks" comes up with many links, many relating to reported bugs in browsers.

I think maybe browser vendors would have had a thing or two to say about the prospect of having a new list of things to monitor / maintain. The Verisign study of .onion requests hitting their root servers is also interesting, noting that .onion was the 461st most popular TLD.

https://www.verisign.com/assets/onionleakage.pdf?inc=www.verisigninc.com

So I don't know if we can truly claim that resolvers are being shielded from .onion by the applications. Maybe it's better now; it would be interesting if Symantec were to update this.


> The usual implementation
> is a modified SOCKS proxy that treats .onion names specially.

> The point of reserving .onion in the DNS is first to ensure that
> nobody allocates it as an actual DNS domain,

OK.


> and secondly to encourage
> developers to stub it out in DNS resolvers so that .onion requests
> don't leak into the DNS.  The only thing that anyone's asking DNS
> developers to do is to fail .onion requests rather than forwarding
> them along.

That's the problem. Creating new requirements for DNS developers to do anything at all is a huge problem.

People who implement RFCs are used to being able to do the implementation, achieve compliance, and then do nothing, safe in the knowledge that future changes would be optional or backward compatible. This fundamental principle was broken in RFC 6761.

Having said that, I wish there were a way to resolve both (or either) IPv4 and IPv6 addresses for a name with a single DNS query (e.g. a "give me any version address" query), rather than having to make two lookups and fail over, etc. It would basically halve the amount of DNS traffic on the network and resolve a lot of pathological cases.

Cheers

Adrien



> R's,
> John
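The thread argues about where .onion should be stopped: in the application (the SOCKS proxy path John describes) or in the resolver (the "fail it rather than forward it" requirement that Adrien objects to). The block below is an added example written for this page; it is not code from the thread, from Tor, or from any resolver. It shows both halves in one place: a resolver-side hook that parses the QNAME of a DNS query and synthesizes an NXDOMAIN for .onion instead of forwarding (the behaviour RFC 7686 asks of resolvers and caches), and the application-side alternative, a SOCKS5 CONNECT request using the domain-name address type (ATYP 0x03) so the client never resolves the name at all. All names (`SPECIAL_USE_BLOCKED`, `filter_query`, the sample `forward` callback) and the constructed query bytes are the example's own assumptions, not anything the thread specifies.

```python
"""Added example (not from the DNSOP thread or any real resolver):
resolver-side NXDOMAIN synthesis for .onion and application-side
SOCKS5 "domain name" addressing that keeps .onion out of DNS."""
import struct

# Names a resolver should refuse locally. RFC 7686 reserves .onion; other
# RFC 6761 special-use names could be added here (assumption for the example).
SPECIAL_USE_BLOCKED = ("onion",)


def parse_qname(msg, offset=12):
    """Decode the (uncompressed) QNAME starting at `offset`.

    Returns (labels_lowercased, offset_after_terminating_zero). The question
    section of a query never uses compression, so a pointer is rejected."""
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        offset += 1
        if length == 0:
            return labels, offset
        labels.append(msg[offset:offset + length].decode("ascii").lower())
        offset += length


def is_blocked(labels):
    """True when the rightmost label is a special-use TLD we refuse to forward."""
    return bool(labels) and labels[-1] in SPECIAL_USE_BLOCKED


def build_query(name, qtype=1, txid=0x1234):
    """Construct a minimal DNS query (RD=1, one question) for testing."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def nxdomain_response(query):
    """Synthesize a response to `query`: same ID, QR=1, RD echoed, RA=1,
    RCODE=3 (NXDOMAIN), question copied, no answer records."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    _, qend = parse_qname(query)
    question = query[12:qend + 4]          # QNAME + QTYPE + QCLASS
    rflags = 0x8000 | (flags & 0x0100) | 0x0080 | 3
    return struct.pack("!HHHHHH", txid, rflags, qdcount, 0, 0, 0) + question


def filter_query(query, forward):
    """Resolver hook. Returns (response_bytes, forwarded_flag).

    .onion is answered locally with NXDOMAIN; everything else is handed to
    `forward`, a callable standing in for the normal upstream path."""
    labels, _ = parse_qname(query)
    if is_blocked(labels):
        return nxdomain_response(query), False
    return forward(query), True


def socks5_connect_request(host, port):
    """SOCKS5 CONNECT (RFC 1928) with ATYP=0x03 (domain name): the hostname
    is sent to the proxy verbatim, so the application performs no DNS lookup
    and a .onion name never reaches a resolver."""
    h = host.encode("ascii")
    if not 0 < len(h) <= 255:
        raise ValueError("hostname length must be 1..255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(h)]) + h + struct.pack("!H", port)


if __name__ == "__main__":
    upstream = lambda q: b"<forwarded upstream>"   # stand-in for the real path
    for name in ("abcdefghijklmnop.onion", "example.com"):
        resp, forwarded = filter_query(build_query(name), upstream)
        print(name, "forwarded" if forwarded else "NXDOMAIN locally", resp[:4].hex())
    print(socks5_connect_request("abcdefghijklmnop.onion", 80).hex())
```

The resolver hook is the part Adrien objects to having to write: a few lines, but a new normative requirement on software that was previously done. The SOCKS5 request is the application-side path; a client that instead resolves the hostname itself and then sends ATYP 0x01 (IPv4) is exactly the kind of browser bug that produces the root-server leakage Verisign measured.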

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
