On Fri, Oct 14, 2016 at 10:04 AM, Paul Wouters <p...@nohats.ca> wrote: > On Fri, 14 Oct 2016, Stephane Bortzmeyer wrote: > >> draft-bortzmeyer-dname-root >> >> <https://datatracker.ietf.org/doc/draft-bortzmeyer-dname-root/?include_text=1>, >> which proposes to "sink" special-use TLD (may be you've heard of RFC >> 6761 "special use domain names"?) using AS 112, will expire soon. From >> the discussions, the two biggest issues were the "governance" >> difficulties (adding DNAME records in the root...) and the privacy >> issues (sending .local requests to random AS 112 operators). >> >> It seems there is not enough interest for this work, so I was thinking >> of just documenting the current state of the discussion, in case other >> people rediscover the problem. May be an individual RFC? > > > This is tricky. We want DNS resolvers to not send these onto the > internet. But by adding delegations in the root to AS112, aren't > we making it more likely that the queries leak further onto the net?
So, back in ~Feb 2014 we had very similar discussion about ALT-TLD, AS112 delegations and DNAME. Initially the ALT-TLD document (https://datatracker.ietf.org/doc/draft-ietf-dnsop-alt-tld/) had .alt being delegated to "new style" AS112 nameservers, but Joe Abley pointed out that this would be a lame delegation. We also discussed using DNAME, but the general view seemed to be that getting this deployed in the root would be an uphill battle; much of this discussion was happening during the new gTLDs process , "the variants problem", bundling, etc. There is also a big difference between "reserving" something and actually getting it delegated, even for a "null" answer. The consensus seemed the be that adding things like .alt to the RFC6303 ( "Locally Served DNS Zones") registry was sufficient. I think that the consensus was correct -- RFC6303 zones come baked into most authoritative resolver packages, and the time to upgrade the majority of "served users" isn't that long (especially if you get this into the registry shortly before a large CVE :-P). Anything which isn't caught by Locally Served Zones simply flows upwards till it hits the root -- which is already handling this garbage anyway... So, back to Stephane's original question -- I think that documenting the current state is useful, or we will have this discussion all over again in a few months.... Below is the .ALT IANA considerations, and extracts of the 6761 "questions": 4. IANA Considerations The IANA is requested to add the ALT string to the "Special-Use Domain Name" registry ([RFC6761], and reference this document. In addition, the "Locally Served DNS Zones" ([RFC6303]) registry should be updated to reference this document. 4.1. Domain Name Reservation Considerations This section is to satisfy the requirement in Section 5 of RFC6761. [SNIP] 4. Caching DNS servers SHOULD recognize these names as special and SHOULD NOT, by default, attempt to look up NS records for them, or otherwise query authoritative DNS servers in an attempt to resolve these names. Instead, caching DNS servers SHOULD generate immediate negative responses for all such queries. 5. Authoritative DNS servers SHOULD recognize these names as special and SHOULD, by default, generate immediate negative responses for all such queries, unless explicitly configured by the administrator to give positive answers for private-address reverse-mapping names. 6. DNS server operators SHOULD be aware that queries for names ending in .alt are not DNS names, and were leaked into the DNS context (for example, by a missing browser plugin). This information may be useful for support or debugging purposes. > > Paul > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
