On 8/23/2019 2:18 PM, Warren Kumari wrote:
> [ No hats!]
>
> On Sun, Aug 18, 2019 at 2:29 PM John Levine <jo...@taugh.com> wrote:
>>> So it would be helpful to know if you think the recommendations are in fact
>>> reasonable.
>> I think they're reasonable but I would more clearly distinguish cases
>> by where the protocol switch is, where I think these are the
>> interesting ones:
>>
>> 1. Names handled totally unlike the DNS with nothing like an IP address
>> (.onion)
>>
>> 2. Names handled through mutant DNS which can return IP addresses (.local,
>> .localhost, .homenet/.home.arpa)
>>
>> 3. Names that have other problems such as conflicting prior use (.test,
>> .example, .invalid, also .home, .belkin)
>>
>> For 1, we can reserve it if there's a compelling argument and evidence
>> of clear use. This leads to a catch-22 where the only way to get the
>> evidence is to squat on it, but I don't see any way around it. I
>> particularly do not want to reserve names just because someone claims
>> to have a great plan. I think this probably includes Warren's great
>> plan for .alt.
> .... hey, that's my cue!
Well, maybe. When looking at leakage at the root, I find a 4th pattern in
addition to the three listed in the draft. Basically, I find a lot of
configurations in which the local admin defines a "super root" to use in a
search list, something like a search list composed of "corp.example.com;
example.com; super-root". This is probably meant to implement some variation
of "split DNS". It leaks at the root when the search list is applied to
something like "no-such-name.example.net", which does not actually exist.
The device ends up searching for "no-such-name.example.net.<local-root>",
which in the right circumstances leaks a query to the root.

It is easy to recognize this pattern: a non-existent TLD, preceded by a valid
TLD name as the 2LD. It accounts for a fairly large fraction of root traffic.
The value of "local-root" varies. Some domains use an IP address. Many use
common names like "LOCALDOMAIN" or "LAN", some use the name of a local
server, some use the name of an access router.

Arguably, they could use a reserved 2LD under ALT, although I am not holding
my breath...

-- Christian Huitema
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
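The "super root" search-list leak and the recognition heuristic described in Christian's message, as an added illustration that is not code from the thread or from any resolver. The stub resolver models only the behaviour the message describes (a name is tried as typed, then with each search suffix appended; a trailing dot makes it absolute), the TLD set is a small constructed subset rather than the real root zone, and the root-query sample is constructed. The recogniser generalises the heuristic in the message slightly: it strips every trailing label that is not a delegated TLD, so a multi-label local root such as an IP address is recovered as well as a single label like "lan". All names and helper functions are hypothetical.

```python
"""Model of the search-list leak pattern (added example, not from the thread).

The resolver is a stub driven by a constructed answer table, KNOWN_TLDS is a
constructed subset of the root zone, and SAMPLE_ROOT_QUERIES is constructed.
"""
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed subset of delegated TLDs; a real check would load the root zone.
KNOWN_TLDS = {"com", "net", "org", "arpa", "uk", "de", "fr"}

# Constructed: the only names the stub resolver can answer.
EXISTING_NAMES = {"www.corp.example.com", "www.example.com"}


def candidate_queries(name: str, search_list: Iterable[str]) -> List[str]:
    """Queries a stub resolver sends for `name`, in order (assumed model).

    A name with a trailing dot is absolute and tried once. Otherwise the name
    is tried as typed first, then with each search-list suffix appended, which
    is how a "super root" suffix ends up on names that were never meant to
    carry one.
    """
    if name.endswith("."):
        return [name[:-1].lower()]
    base = name.lower()
    queries = [base]
    for suffix in search_list:
        suffix = suffix.strip(".").lower()
        if suffix:
            queries.append(f"{base}.{suffix}")
    return queries


def resolve(name: str, search_list: Iterable[str],
            existing: Iterable[str] = EXISTING_NAMES) -> Tuple[Optional[str], List[str]]:
    """Walk the candidates; return (matched name or None, every query sent)."""
    known = set(existing)
    sent: List[str] = []
    for q in candidate_queries(name, search_list):
        sent.append(q)
        if q in known:
            return q, sent
    return None, sent


def split_leak(qname: str, known_tlds: Iterable[str] = KNOWN_TLDS) -> Optional[Tuple[str, str]]:
    """Recognise a leaked search-list query as seen at a root server.

    Heuristic from the message, generalised: strip trailing labels that are
    not delegated TLDs; if at least one label was stripped and the label now
    at the end is a delegated TLD, the stripped tail is the local "super
    root". Returns (original name, local root) or None.
    """
    tlds = set(known_tlds)
    labels = qname.rstrip(".").lower().split(".")
    tail: List[str] = []
    while labels and labels[-1] not in tlds:
        tail.insert(0, labels.pop())
    if not tail or not labels:
        return None  # either no bogus suffix, or no valid TLD left underneath it
    return ".".join(labels), ".".join(tail)


def summarise_root_traffic(qnames: Iterable[str]) -> Dict[str, int]:
    """Count leaked queries by the local root they reveal."""
    counts: Counter = Counter()
    for q in qnames:
        hit = split_leak(q)
        if hit:
            counts[hit[1]] += 1
    return dict(counts)


# Constructed sample of query names as they might arrive at a root server.
SAMPLE_ROOT_QUERIES = [
    "no-such-name.example.net.localdomain",
    "printer.example.com.lan",
    "www.example.co.uk.lan",
    "host.example.org.10.0.0.1",
    "www.example.com",           # ordinary query, no leak
    "_ldap._tcp.corp.local",     # bogus TLD, but not this pattern
    "wpad.lan",                  # bogus TLD, but not this pattern
    "another.example.net.localdomain",
]


def main() -> None:
    search_list = ["corp.example.com", "example.com", "super-root"]
    answer, sent = resolve("no-such-name.example.net", search_list)
    print("answer:", answer)
    for q in sent:
        print("  sent:", q, "<- leak" if split_leak(q) else "")
    for local_root, n in sorted(summarise_root_traffic(SAMPLE_ROOT_QUERIES).items()):
        print(f"{n:3d}  local root {local_root!r}")


if __name__ == "__main__":
    main()
```

Running it shows that of the four queries the stub sends for "no-such-name.example.net", only the one with "super-root" appended is recognisable at the root (the ones ending in example.com look like ordinary traffic for a real zone), and the traffic summary groups the constructed sample by the local root it reveals. A real analysis would load the current root zone for KNOWN_TLDS and would still miss super roots that happen to collide with a delegated TLD.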