On Mon, Jun 15, 2020 at 5:59 PM Tony Finch <d...@dotat.at> wrote:
> Brian Dickson <brian.peter.dick...@gmail.com> wrote:
>
> > Internal-only use is not only satisfied with non-delegated name spaces, it
> > actually is a much better fit for everything.
>
> Yes, I agree, but why does the point of non-delegation have to be a
> squatted collision-prone TLD, rather than a guaranteed collision-free
> subdomain of a properly registered domain?
Precisely because you want a non-TLD (we should remember this is NOT an actual TLD), for a number of reasons:

- You want to be able to limit the places any leaked traffic goes
  - Currently this would be the Root Servers
  - I think it would make sense for non-TLDs to be DNAME'd to AS112++'s empty zone (which generates an NXDOMAIN)
    - Either as specific names, or as a wildcard
- The typical content of enterprisey internal-only names (the DNS queries themselves) is sensitive in nature
  - I have had the opportunity to view DITL data from ISP resolvers, and the nature of these kinds of queries was unsettling
  - In addition to leaking information, these names generally should not have any presence in DNS caches, which makes them excellent candidates for easy poisoning
- As I pointed out elsewhere in this thread, collision avoidance without revealing information can be done easily enough,
  - E.g. with use of a 12-character random string of letters and digits
    - 36^12 is pretty collision-resistant.
  - Use one of these, enterprise-wide
    - Or even site-wide at a sub-enterprise level if site-site isn't a requirement.

You can only squat on a property. This is a non-property, so technically it is not squatting, appearances notwithstanding.

Brian
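The "12-character random string of letters and digits, 36^12 is pretty collision-resistant" point above can be made concrete. The following is an added example, not code from the thread or from any poster: it generates such a label with a CSPRNG, checks that the result is a syntactically valid DNS hostname label (RFC 1123 letter/digit/hyphen rules, no leading or trailing hyphen, at most 63 octets), and puts numbers on the collision resistance using the standard birthday bound. The alphabet (26 lowercase letters plus 10 digits, since DNS labels are case-insensitive) and the birthday-bound functions are my assumptions about how one would quantify the claim; the post itself only gives the 36^12 figure.

```python
import math
import re
import secrets
import string

# Assumed alphabet: lowercase letters and digits. DNS is case-insensitive, so
# mixed case would not add entropy; 26 + 10 = 36 symbols, as in the post.
ALPHABET = string.ascii_lowercase + string.digits
LABEL_LEN = 12
SPACE = len(ALPHABET) ** LABEL_LEN  # 36**12, roughly 4.7e18 possible labels

# RFC 1123 hostname label: letters, digits and hyphen; no leading/trailing
# hyphen; 1..63 octets. Enforced after case-folding.
_LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def random_label(length: int = LABEL_LEN) -> str:
    """Return a label of `length` symbols drawn from ALPHABET with a CSPRNG.

    secrets.choice is used rather than random.choice: the label is meant to be
    unguessable as well as collision-free, so it must not come from a seeded
    or predictable generator.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_valid_label(label: str) -> bool:
    """True if `label` is a syntactically valid hostname label (case-folded)."""
    return bool(_LABEL_RE.match(label.lower()))


def entropy_bits(length: int = LABEL_LEN, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy in a uniformly random label: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def collision_probability(n_labels: int, space: int = SPACE) -> float:
    """Birthday bound: P(at least one collision) among n independent labels.

    p = 1 - exp(-n(n-1) / (2 * space)); expm1 keeps precision for tiny p.
    """
    if n_labels < 2:
        return 0.0
    exponent = -n_labels * (n_labels - 1) / (2 * space)
    return -math.expm1(exponent)


def labels_for_probability(p: float, space: int = SPACE) -> float:
    """Approximate number of labels at which the collision probability hits p.

    Inverts the bound above: n ~= sqrt(2 * space * -ln(1 - p)).
    """
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    return math.sqrt(2 * space * -math.log1p(-p))


if __name__ == "__main__":
    label = random_label()
    print(f"label: {label}  valid: {is_valid_label(label)}")
    print(f"entropy: {entropy_bits():.1f} bits (space = 36**12 = {SPACE})")
    for n in (1_000, 1_000_000, 1_000_000_000):
        print(f"{n:>13,} independently chosen labels: "
              f"P(collision) ~= {collision_probability(n):.3e}")
    print(f"50% collision probability needs ~{labels_for_probability(0.5):.2e} labels")
```

The birthday bound is the relevant figure because the worry is two independently chosen enterprise labels colliding, not one party guessing another's label: even a million such labels chosen across the whole Internet collide with probability on the order of 1e-7, and you need on the order of 2.5e9 of them before the odds reach even. A 12-symbol label carries about 62 bits, so the label also does not reveal anything about the organisation that chose it, which is the "without revealing information" half of the point.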
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop