On 18 Jun 2020, at 16:15, Ted Lemon <mel...@fugue.com> wrote:
>
> For what it’s worth, I am in favor of adopting this document. With that said,
> however, I do have questions, Roy.

Thanks for your support.

> If we use these ccTLDs as squatting domains, that means that we’re going to
> see a lot of traffic at the root trying to find nonexistent name servers,
> right?

“A lot” is relative. 73% of queries to the ICANN managed root servers are for domains that do not exist. Close to 50% is done by a single application. This traffic will likely end up in the margins. When squatted domains are traded in for private use domains, there is no difference.

> And these ccTLDs provably do not exist, right?

Yes, and rightfully so.

> Contrariwise, home.arpa has an un-signed delegation. Queries for home.arpa
> are no worse than queries for any other .arpa subdomain, as far as the root
> is concerned. On the other hand, perhaps they are worse for .arpa, and since
> in fact .arpa is currently served by the root servers, perhaps this makes no
> difference. I have no idea.
>
> What’s the difference we’ll see in traffic for the root versus traffic for
> .arpa if people adopt known-unused, securely nonexistent ccTLDs instead of an
> un-signed delegation under .arpa?

Again, negligible.

> Also, what do you think the operational effect of this will be? Given that
> these domains are currently provably nonexistent, this means that a resolver
> looking up names in these domains will have to special-case them.

A resolver has to special provision anything that is used in private, regardless of DNSSEC, correct? A validating stub resolver needs to have a negative trust anchor for that unsigned space, if that unsigned space is actually used privately.

The inverse is a stunningly bad idea:

If .internal is delegated from the root, there is a security hole that

(1) is open by default in EVERY network.
(2) every hacker knows about. You can spoof .internal from the outside of the victim resolver, in your own time, from your own network.
(3) every user has to use, since there is no other private space (unless .zz and others is a non-delegated, but designated private space).
(4) every device will be shipped with, because they have been told that .internal is the new squatting.

and if you don’t want to be exposed to this security hole EVERYONE has to

(1) redirect .internal elsewhere, even WHEN YOU ARE NOT USING IT. (Some new app may be using it, some client on your network may be using it)
(2) deploy a bogus trust anchor on your validating stub resolver everywhere.

And for what? For the theoretical validating stub resolver that somehow can't have a negative trust anchor for .internal (good luck deploying a signed .internal), while having a trust anchor for root.

But this is just my opinion. Giving the world an open door into everyone’s private space was not what I had in mind when I started working on DNSSEC.

Roy