On Mon, Jun 15, 2020 at 6:30 PM Tony Finch <[email protected]> wrote:

> Brian Dickson <[email protected]> wrote:
> > - In addition to leaking information, these names generally should
> > not have any presence in DNS caches, which makes them excellent candidates
> > for easy poisoning
>
> These issues happen in exactly the same way whether you squat on a tld or
> use a private subdomain.
Actually, no, or rather, it (susceptibility to poisoning) might depend. Here's why:

The root zone is DNSSEC signed with NSEC. It is literally impossible for anyone to poison any name at or below a non-TLD.

A private subdomain of a real domain only has the same properties if the real domain is DNSSEC signed (chained from the root), and the public version of that domain's zone denies the existence of the private subdomain. I.e. that isn't going to be 100% true ever, and today has only a small statistical chance of being true (DNSSEC uptake globally being about 1%).

In any case, the argument I'm making is that 100% is tautologically optimal, and the best any single enterprise can do is match that.

It's likely more reliable and easier to go the non-TLD route for all but the most technically savvy enterprises (who probably won't rely on this document regardless).

Brian
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
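The check a validating resolver actually performs when the root (or a signed parent zone) "denies the existence" of a name is an NSEC proof of non-existence. The following is an added example, not code from the thread or from any DNSOP draft: it implements canonical DNS name ordering (RFC 4034 §6.1) and the NXDOMAIN proof rules of RFC 4035 §5.4 plus the ancestor-delegation caveat of RFC 6840 §4.1, and runs it over two constructed NSEC sets, one approximating the root zone and one for a hypothetical signed example.com. Signature validation of the NSEC RRsets is assumed to have happened already; the record contents are illustrative, not copied from the live root zone.

```python
"""NSEC authenticated denial of existence (added example, not from the thread).

Assumes the NSEC records handed in have already passed RRSIG validation.
Sample records are constructed for illustration."""
from dataclasses import dataclass


def canonical_key(name: str) -> list:
    """RFC 4034 section 6.1 ordering: labels compared right to left, lowercase,
    as unsigned octet strings; an ancestor (label prefix) sorts first.
    Python's list-of-bytes comparison does exactly that on the reversed labels."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return [label.encode("ascii") for label in reversed(labels)]


@dataclass(frozen=True)
class NSEC:
    owner: str
    next_name: str
    types: frozenset

    def is_delegation(self) -> bool:
        # NS without SOA at the owner: the owner is a zone cut in this (parent) zone.
        return "NS" in self.types and "SOA" not in self.types


def is_ancestor(ancestor: str, name: str) -> bool:
    a, n = canonical_key(ancestor), canonical_key(name)
    return len(a) < len(n) and n[: len(a)] == a


def nsec_covers(rr: NSEC, qname: str) -> bool:
    """True when qname lies strictly between owner and next_name, i.e. this NSEC
    proves qname is absent from the zone. The last NSEC points back to the apex,
    so its span wraps around. A name equal to the owner is NOT covered: it exists."""
    o, n, q = canonical_key(rr.owner), canonical_key(rr.next_name), canonical_key(qname)
    covered = (o < q < n) if o < n else (q > o or q < n)
    # RFC 6840 section 4.1: an NSEC at a delegation point says nothing about
    # names inside the child zone, so it must not be used to deny them.
    if covered and rr.is_delegation() and is_ancestor(rr.owner, qname):
        return False
    return covered


def _common_ancestor(a: str, b: str) -> str:
    ka, kb = canonical_key(a), canonical_key(b)
    i = 0
    while i < min(len(ka), len(kb)) and ka[i] == kb[i]:
        i += 1
    return ".".join(label.decode() for label in reversed(ka[:i])) + "."


def proves_nxdomain(nsecs, qname: str) -> bool:
    """RFC 4035 section 5.4: an NXDOMAIN proof needs (1) an NSEC covering qname and
    (2) an NSEC covering *.<closest encloser>, so no wildcard could have answered.
    With NSEC the closest encloser is the longer of qname's common ancestors with
    the covering record's owner and next names, both of which are known to exist."""
    for rr in nsecs:
        if not nsec_covers(rr, qname):
            continue
        ce = max(_common_ancestor(rr.owner, qname),
                 _common_ancestor(rr.next_name, qname),
                 key=lambda n: len(canonical_key(n)))
        wildcard = "*." if ce == "." else "*." + ce
        if any(nsec_covers(w, wildcard) for w in nsecs):
            return True
    return False


# Constructed approximation of three root-zone NSEC records (not live data).
ROOT_NSECS = [
    NSEC(".", "aaa.", frozenset({"NS", "SOA", "RRSIG", "NSEC", "DNSKEY"})),
    NSEC("intel.", "international.", frozenset({"NS", "DS", "RRSIG", "NSEC"})),
    NSEC("zw.", ".", frozenset({"NS", "DS", "RRSIG", "NSEC"})),
]

# Constructed NSEC chain for a hypothetical signed example.com with two hosts.
EXAMPLE_NSECS = [
    NSEC("example.com.", "mail.example.com.",
         frozenset({"NS", "SOA", "MX", "RRSIG", "NSEC", "DNSKEY"})),
    NSEC("mail.example.com.", "www.example.com.", frozenset({"A", "RRSIG", "NSEC"})),
    NSEC("www.example.com.", "example.com.", frozenset({"A", "AAAA", "RRSIG", "NSEC"})),
]

if __name__ == "__main__":
    for zone, name in [(ROOT_NSECS, "internal."), (ROOT_NSECS, "corp.internal."),
                       (ROOT_NSECS, "corp.intel."), (EXAMPLE_NSECS, "corp.example.com.")]:
        print(f"{name:22} nxdomain proven: {proves_nxdomain(zone, name)}")
```

Two things the output makes concrete: the root NSEC span covering the non-TLD `internal.` also proves `corp.internal.` absent (its closest encloser is the root, whose wildcard is covered by the first record), whereas `corp.intel.` is not proven absent by root data at all, because `intel.` is a delegation and only the child zone can speak for names beneath it. For an unsigned parent there are no NSEC records to feed this function, which is the gap the post is pointing at.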
