On Sun, Apr 23, 2023 at 4:16 PM, Paul Wouters <[email protected]> wrote:
> Paul Wouters has entered the following ballot position for > draft-ietf-dnsop-alt-tld-23: Yes > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > Please refer to https://www.ietf.org/about/groups/iesg/statements/ > handling-ballot-positions/ for more information about how to handle > DISCUSS and COMMENT positions. > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-dnsop-alt-tld/ > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Some of my comments might be DISCUSS-worthy (my apologies), but I really > don't want to block this document for any further time. But please do take > my comments into considerations if you can do a quick ref update. > > The term pseudo-TLD as defined here is not how I've seen the term used. A > pseudo TLD as I've seen it used is a TLD that's one step below a real TLD > and runs as a general GTLD (open registration), eg "uk.com". I guess I > would qualify the use in this document more as "fake TLD", but I can see > how that might come over as even more perogative. So I am fine with the > current definition and use case. Perhaps a "to be confused with" note could > be added, but is not strictly required. > We've been using this terming this way since at least 2015, and so changing it now would be very disruptive. Do you have proposed text to clarify that it's not used to mean something like the public suffix list? > 4. Caching DNS servers SHOULD NOT recognize names in the .alt pseudo-TLD > as special and SHOULD NOT perform any special handling with them. > > There is value for a recursor to "pre-load" the proof of non-existence of > ".alt" (the entire branch in the hierarchy) to avoid any potential leakage > of subdomains within alt. It could potentially also reduce error message > logs if someone starts using .alt not as a real hierarchy or using non-DNS > valid characters in their name, eg Ulabel stuff or even binary stuff like > 0x00010001000000003616c7400. They could also just return NXDOMAIN instead > of forwarding the query to the root servers to avoid a privacy leak. Or it > could modify the question foo "foo.alt" and only send "alt" to the root. I > see no reason such additional protection mechanisms need to violate this > "SHOULD NOT" clause. Why not flip the statement around? > > 4. Caching DNS servers MAY recognize names in the .alt pseudo-TLD as > special and MAY perform special privacy preserving methods to return > (DNSSEC signed) NXDOMAIN answers to prevent leaking entries under the .alt > pseudo-TLD into the global DNS. > > 5. Authoritative DNS servers SHOULD NOT recognize names in the > .alt pseudo-TLD as special and should not perform any special handling > with them. > > Any reason the second "should not" is lowercase ? Note that I do agree > here, and would even say MUST NOT so that people can use DNS technology > even if not rooted in the global DNS for their > .alt names without having to modify existing DNS software (eg run a shadow > .alt using DNS on port 666 or something) > > 6. DNS server operators will treat names in ... > > I find the use of "will" here a little odd. Perhaps: > > 6. DNS servers and operators, which whave no special handling for the .alt > pseudo-TLD will end up treating names in ... > > > 7. DNS registries/registrars for the global DNS will never register names > in the .alt pseudo-TLD because .alt will not exist in the global DNS root > > "will never" seems wishful thinking. I've seen some very fraudulent stuff > happen with DNS registries/registrars. eg what if one of them will support > pseudo-TLDs along with real DNS domains, and includes bogus .alt > registrations? Perhaps: > > 7. DNS registries/registrars for the global DNS can never legitimately > register names in the .alt pseudo-TLD because .alt will never exist in the > global DNS root > Oh, good point. Your proposed text still make it sound like they are not allowed to support non-DNS names, and so I'm proposing: "7. It is not possible for DNS registries/registrars to register names in the .alt pseudo-TLD as the .alt will not exist in the global DNS root." This threads the needle of not trying to tell registries and registrar what they are allowed to do by simply point out that's it's an impossibility for them to register *DNS* names in an undelegated name. > Again, my apologies to Warren for not balloting a blanc YES :) > Nah, thanks for the comments…. and it's still a YES :-p W
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
