Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-19 Thread John R Levine
SERVFAIL is a temporary error. NXDOMAIN is a permanent error which is cachable. SERVFAIL is not "fine". Hmmn. Keeping in mind that these responses are sent by the cache, could you explain what "cacheable" means in this context? Applications can, and some do, cache responses. No doubt, but

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-19 Thread Mark Andrews
In message , "John R Levine" writes: > >> So a cache stub that provides unsigned answers to .local and .onion > >> queries is just fine. If the client treats that as SERVFAIL or > >> whatever it does with unverified answers, that's fine too. > > >

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-19 Thread John R Levine
So a cache stub that provides unsigned answers to .local and .onion queries is just fine. If the client treats that as SERVFAIL or whatever it does with unverified answers, that's fine too. SERVFAIL is a temporary error. NXDOMAIN is a permanent error which is cachable. SERVFAIL is not "fine".

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-19 Thread Mark Andrews
In message <20161019140954.31332.qm...@ary.lan>, "John Levine" writes: > >You may not care that validating stub resolvers that ask for > >example.local get back answers that can be validated as NXDOMAIN > >without leaking queries to the root but I do. Just adding the zone > >locally without

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-19 Thread John Levine
>You may not care that validating stub resolvers that ask for >example.local get back answers that can be validated as NXDOMAIN >without leaking queries to the root but I do. Just adding the zone >locally without having the insecure delegation results in just that >condition. It just occurred to

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-19 Thread John Levine
>the discussions, the two biggest issues were the "governance" >difficulties (adding DNAME records in the root...) Nobody's mentioned the governance issues, but speaking as someone who spends too much time hanging around ICANN, that will be a huge can of worms. If we tell them that DNAMEs are

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-18 Thread Brian Dickson
A short time ago, in a time zone not far away, Warren Kumari wrote: On Fri, Oct 14, 2016 at 10:04 AM, Paul Wouters wrote: > On Fri, 14 Oct 2016, Stephane Bortzmeyer wrote: > >> draft-bortzmeyer-dname-root >> >> ,

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-18 Thread Mark Andrews
In message , George Michaelson writes: > Mark, that's a bit of an unsatisfactory answer. The RFC (which you > authored) says: > > "...As with caching positive responses it is sensible for a resolver to >limit for how long

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-18 Thread George Michaelson
Mark, that's a bit of an unsatisfactory answer. The RFC (which you authored) says: "...As with caching positive responses it is sensible for a resolver to limit for how long it will cache a negative response as the protocol supports caching for up to 68 years. Such a limit should not be

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-18 Thread Mark Andrews
In message , "John R Levine" writes: > >>> No. They slow the leaks. They do not STOP the leaks. They depend on > >>> leaks to work. > >> > >> With a 24 hour TTL on the root zone, it ain't going to leak very much. > > > > The practical TTL is 3 hours.

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-18 Thread George Michaelson
I would encourage you to write up some terminal state, either for publication as an informational or in some other document series. People find stuff, and if you link to it in the mail archives, it will be a useful reminder of where we got to on the conversation. On Wed, Oct 19, 2016 at 8:38 AM,

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-18 Thread Mark Andrews
In message , "John R Levine" writes: > >> If we're going to ask people to change their software, how about > >> asking them to implement aggressive NSEC or NXDOMAIN-means-NXDOMAIN in > >> their caches? Those deal with .local and .onion leaks at the

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-18 Thread John R Levine
If we're going to ask people to change their software, how about asking them to implement aggressive NSEC or NXDOMAIN-means-NXDOMAIN in their caches? Those deal with .local and .onion leaks at the same time they do other useful stuff. No. They slow the leaks. They do not STOP the leaks.

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-18 Thread Mark Andrews
In message <20161018175340.26608.qm...@ary.lan>, "John Levine" writes: > >I would think that the best approach might be: > >- insecure delegation to 127.x.x.x, so that queries do not leak past the > >host of the local resolver. This is the best we can do for the CPE > >equipment and other

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-18 Thread John Levine
>I would think that the best approach might be: >- insecure delegation to 127.x.x.x, so that queries do not leak past the >host of the local resolver. This is the best we can do for the CPE >equipment and other resolvers that will not be updated until they are >replaced. >- add .local to

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-18 Thread Stephane Bortzmeyer
On Tue, Oct 18, 2016 at 11:15:32AM -0400, Bob Harold wrote a message of 157 lines which said: > This does not cause any additional load on the AS112 servers. Sparing the AS 112 servers is a non-goal. Their operators never said they were overloaded.

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-18 Thread Bob Harold
On Fri, Oct 14, 2016 at 3:51 PM, Mark Andrews wrote: > > In message , Paul Wouters writes: > > On Fri, 14 Oct 2016, Stephane Bortzmeyer wrote: > > > > > "Using DNAME in the DNS root zone for sinking of special-use >

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-14 Thread Mark Andrews
In message , Paul Wouters writes: > On Fri, 14 Oct 2016, Stephane Bortzmeyer wrote: > > > "Using DNAME in the DNS root zone for sinking of special-use TLDs" ? > > > > On Fri, Oct 14, 2016 at 10:04:21AM -0400, > > Paul Wouters

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-14 Thread Paul Wouters
On Fri, 14 Oct 2016, Stephane Bortzmeyer wrote: "Using DNAME in the DNS root zone for sinking of special-use TLDs" ? On Fri, Oct 14, 2016 at 10:04:21AM -0400, Paul Wouters wrote a message of 19 lines which said: But by adding delegations in the root to AS112, aren't we

Re: [DNSOP] Future of "Using DNAME in the DNS root zone for sinking of special-use TLDs" ?

2016-10-14 Thread John Levine
I would rather we abandon this draft. I don't think the benefit is worth the cost. It is not my impression that the load on the roots from special-use leakage is a significant fraction of the overall flood of garbage they get. Whether or not it is, we have at least three things going on that