On 01/06/2015 11:31 PM, David Conrad wrote:
> Christian,
> 
>> On Jan 6, 2015, at 12:47 AM, Christian Grothoff
>> <christ...@grothoff.org> wrote:
>>> The DNS implementation of the singular hierarchical domain name
>>> namespace does not preclude the use of any portion of that
>>> namespace outside of the DNS (for example, see nsswitch).
>> 
>> Well, I believe that while you are technically right, an nsswitch
>> plugin hijacking ".com" today to do something very different from
>> DNS resolution is typically not merely bad design, but most likely
>> malware.
> 
> I meant to provide nsswitch as one (generic) example of a way to
> implement a portion of the domain name namespace outside of the DNS.
> It obviously is not the only means -- /etc/hosts would be another
> (less generic) example.

Sure.

>> This is what we mean by usability: we need to satisfy users'
>> expectations, and just grabbing some TLD that ICANN has already
>> allocated is likely to cause usability problems by confusing
>> users.
> 
> I understand and that is, I believe, what RFC 6761 was trying to
> facilitate. The question isn't whether grabbing some TLD is a good
> idea (it isn't) but rather, is a TLD actually necessary.  So far, as
> far as I've seen, the only concrete justification you've provided
> appears to be that a TLD (as opposed to a second-level name in a
> sub-tree dedicated to non-DNS domain names) means fewer characters to
> type. I'd note that in the case of TOR, something like T.ALT or O.ALT
> would be the same number of characters as .ONION.

You're forgetting other issues, such as who manages .alt-allocations.
I just can't repeat every argument each time, and if I don't have
everybody go and say that clearly I only have one because I didn't put
them all forward in each e-mail. Sorry, I'm not a parrot, and I had this
specific discussion with you already over a year ago:
 http://www.ietf.org/mail-archive/web/dnsop/current/msg10876.html


>> Correctly configured installations of the P2P name systems must
>> never contact DNS servers about these pTLDs.
> 
> It might be worthwhile stating this explicitly as in:
> 
> "Installations of the P2P name systems MUST NOT contact DNS servers
> about these pTLDs."

Sure. But that depends a bit on your definition of "DNS server" -- if I
run a dns2gns proxy that speaks DNS, is that a "DNS server"? If a
Namecoin user configures his DNS server to support ".bit", is it still a
"DNS server"?  If we write "ordinary DNS servers", that might work.

> perhaps adding that exposure to the DNS of these P2P names would
> constitute a potential privacy/security risk.

Sure.

> However, as I understand it, this wouldn't appear to apply to GNS and
> Namecoin ("GNS and Namecoin domains MAY use [the DNS tree hierarchy],
> as they return DNS-compatible results; ..."), so I presume I'm
> misunderstanding something -- apologies for not having time to delve
> into the details of how those systems actually work (that's on my
> list of things to do).

GNS and (AFAIK) Namecoin can (or at least theoretically could)
internally delegate names back to DNS. I.e. I could make BAR.example.gnu
resolve to BAR.example.com (possibly bypassing the root zone by
providing both NS and DNAME information in a combined record, or using
full DNS resolution via CNAME).  So these new name systems can integrate
with legacy resolution, bypassing legacy issues such as the status of
.IR depending on a US court decision...

>> Yes, except thinking about it 'cannot ... administratively' also
>> has not exactly the right ring to it.  I'll change it to:
>> 
>> "Names within pTLDs are not allocated by some designated
>> administration" would be more precise.
> 
> That's clearer, at least to me.

:-)

>> However, if say the socks proxy is "off", or the NSS is
>> misconfigured, then the requests may unintentionally be leaked to
>> DNS.
> 
> OK. My concern was that I had somehow inferred that a potential
> algorithm for transition to a P2P system was:
> 
>     get domain name
>     query DNS for domain name
>     if response is NXDOMAIN then
>         query P2P system for domain name
>         P2P domain name handling
>     else
>         DNS domain name handling
>     endif
> 
> (which would obviously be bad)

Yes, very bad indeed ;-).

> Perhaps in section 2, around (or replacing) the third bullet on
> starting page 3, you could say something along the lines of:
> 
> "o When a pTLD protocol has been implemented, existing software
> libraries and APIs MUST intercept queries intended for the DNS and
> MUST NOT extend regular DNS operation to ensure P2P names cannot leak
> into the DNS."

Well, it may not be a software library in charge (see Tor socks proxy),
and the pTLD resolutions are obviously not "intended" for the DNS.

So I'd write:

        When a pTLD protocol has been implemented, the implementation
        MUST intercept queries for the pTLD to ensure P2P names cannot
        leak into the DNS.

Acceptable?

Best regards,

Christian
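
The ordering problem discussed in this message, as an added example (not part of the original e-mail or the draft): a DNS-first fallback hands the pTLD name to DNS, while an intercepting resolver decides on the pTLD before any DNS query and fails closed when the P2P resolver is off. `FakeDNS`, `PTLDUnavailable` and the resolver functions are hypothetical names, and the pTLD set holds only the pTLDs named in this thread.

```python
# Added example. PTLDS lists only the pTLDs named in this thread; FakeDNS and
# the p2p callables are constructed stand-ins, not real resolver APIs.
PTLDS = {"onion", "bit", "gnu"}

class FakeDNS:
    """Stands in for an ordinary DNS server; records every name it is asked."""
    def __init__(self, zone):
        self.zone = zone
        self.seen = []

    def query(self, name):
        self.seen.append(name)
        return self.zone.get(name)  # None models NXDOMAIN

class PTLDUnavailable(Exception):
    """The P2P resolver for a pTLD is off or misconfigured."""

def tld(name):
    # Case-insensitive; tolerate a trailing root dot ("Example.ONION.").
    return name.rstrip(".").lower().rsplit(".", 1)[-1]

def resolve_fallback(name, dns, p2p):
    """DNS-first order from the quoted pseudocode: the name reaches DNS."""
    answer = dns.query(name)
    if answer is None and p2p is not None:
        return p2p(name)
    return answer

def resolve_intercept(name, dns, p2p):
    """Decide on the pTLD before any DNS query; fail closed if P2P is down."""
    if tld(name) in PTLDS:
        if p2p is None:
            raise PTLDUnavailable(name)  # never fall through to DNS
        return p2p(name)
    return dns.query(name)

def demo():
    p2p = {"example.onion": "p2p-answer"}.get  # constructed sample data
    leaky, safe = FakeDNS({}), FakeDNS({"example.com": "192.0.2.1"})
    resolve_fallback("example.onion", leaky, p2p)
    resolve_intercept("Example.ONION.", safe, p2p)
    try:
        resolve_intercept("example.onion", safe, None)  # proxy "off"
    except PTLDUnavailable:
        pass
    resolve_intercept("example.com", safe, p2p)
    return leaky.seen, safe.seen
```
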


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
