In message <CAH1iCip=jko4-wimttkdns3v_8kzp0ptd13ksptzl6n7pph...@mail.gmail.com>
, Brian Dickson writes:
> On Tue, Feb 7, 2017 at 1:48 PM, Mark Andrews <ma...@isc.org> wrote:
> 
> >
> > In message <18f2eb0d-5bd0-4cc5-b02c-2e5ea0b8c...@fugue.com>, Ted Lemon
> > writes:
> > > Hm.   When I look for foo.alt, what I get is NXDOMAIN, not SERVFAIL.
> > > When I validate, I get a secure denial of existence.   This is the
> > > correct behavior.   Why do you think we would get a SERVFAIL?
> >
> > Because your testing is incomplete.
> >
> > Go add an empty zone (SOA and NS records only) for alt to your
> > recursive server.  This is what needs to be done to prevent
> > privacy leaks.
> >
> >
> Here are some possible alternatives (to having the empty zone be named
> "alt.").
> 
> First: make the locally served empty zone be "empty.as112.arpa".
> 
> Or, second method: have the DNAME RDATA be "alt.empty.as112.arpa", and the
> locally served zone be the same name.

Which does not work.  If you are serving up a local

        ALT. SOA ...
        ALT. NS ...
        ALT. DNAME alt.empty.as112.arpa.

then it will not have RRSIG records so it will not validate unless there
is an INSECURE delegation for .ALT.

I really don't see the point in having the DNAME there other than you
seem to want a DNAME there.

The public version of the insecure .ALT zone could have a DNAME but
we are not talking about those contents at the moment.  We are
talking about what goes into the root zone to make this work.

> Or, third, have some other name for the zone (anything other than alt, or
> really anything that doesn't collide with a global name),

Nothing doesn't collide with a global name.  This is all about carving
a namespace out of the global namespace.

> and then use a
> local DNAME from "empty.as112.arpa" (or "alt.empty,as112.arpa") to that
> zone's name (e.g. "homenet" or "homenet.local" or whatever  you wish).

Homenet is still part of the global namespace.  Once there is a delegation
and a RFC which states that it is not part of the global namespace then
you have other issues or should we start squatting on the homenet space?
 
> Since all of the above occur at or below the transition to unsigned, they
> should validate. (I need to test these, but I don't see why they wouldn't
> work, and all of the above avoid leaking queries to the root or to AS112
> servers.)
> 
> Brian
> 
> 
> 
> > Configure another recursive server to forward its queries to this
> > server and enable validation.
> >
> > Now ask for foo.alt from this second server.
> >
> > Mark
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
> >
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
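The failure Mark's two-server test exposes, as an added illustration that is not part of the thread: a deliberately reduced model (assumed, not real DNSSEC code) of how the validating forwarder classifies an unsigned NXDOMAIN for foo.alt served from a local "alt" zone, depending on what the signed root says about "alt".

```python
# Simplified model of a validating resolver (server B) judging an answer for
# foo.alt that it received from a forwarder (server A) serving an unsigned
# local "alt" zone.  Added example: the zone representation and the rules
# are a constructed, reduced model of RFC 4035 validation, not real code.

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

# The forwarder's reply from its empty local zone: NXDOMAIN, alt. SOA in the
# authority section, and no RRSIG anywhere (constructed sample).
LOCAL_ANSWER = {"zone": "alt.", "rcode": "NXDOMAIN", "signed": False}


def root_zone(alt_delegated: bool, alt_signed: bool = False) -> dict:
    """Constructed root-zone model keyed by (owner, type); the root is signed,
    so the presence or NSEC-proven absence of every record is authenticated."""
    zone = {(".", "SOA"): True, (".", "NS"): True, (".", "DNSKEY"): True}
    if alt_delegated:
        zone[("alt.", "NS")] = False       # NS at a cut is not signed by the parent
        if alt_signed:
            zone[("alt.", "DS")] = True    # DS present: child must be signed
    return zone


def ds_status(root: dict, child: str) -> str:
    """What the validator learns about the cut by asking the root for DS."""
    if (child, "DS") in root:
        return "ds_present"
    if (child, "NS") in root:
        return "insecure_delegation"       # NS exists, DS proven absent
    return "name_does_not_exist"           # NSEC proves 'alt' is not in the root


def classify(root: dict, answer: dict) -> str:
    status = ds_status(root, answer["zone"])
    if status == "name_does_not_exist":
        # Root proves there is no alt. at all, yet the answer asserts an
        # unsigned alt. SOA: no chain of trust reaches it, so it is bogus.
        return BOGUS
    if status == "insecure_delegation":
        return INSECURE                    # unsigned data is fine below an insecure cut
    return SECURE if answer["signed"] else BOGUS


def rcode_at_validator(root: dict, answer: dict) -> str:
    """Bogus data is never handed to the client; it becomes SERVFAIL."""
    return "SERVFAIL" if classify(root, answer) == BOGUS else answer["rcode"]
```

Without an insecure delegation for alt in the root the validator returns SERVFAIL, with one it passes the NXDOMAIN through as insecure.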

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop