On 7/7/21 7:54 PM, Warren Kumari wrote:
> Obviously there is a tradeoff here -- privacy vs deployment. 1: while it's **possible** that there is a delegation point at the underscore label, (IMO) it is unlikely. If there is no delegation, you will simply be coming back to the same server again and again, and so you are not leaking privacy sensitive information.
There are deployments with delegations at _openpgpkey, such as _openpgpkey.posteo.de. This is how I would do such a deployment myself. As there are only hashes exposed, I don't see a privacy issue if no QNAME Minimization is done. (The point is that I would argue that such delegation points are not unlikely.) Another example is _acme-challenge. About 0.1% of zones hosted at desec.io have a delegation point there. (Ok, that's not very frequent.) The draft for authenticated bootstrapping of DNSSEC delegations (https://datatracker.ietf.org/doc/draft-thomassen-dnsop-dnssec-bootstrapping/) does suggest a zone cut at an underscore name. However, that's not to say it would be a privacy-relevant one, so it seems fine to me when QNAME Minimization is not done in this case. It is unclear whether the future will bring underscore labels under which privacy-sensitive owner names may reside.
> Should the advice above be strengthened to SHOULD / RECOMMENDED?
Especially because of the last reason above, I tend towards MAY. However, I would endorse SHOULD / RECOMMENDED if the wording is changed such that "skipping a split" is done "up to the lowest-level" underscore label. In other words, jumping from example.com to _25._tcp.example.com would be RECOMMENDED, but jumping from example.com to foobar._openpgpkey.example.com would not, because "foobar" is not an underscore label. Generally, if there are N consecutive underscore labels, minimization SHOULD be skipped for the N-1 of them which are closest to the root.

Cheers,
Peter

--
Like our community service? 💛 Please consider donating at https://desec.io/

deSEC e.V.
Kyffhäuserstr. 5
10781 Berlin
Germany

Vorstandsvorsitz: Nils Wisiol
Registergericht: AG Berlin (Charlottenburg) VR 37525
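The "skip up to the lowest-level underscore label" rule discussed in the message above, as an added illustration that is not code from the DNSOP thread, from deSEC, or from any resolver. It computes the sequence of query names a QNAME-minimizing resolver would send below one known zone cut under three policies: plain one-label-per-step minimization, the rule proposed above (skip the N-1 underscore labels closest to the root in a run of N), and, for contrast, a hypothetical variant that also jumps over the first non-underscore label (the `foobar._openpgpkey.example.com` case the message says should not be recommended). The policy names and the function name are made up here; a real resolver restarts this walk at every new zone cut it discovers from referrals, which the example does not model.

```python
"""Query-name sequences for QNAME minimization below a known zone cut.

Added example for the DNSOP discussion above; not code from the thread,
from deSEC, or from any resolver. Policy names are invented for this
illustration.
"""
from typing import List

# One label per step, as in plain QNAME minimization (RFC 7816 style).
NO_SKIP = "none"
# Rule proposed in the message: in a run of N consecutive underscore labels,
# do not stop at the N-1 closest to the root; go straight to the lowest one.
LOWEST_UNDERSCORE = "lowest_underscore"
# Hypothetical contrast: also swallow the first non-underscore label below
# the run (exposes e.g. foobar._openpgpkey.example.com in a single step).
PAST_UNDERSCORE = "past_underscore"


def _labels(name: str) -> List[str]:
    """Split a domain name into labels, ignoring a trailing dot and the root."""
    return [label for label in name.rstrip(".").split(".") if label]


def minimization_plan(qname: str, zone_cut: str,
                      policy: str = LOWEST_UNDERSCORE) -> List[str]:
    """Return the ordered list of names queried below zone_cut for qname.

    zone_cut must be an ancestor of qname (use "." for the root).  The
    returned names are written without a trailing dot.
    """
    if policy not in (NO_SKIP, LOWEST_UNDERSCORE, PAST_UNDERSCORE):
        raise ValueError(f"unknown policy {policy!r}")
    q = _labels(qname)
    cut = _labels(zone_cut)
    if len(cut) > len(q) or (cut and q[len(q) - len(cut):] != cut):
        raise ValueError(f"{zone_cut} is not an ancestor of {qname}")

    n_below = len(q) - len(cut)   # labels of qname that lie below the cut
    plan: List[str] = []
    depth = 1                     # how many labels below the cut to include
    while depth <= n_below:
        idx = n_below - depth     # index in q of the label at this depth
        if policy != NO_SKIP and q[idx].startswith("_"):
            # Extend over the whole run of consecutive underscore labels,
            # towards the leaf, so that only the lowest-level one is queried.
            while idx - 1 >= 0 and q[idx - 1].startswith("_"):
                idx -= 1
            # The contrast policy additionally absorbs the next label even
            # though it is not an underscore label.
            if policy == PAST_UNDERSCORE and idx - 1 >= 0:
                idx -= 1
            depth = n_below - idx
        plan.append(".".join(q[idx:]))
        depth += 1
    return plan


if __name__ == "__main__":
    # Constructed inputs; "example.com" is assumed to be the only known cut.
    cases = [
        ("_25._tcp.example.com", "example.com"),
        ("foobar._openpgpkey.example.com", "example.com"),
        ("_25._tcp.mail.example.com", "example.com"),
    ]
    for name, cut in cases:
        print(name)
        for policy in (NO_SKIP, LOWEST_UNDERSCORE, PAST_UNDERSCORE):
            print(f"  {policy:>17}: {' -> '.join(minimization_plan(name, cut, policy))}")
```

Under `LOWEST_UNDERSCORE` the resolver goes from `example.com` directly to `_25._tcp.example.com` (the `_tcp` step is skipped) but still queries `_openpgpkey.example.com` before `foobar._openpgpkey.example.com`, so a delegation at the underscore label is found and the hashed local part is never sent to the parent's server; `PAST_UNDERSCORE` shows the single-step exposure the message argues against.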
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop