So having just said that we should avoid re-visiting the long layer
9 discussion that occurred on dnsop, I do actually have a technical
concern about the document that was just pointed out to me by a
co-worker, and that was not actually discussed by the working group
(although David Conrad did make a related suggestion). There is
text in the document that says this:4. Caching DNS Servers: Caching servers SHOULD NOT attempt to look up records for .onion names. They MUST generate NXDOMAIN for all such queries. 5. Authoritative DNS Servers: Authoritative servers MUST respond to queries for .onion with NXDOMAIN. 6. DNS Server Operators: Operators MUST NOT configure an authoritative DNS server to answer queries for .onion. If they do so, client software is likely to ignore any results (see above). 7. DNS Registries/Registrars: Registrars MUST NOT register .onion names; all such requests MUST be denied.The problem with this text is that it doesn't quite do what I think we want. What we want is for a device that (incorrectly!) does a query on a .onion name to get an NXDOMAIN. If it does a DNSSEC query, we want it to be able to validate the NXDOMAIN. I think that this is what we intended, but this text doesn't actually accomplish that. What this text _does_ accomplish, which is also really important, is that it prevents queries from being sent, complete, all the way up to the root. I think that we want to ask for the following: 1. The root is set up to return NXDOMAIN with authenticated denial of existence. 2. Authoritative DNS servers should refuse to respond to these queries if they aren't authoritative. I don't think this needs to be said; if the server is authoritative for the root, it will respond with NXDOMAIN because the domain doesn't exist; if it's not authoritative for root, on what basis could it answer? 3. DNS caching servers should pre-load their cache with the NSEC records required to securely deny existence of .onion. 4. Operators should make sure their caching servers are set up this way. I think all the SHOULDs and MUSTs are inappropriate. We don't have the authority to tell the root operator what to put in the root zone, so this should say what we want, not say what the operator should do. And these are things that DNS servers ought to do, but I don't think there is a protocol issue here, and I don't think we can do more than encourage people to do the right thing here. In practice, what most protects end users is correct implementation on the host; once the query leaves the host the user's privacy has been violated; all that is left is to try to mitigate the thoroughness with which it has been violated. |