Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update .mm SLDs additions #1441

Closed
wants to merge 4 commits into from
Closed

Update .mm SLDs additions #1441

wants to merge 4 commits into from

Conversation

brian-peter-dickson
Copy link

  • Description of Organization

  • Reason for PSL Inclusion

  • DNS verification via dig

  • Run Syntax Checker (make test)

  • Each domain listed in the PRIVATE section has and shall maintain at least two years remaining on registration, and we shall keep the _PSL txt record in place

Submitter affirms the following:

  • We are listing any third party limits that we seek to work around in our rationale such as those between IOS 14.5+ and Facebook (see Issue #1245 as a well-documented example)
  • This request was not submitted with the objective of working around other third party limits
  • The Guidelines were carefully read and understood, and this request conforms
  • The submission follows the guidelines on formatting

For Private section requests that are submitting entries for domains that match their organization website's primary domain:

Seriously, carefully read the downline flow of the PSL and the guidelines.
Your request could very likely alter the cookie and certificate (as well as other) behaviours on your 
core domain name in ways that could be problematic for your business.

Rollback is really not predicatable, as those who use or incorporate the PSL do what they do, and when.
It is not within the PSL volunteers' control to do anything about that.  

The volunteers are busy with new requests, and rollbacks are lowest priority, so if something gets broken 
it will stay that way for an indefinitely long while.

(Link: about propogation/expectations)

  • Yes, I understand. I could break my organization's website cookies etc. and the rollback timing, etc is acceptable. Proceed.

Description of Organization

Organization Website:

Individual, not representing my employer.
DNS architect at GoDaddy.
Not affiliated with domain owner.
Acting as a volunteer to instantiate the SLDs for the CCTLD "mm".

Reason for PSL Inclusion

The current PSL entry for "mm." is only the wildcard ".mm".
This establishes the policy, but does not enumerate the corresponding SLDs that exist.
(Almost all of the other ICANN TLDs have non-wildcard entries at the SLD level.)
The use case is developing RPZ zones from the PSL, by prepending names.
(The specific current case is the CVE for "autodiscover" by mail users, failing upward to the 3LD level.)
Because RPZ zones are ordinary DNS zones, it is not possible to have an interior wildcard, as it won't work.
E.g. For ".mm", the RPZ record "foo.*.mm" won't match anything. However, instantiating it will allow matches,
such as for "foo.bar.mm", assuming "bar" is an actual SLD underneath "mm".

The addition of the SLDs does not alter the PSL rules for "mm".

DNS Verification via dig

I am not affiliated with the domain owners.
However, dig output can validate that the SLDs in question do actually exist.
; <<>> DiG 9.16.13 <<>> @a.nic.net.mm. com.mm. NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44273
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;com.mm. IN NS

;; ANSWER SECTION:
com.mm. 86400 IN NS d.nic.net.mm.
com.mm. 86400 IN NS a.nic.net.mm.
com.mm. 86400 IN NS b.nic.net.mm.
com.mm. 86400 IN NS c.nic.net.mm.

;; Query time: 17 msec
;; SERVER: 37.209.192.4#53(37.209.192.4)
;; WHEN: Tue Sep 28 13:56:39 PDT 2021
;; MSG SIZE rcvd: 109

; <<>> DiG 9.16.13 <<>> @a.nic.net.mm. edu.mm. NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43459
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;edu.mm. IN NS

;; ANSWER SECTION:
edu.mm. 86400 IN NS b.nic.net.mm.
edu.mm. 86400 IN NS d.nic.net.mm.
edu.mm. 86400 IN NS a.nic.net.mm.
edu.mm. 86400 IN NS c.nic.net.mm.

;; Query time: 14 msec
;; SERVER: 37.209.192.4#53(37.209.192.4)
;; WHEN: Tue Sep 28 13:56:40 PDT 2021
;; MSG SIZE rcvd: 109

; <<>> DiG 9.16.13 <<>> @a.nic.net.mm. gov.mm. NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4439
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;gov.mm. IN NS

;; ANSWER SECTION:
gov.mm. 86400 IN NS a.nic.net.mm.
gov.mm. 86400 IN NS b.nic.net.mm.
gov.mm. 86400 IN NS c.nic.net.mm.
gov.mm. 86400 IN NS d.nic.net.mm.

;; Query time: 15 msec
;; SERVER: 37.209.192.4#53(37.209.192.4)
;; WHEN: Tue Sep 28 13:56:40 PDT 2021
;; MSG SIZE rcvd: 109

; <<>> DiG 9.16.13 <<>> @a.nic.net.mm. net.mm. NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12333
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;net.mm. IN NS

;; ANSWER SECTION:
net.mm. 86400 IN NS b.nic.net.mm.
net.mm. 86400 IN NS c.nic.net.mm.
net.mm. 86400 IN NS d.nic.net.mm.
net.mm. 86400 IN NS a.nic.net.mm.

;; Query time: 14 msec
;; SERVER: 37.209.192.4#53(37.209.192.4)
;; WHEN: Tue Sep 28 13:56:40 PDT 2021
;; MSG SIZE rcvd: 109

; <<>> DiG 9.16.13 <<>> @a.nic.net.mm. org.mm. NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63649
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;org.mm. IN NS

;; ANSWER SECTION:
org.mm. 86400 IN NS b.nic.net.mm.
org.mm. 86400 IN NS c.nic.net.mm.
org.mm. 86400 IN NS d.nic.net.mm.
org.mm. 86400 IN NS a.nic.net.mm.

;; Query time: 14 msec
;; SERVER: 37.209.192.4#53(37.209.192.4)
;; WHEN: Tue Sep 28 13:56:40 PDT 2021
;; MSG SIZE rcvd: 109

make test

Make test was done and all the results were "pass".

@dnsguru dnsguru changed the title Brian Peter Dickson -- mm SLDs additions Update .mm SLDs additions Sep 29, 2021
@dnsguru dnsguru self-assigned this Sep 29, 2021
@dnsguru dnsguru added the ❌FAIL - DNS VALIDATION Unable to confirm _PSL TXT = This PR # (also see #1439) label Sep 29, 2021
@dnsguru dnsguru linked an issue Sep 29, 2021 that may be closed by this pull request
How to help vs "help" maintain the list - _psl txt record DNS validation crucial #1439
Open
@dnsguru dnsguru removed a link to an issue Sep 29, 2021
How to help vs "help" maintain the list - _psl txt record DNS validation crucial #1439
Open
@dnsguru
Copy link
Member

dnsguru commented Oct 19, 2021

Closing, see #1439 - the DNS Validation portion of this is crucial to any changes in the 'ICANN section'. The time and focus / attention are appreciated @brian-peter-dickson - these can be re-opened if the NIC adds validation entries into the DNS so these can be verified.

@dnsguru dnsguru closed this Oct 19, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@dnsguru dnsguru

Labels
❌FAIL - DNS VALIDATION Unable to confirm _PSL TXT = This PR # (also see #1439)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@brian-peter-dickson @dnsguru @bdickson1-godaddy