Re: [DNSOP] DNSSEC in local networks

Mark Andrews <marka@isc.org> Mon, 04 September 2017 20:45 UTC

To: "Walter H." <walter.h@mathemainzel.info>
Cc: Jim Reid <jim@rfc1035.com>, dnsop WG <dnsop@ietf.org>
From: Mark Andrews <marka@isc.org>
References: <150428805872.6417.9525310755360551475@ietfa.amsl.com> <59A9B760.2060209@mathemainzel.info> <alpine.DEB.2.11.1709012044210.2676@grey.csi.cam.ac.uk> <59A9BCA2.6060008@mathemainzel.info> <20170903043202.GA18082@besserwisser.org> <59AC4E42.9080600@mathemainzel.info> <60304450-DFA3-4982-B01D-CC33C49BDCFC@isc.org> <59f8c88caaf82a5884aa87223d49e7e4.1504505559@squirrel.mail> <3B75D240-13B9-4A94-B56D-24E83B4A4A8F@rfc1035.com> <3fe7bc511a990b0288b645dc176e1ef3.1504515284@squirrel.mail> <20170904090455.4249F8411CFC@rock.dv.isc.org> <c0c73dab49c6452c616c86656704ecd0.1504518603@squirrel.mail> <20170904122222.C270F8413534@rock.dv.isc.org> <efe320cf9580d4c1bb2b26dd1c294306.1504529679@squirrel.mail>
In-reply-to: Your message of "Mon, 04 Sep 2017 14:54:39 +0200." <efe320cf9580d4c1bb2b26dd1c294306.1504529679@squirrel.mail>
Date: Tue, 05 Sep 2017 06:45:49 +1000
Message-Id: <20170904204549.A05018415E35@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/2HmJWaFaa_X2eLH11zB1KXB6Ulc>
Subject: Re: [DNSOP] DNSSEC in local networks

In message <efe320cf9580d4c1bb2b26dd1c294306.1504529679@squirrel.mail>, "Walter
 H." writes:
> On Mon, September 4, 2017 14:22, Mark Andrews wrote:
> >
> > In message <c0c73dab49c6452c616c86656704ecd0.1504518603@squirrel.mail>,
> > "Walter H." writes:
> >> where there anyone who said: "don't use it", 15 years ago?
> >
> > Yes.  There were lots that discouraged the use of .local, .lan,
> > .corp etc.  Just because you didn't hear from them doesn't mean
> > they weren't out there.
> 
> a discouragement is not a "don't use" :-)

We gave them fair warning that any domain they chose could be
allocated in the future.  We gave them the advice you have been
getting today: use a zone registered to them.  They, like you are
today, are ignoring the advice.

> >> > 'home.arpa' is in the process of being registered so that it
> >> > can be used safely in the environment it is designed to be used in.
> >>
> >> yes, but commonly for residential networks, not company/enterprise
> >> networks; they want/need something shorter like ".corp", ".lan", ".local", ...
> >
> > Want maybe, need absolutely not.
> 
> question: why isn't this the answer of a car dealer?

Because the car dealer is trying to take as much money off you as
they can.  We, on the other hand, are trying to save you money by
stopping you and everyone else from getting into situations that will
cost you/them thousands of dollars to rectify in the future.

> > Everyone was told to register the domain you want to use, there was
> > no exception for active directory.
> 
> not really, at those days only a few TLDs were possible, the many TLDs
> came some years later ...

People were wanting to deploy more TLDs from the moment the Internet
was opened up to the public.

> by the way: where is the problem with .home or .corp?
> I ask this, because at my hoster I pre-reserved my "local domain" - a
> .home, that I have used for many years several years ago and nothing
> happened ...
> 
> > IPv6 would have been deployed a lot sooner. :-)
> 
> not really, my ISP is still IPv4 only ..., my IPv6 connectivity is a
> HE-tunnel ...
> and the brand new OS from Microsoft still has the bugs inside: TEREDO, ...
> which I had to deactivate first, before it is usable with IPv6 at all ...

If you didn't have the relief valve of RFC 1918 addresses then yes
IPv6 would have come a lot quicker and stuff like TEREDO wouldn't
exist.

> > Except such systems exist.  Go look at what a Mac does.  ping for
> > test.local and look at port 5353 traffic and compare it to port 53
> > traffic.
> 
> I know, this RFC was written by Apple;
> 
> no Apple no problem, I would say :-)
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
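Added example, not part of Mark Andrews's or Walter H.'s messages: a small Python script that encodes the advice in this thread as checks an administrator can run before picking a suffix for a local network. It classifies a candidate suffix against the special-use registrations the thread refers to (.local under RFC 6762, home.arpa under RFC 8375, the RFC 6761 names) and against the strings ICANN deferred from delegation because of private-use collisions (.corp, .home, .mail), and it builds the actual wire-format query to show where an RFC 6762-aware host such as a Mac sends a query for test.local (multicast 224.0.0.251, port 5353) versus an ordinary name (the unicast resolver, port 53), which is the port 5353 versus port 53 comparison suggested above. The resolver address 192.0.2.53 is a documentation placeholder and an assumption of the example; the script does not check whether a zone is actually registered to you, which is something only the registry can answer.

```python
"""Added example: classify a private-network DNS suffix and show where an
RFC 6762-aware host actually sends a query for it.

Rules used (assumptions drawn from the cited RFCs, not from the thread):
  RFC 6761  fixed-meaning names: localhost, invalid, test, example
  RFC 6762  .local is Multicast DNS: queries go to 224.0.0.251 port 5353
  RFC 8375  home.arpa is the registered suffix for residential networks
  ICANN name-collision work: .corp, .home and .mail were deferred from
            delegation indefinitely because of widespread private use
The resolver address 192.0.2.53 is a documentation placeholder (RFC 5737).
"""
from __future__ import annotations

import struct

MDNS_GROUP = ("224.0.0.251", 5353)       # RFC 6762 section 3
UNICAST_RESOLVER = ("192.0.2.53", 53)    # placeholder resolver (assumption)

RFC6761_TLDS = {"localhost", "invalid", "test", "example"}
COLLISION_DEFERRED = {"corp", "home", "mail"}


def _labels(name: str) -> list[str]:
    """Lower-cased labels of a name, ignoring a trailing dot and empty labels."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def classify_suffix(suffix: str) -> tuple[str, str]:
    """Return (category, reason) for a suffix someone wants to use on a LAN."""
    labels = _labels(suffix)
    if not labels:
        return ("invalid", "empty name")
    if labels[-2:] == ["home", "arpa"]:
        return ("special-use",
                "home.arpa is registered for residential networks (RFC 8375)")
    tld = labels[-1]
    if tld == "local":
        return ("mdns", ".local belongs to Multicast DNS (RFC 6762); "
                        "mDNS-aware hosts will not ask your unicast server")
    if tld in RFC6761_TLDS:
        return ("special-use",
                f".{tld} has a fixed meaning under RFC 6761, not a LAN suffix")
    if tld in COLLISION_DEFERRED:
        return ("collision-risk",
                f".{tld} was deferred from delegation by ICANN because of "
                "name-collision risk; private use is exactly the problem")
    return ("unverified",
            f".{tld} is not special-use; it may be delegated later "
            "unless the zone is registered to you")


def build_query(name: str, qtype: int = 1, txid: int = 0x1234,
                mdns: bool = False) -> bytes:
    """DNS wire-format query (RFC 1035 section 4.1), QTYPE default A.

    For a multicast query (RFC 6762 section 18) the ID is sent as zero and
    the RD bit is clear; a unicast stub query carries an ID and sets RD.
    """
    header = struct.pack("!HHHHHH",
                         0 if mdns else txid,
                         0x0000 if mdns else 0x0100,  # flags: RD only
                         1, 0, 0, 0)                   # QDCOUNT=1, rest 0
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in _labels(name)) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def query_plan(name: str) -> tuple[str, int, bytes]:
    """Where an RFC 6762-aware host sends the query for name, plus the bytes."""
    if _labels(name)[-1:] == ["local"]:
        ip, port = MDNS_GROUP
        return (ip, port, build_query(name, mdns=True))
    ip, port = UNICAST_RESOLVER
    return (ip, port, build_query(name))


if __name__ == "__main__":
    for s in ("home.arpa", "corp", "lan", "test.local", "example.com"):
        cat, why = classify_suffix(s)
        print(f"{s:12} -> {cat:14} {why}")
    for n in ("test.local", "www.example.com"):
        ip, port, wire = query_plan(n)
        print(f"{n:16} -> {ip}:{port}  {wire.hex()}")
```

Run it and compare the two destinations printed for test.local and www.example.com with what `tcpdump -n udp port 5353 or udp port 53` shows while you `ping test.local` on a Mac: the .local query never reaches the unicast server, which is why a zone called .local on an internal DNS server is unreachable from those hosts.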