Re: [DNSOP] WG review of draft-ietf-homenet-dot-03

Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 21 March 2017 02:15 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7An3UMXvX7m7I_Z1dgI9b82n9x4>

On Mon, Mar 20, 2017 at 09:06:40PM -0400, Ted Lemon wrote:

> On Mar 20, 2017, at 8:48 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
> > FWIW, when adding DANE support to Postfix,
> 
> The homenet use case is completely different. Here we are talking about
> devices that routinely roam among operational domains with no basis for
> trust or even knowledge of the trustworthiness of the local resolver.

When I say "local", I don't mean on a nearby node on the local
network, I mean the loopback interface, i.e. a process on the same
device.

What's attractive here is that real resolvers (local to the same
device) already have the requisite feature-set, and there's no need
to augment stub resolvers with features already handled by local
recursive resolvers.  If a device is too dumb to run a separate
resolver process, I don't expect it'll have a trustworthy DNSSEC
implementation in its stub resolver.

-- 
	Viktor.