Re: [DNSOP] WG review of draft-ietf-homenet-dot-03

Steve Crocker <steve@shinkuro.com> Mon, 20 March 2017 20:57 UTC

Return-Path: <steve@shinkuro.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 857F41293DF for <dnsop@ietfa.amsl.com>; Mon, 20 Mar 2017 13:57:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YuCG11g8Y8Nl for <dnsop@ietfa.amsl.com>; Mon, 20 Mar 2017 13:57:21 -0700 (PDT)
Received: from execdsl.com (remote.shinkuro.com [50.56.68.178]) by ietfa.amsl.com (Postfix) with ESMTP id 352B8128954 for <dnsop@ietf.org>; Mon, 20 Mar 2017 13:57:21 -0700 (PDT)
Received: from dummy.name; Mon, 20 Mar 2017 20:57:20 +0000
Content-Type: multipart/alternative; boundary="Apple-Mail=_CA31479A-90A7-4D0A-8720-41CC7CDA93FA"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Steve Crocker <steve@shinkuro.com>
In-Reply-To: <734EC35A-4B1F-43EB-BE37-C34CA46BDA26@fugue.com>
Date: Mon, 20 Mar 2017 16:57:19 -0400
Cc: "Stephen D. Crocker" <steve@shinkuro.com>, Russell Housley <housley@vigilsec.com>, dnsop <dnsop@ietf.org>, Ralph Droms <rdroms.ietf@gmail.com>, Terry Manderson <terry.manderson@icann.org>
Message-Id: <203D2BEA-1008-48A0-9CE2-1FD621C6117F@shinkuro.com>
References: <1E14B142-680B-4E30-809B-68E03EB6E326@gmail.com> <61FD3EE3-3043-4AB1-9823-6A9D61B1438C@vigilsec.com> <BE2A3845-D8AA-433A-9F00-1056ECFD335F@fugue.com> <21C8F856-FE3F-42A6-A8ED-888D0797B68B@vigilsec.com> <60C85486-E351-4C42-ADEB-FCBB56F4EA27@fugue.com> <AB11455F-7E43-4CB3-9F13-DB6A09F739EB@vigilsec.com> <CEC8CC6A-861A-471C-B7FA-4BB05C81CCF0@gmail.com> <F7AA49EF-2708-4948-9B60-6660DA6BC841@vigilsec.com> <734EC35A-4B1F-43EB-BE37-C34CA46BDA26@fugue.com>
To: Ted Lemon <mellon@fugue.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/8V6_pFPuF9NUBO60Ubr8-3qTTGs>
Subject: Re: [DNSOP] WG review of draft-ietf-homenet-dot-03
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Mar 2017 20:57:24 -0000

Ted, et al,

I’ve been watching this dialog and staying silent, but since I’m referenced and quoted directly, let me offer some points.

First, neither my opinion as an individual nor my opinion as an official of ICANN should be considered definitive, normative or otherwise compelling except and unless the substance of what I say makes sense.  (Well, I guess when I speak officially as chair of ICANN’s board, it’s been coordinated and approved in advance and carries the weight of the organization, but I haven’t spoken in that capacity on this subject and I expect that if and when ICANN does speak officially on this subject, it’s likely to come from others.)

Second, speaking as an observer and with some familiarity with DNS, DNSSEC and with the process related to entering strings into the root zone, the homenet sequence seems backwards to me.  I would have expected the coordination to happen before or during the working group.  If the homenet spec is approved as a proposed standard but there’s no agreement to put .homenet into the root or there is a glitch somewhere else in the coordination, the IETF will be in the position of having published an unimplementable standard.  Running code is the hallmark of the IETF and a primary distinguishing characteristic, so I’m surprised and puzzled if this is the path the IETF is taking.

Third, having now read the homenet spec, I see what the point is, but I can also see a bunch of questions.  It looks like the idea is to establish a local DNS tree that is good only within a home or similar contained environment.  This is analogous to a 192.168.x.x environment.  To make this work, ignoring DNSSEC for a minute, it seems to me the DNS queries have to go to a DNS resolver that is acting as a local authoritative server for .homenet.  This is problematic because there are often multiple DNS stub resolvers operating within a single machine, and there’s no guarantee they will send their queries to a particular local DNS server.  The only way I see to force the issue is to intercept all queries headed for port 53 outside the local environment and examine them for .homenet.

Fourth, I’m not sure I understand what the issue is with DNSSEC.  If the queries are intercepted locally and if you trust the internal environment — an assumption you might want to ponder carefully as internal environments become ever more complicated and populated by devices and software from many, many sources — DNSSEC doesn’t come into play.  If the queries are not intercepted locally, you’ll get the official answer, viz NXDOMAIN.  I gather you want something else, and perhaps I didn’t read carefully enough to understand what that something else is and why it would be helpful.

What emerged most clearly for me in reading the homenet spec is the apparent desire to have a locally served domain, which seems similar in some respects to a classic split domain, and the real challenge, as best I can see, is characterizing the perimeter and internal topology.

And returning to the first point, let’s do indeed get people together to understand how the parts are supposed to fit together.  Over at ICANN we try very hard to be of service and we also take the security and stability of the DNS, and particularly the root, very seriously.  A non-standard request is almost going to be the beginning of lengthy discussion.  Our mind set will be aimed at getting it right, not arguing about who’s in charge.

Steve



> On Mar 20, 2017, at 4:15 PM, Ted Lemon <mellon@fugue.com> wrote:
> 
> On Mar 20, 2017, at 3:44 PM, Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com>> wrote:
>> This document does not describe a collaborative approach.
> 
> The document specifies what the working group needs to have happen in order for the specification to work.   How the collaboration happens is out of scope for the homenet working group.   The working group understands that a process needs to be invented, and I believe that the document says so.
> 
>> Steve Crocker has already stated that he does not believe that entries that cannot be DNSSEC signed belong in the DNS root zone.  I know that others share this view.  For this reason, I do not think that the IETF should approve a document that specifies this processing until the root zone publication process is successful.
> 
> 
> Yes, I understand that Steve Crocker has said this.   And perhaps Steve Crocker's opinion should be considered normative.   However, like you, Steve didn't give a technical reason why this policy must be applied universally, even in the case of technical uses.
> 
> We have a legitimate question to answer here.   It seems reasonable to say that under the MoU, the IETF can designate a name for the use that homenet is trying to designate.   Maybe the IETF consensus will be that the IETF should not designate this particular use.   But it doesn't make sense to me that the IETF should decide not to try to do what the working group thinks is the right thing technically, because the process for doing this thing is not yet known.   If the IETF doesn't try to do this, the process will never be known.   So I don't see how this can be a valid technical objection to going forward with the proposal.
> 
>> Further, the intent is that .homenet will be used with the DNS protocol.  Section 3 of the document makes it very clear that users, applications, resolution APIs, and most resolvers will not to treat that domain name in a special in any way.  For this reason, I do not think it meets the definition of a special-use domain name in RFC 6761, which says:
>> 
>>    ... if a domain name has special properties that affect the
>>    way hardware and software implementations handle the name, that apply
>>    universally regardless of what network the implementation may be
>>    connected to, then that domain name may be a candidate for having the
>>    IETF declare it to be a Special-Use Domain Name and specify what
>>    special treatment implementations should give to that name.
>> 
>> So, I think that the desired outcome requires the use of the existing process to get it registered in the root zone and some standards-track RFC to describe the environment where:
>> 
>>        … Only a DNS server that is authoritative for the root ('.') or is
>>        configured to be authoritative for '.homenet' or a subdomain of
>>        '.homenet' will ever answer a query about '.homenet.’
> 
> I don't think this is a correct reading of RFC 6761.   If it were, we could drop most of the considerations in section 5 of the document.
> 
> As for the process, it may be that in the end, ICANN pushes back and says no, absolutely not, we won't do this.   But when they say that, they will give a reason.   It is their decision to make, not ours, as long as they don't violate the MoU.   Our decision is whether or not to ask them to make this decision.
> 
> Maybe there is a good reason not to ask them.   If so, you haven't yet stated that reason.
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop