Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

Michael StJohns <msj@nthpermutation.com> Thu, 15 December 2016 17:10 UTC

To: dnsop@ietf.org
References: <4ab2a538-603e-4e7a-3be9-ad75ed459006@bellis.me.uk> <B192A1B3-03FF-43D1-AD30-12BBA2D65DF0@gmail.com> <9fe0e34d-51e9-bdf3-a650-d8b3681f1cd8@bellis.me.uk> <CAPt1N1=Z2xERw68-=iFGgYYnEO3eDW-8tvhmTmaf4+vU-24grQ@mail.gmail.com> <C059877D829F76429F49E0B48705D888F7FD2C7B@EXCH-01.CORP.CIRA.CA> <CA+nkc8Aj=Ut1-Wp1nu--9WYNNwWjoa6BnpdgazWYTOBLMwRyNQ@mail.gmail.com> <7e907b95-7c00-136d-6632-46ecac0f2edb@bellis.me.uk>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <f6040827-d9a9-4158-6f3e-efb5e30f8d4a@nthpermutation.com>
Date: Thu, 15 Dec 2016 12:10:28 -0500
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1
MIME-Version: 1.0
In-Reply-To: <7e907b95-7c00-136d-6632-46ecac0f2edb@bellis.me.uk>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/9sNSgKVTC6-ITn7hLCYsOKRv3bw>
Subject: Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

On 12/15/2016 11:59 AM, Ray Bellis wrote:
>
> On 15/12/2016 16:57, Bob Harold wrote:
>> If an insecure delegation can be made in the root, then could a local
>> trust anchor be used by those who want their .homenet domain DNSSEC
>> validated?
> That's what I would have expected to happen.

Actually, you probably want to make a secure delegation to an empty 
zone, so you can resolve the stuff that belongs to "." securely (e.g. 
prove that .homenet exists).  THEN you place a trust anchor specifically 
for .homenet to override the values you get from a homenet DS record in ".".

I *think* that would work with most validating resolvers.  I seem to 
remember a big argument many years ago as to whether enclosed trust 
anchors were additive (to the encloser), ignored (because they were 
enclosed), or overrode (replaced the encloser) for that branch of the 
tree but I don't remember the outcome or whether it became canon.

Mike


>
>> That seems easier than sharing keys or creating subdomains with
>> nsupdate.  But I don't know much about trust anchors.
> Shared keys would be a nightmare.
>
> Ray
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
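An added illustration of the three trust-anchor policies Mike lists (additive, ignored, override). This is example code written for this archive page; it is not code from any resolver and does not claim to settle which policy real validators implement. The anchor names, the `Policy` enum and the `anchors_for` helper are assumptions made for the illustration, and the key descriptions are constructed placeholders. It also covers one edge case the thread does not spell out: enclosure must be decided on whole labels, so a local anchor for `homenet.` must not be taken to cover a name such as `host.myhomenet.`.

```python
"""Model of how a validator might choose trust anchors for a queried name.

Added illustration for the thread above, not code from any resolver.
The three policies are the ones listed in the message: an enclosed trust
anchor may be ADDITIVE to the enclosing one, IGNORED in favour of it, or
OVERRIDE it for that branch of the tree.
"""
from enum import Enum


class Policy(Enum):
    ADDITIVE = "additive"   # consult every covering anchor, deepest first
    IGNORED = "ignored"     # enclosed anchors are ignored; outermost wins
    OVERRIDE = "override"   # closest enclosing anchor replaces the outer one


# Constructed sample configuration: a root anchor plus a local override
# for .homenet, as suggested in the message. Values are placeholders.
ANCHORS = {
    ".": "root KSK (constructed placeholder)",
    "homenet.": "locally configured homenet KSK (constructed placeholder)",
}


def labels(name):
    """Split a presentation-format name into labels: 'a.homenet.' -> ['a', 'homenet'], '.' -> []."""
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def is_enclosed(name, anchor):
    """True when `anchor` is `name` itself or one of its ancestors.

    Compares whole labels rather than string suffixes, so an anchor at
    'homenet.' does not cover 'host.myhomenet.'.
    """
    n, a = labels(name), labels(anchor)
    return len(a) <= len(n) and n[len(n) - len(a):] == a


def anchors_for(name, anchors, policy):
    """Return the anchor owner names a validator would use for `name`.

    The result is ordered deepest (closest encloser) first. With no covering
    anchor at all the name cannot be validated and an empty list is returned.
    """
    covering = sorted(
        (a for a in anchors if is_enclosed(name, a)),
        key=lambda a: len(labels(a)),
        reverse=True,
    )
    if not covering:
        return []
    if policy is Policy.ADDITIVE:
        return covering
    if policy is Policy.OVERRIDE:
        return covering[:1]
    if policy is Policy.IGNORED:
        return covering[-1:]
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    for qname in ("printer.homenet.", "www.example.", "host.myhomenet."):
        for policy in Policy:
            used = anchors_for(qname, ANCHORS, policy)
            print(f"{qname:18} {policy.value:9} -> {used}")
```

Under the override policy the local `homenet.` anchor is the only one consulted for names under `.homenet`, which is the effect the message describes: the DS record published in "." is bypassed for that branch while names elsewhere still validate from the root anchor. Under the ignored policy the local anchor has no effect and a signed delegation in "." would have to match the local zone's keys.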