IETF Logo Mail Archive

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

Jacques Latour <jacques.latour@cira.ca> Thu, 15 December 2016 16:05 UTC

Return-Path: <jacques.latour@cira.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B47CF129FC8; Thu, 15 Dec 2016 08:05:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.496
X-Spam-Level:
X-Spam-Status: No, score=-5.496 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-2.896, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 56mufNPLXEwG; Thu, 15 Dec 2016 08:05:51 -0800 (PST)
Received: from mx2.cira.ca (mx2.cira.ca [192.228.22.117]) by ietfa.amsl.com (Postfix) with ESMTP id 3684D12A003; Thu, 15 Dec 2016 08:05:50 -0800 (PST)
X-Virus-Scanned: by SpamTitan at corp.cira.ca
Received: from EXCH-01.CORP.CIRA.CA ([fe80::2073:dbc0:bb14:ab50]) by EXCH-02.CORP.CIRA.CA ([fe80::3c25:d5f2:72b8:e35c%17]) with mapi id 14.03.0319.002; Thu, 15 Dec 2016 11:05:49 -0500
From: Jacques Latour <jacques.latour@cira.ca>
To: Ted Lemon <mellon@fugue.com>, HOMENET <homenet@ietf.org>, "dnsop@ietf.org WG" <dnsop@ietf.org>
Thread-Topic: [homenet] WGLC on "redact" and "homenet-dot"
Thread-Index: AQHSQVQObsmgTk+n30i4l0b47tL3gqDjxrEAgA/BngCAEWajAIAEUYbw
Date: Thu, 15 Dec 2016 16:05:48 +0000
Message-ID: <C059877D829F76429F49E0B48705D888F7FD2C7B@EXCH-01.CORP.CIRA.CA>
References: <4ab2a538-603e-4e7a-3be9-ad75ed459006@bellis.me.uk> <B192A1B3-03FF-43D1-AD30-12BBA2D65DF0@gmail.com> <9fe0e34d-51e9-bdf3-a650-d8b3681f1cd8@bellis.me.uk> <CAPt1N1=Z2xERw68-=iFGgYYnEO3eDW-8tvhmTmaf4+vU-24grQ@mail.gmail.com>
In-Reply-To: <CAPt1N1=Z2xERw68-=iFGgYYnEO3eDW-8tvhmTmaf4+vU-24grQ@mail.gmail.com>
Accept-Language: en-US, en-CA
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.16.4.142]
Content-Type: multipart/alternative; boundary="_000_C059877D829F76429F49E0B48705D888F7FD2C7BEXCH01CORPCIRAC_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/D-BDrTmO1NajZiaqW84sB3PXXOY>
Subject: Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Dec 2016 16:05:53 -0000

Ted, very clear summary, thank you.

I read the DNSSEC related homenet and dnsop comments and I don’t see how you can have DNSSEC validation for a homenet without a properly signed & delegated domain.  If we want a one shoe fits all solution then we need to have a single common domain used by all homenet, and all homenet need to use/share the same private homenet DNSSEC keys where these common keys can be validated against a common DS record inside the { homenet. home. homenet.arpa. etc } domain.

I think homenet users should have the choice of a generic homenet domain (as above, essentially an unsecure domain) or have the choice to use their own domain name for their homenet, ‘myhome.ca’ along with their own private keys and all. One domain per household. Then you could use your ‘myhome.ca’ DNSSEC infrastructure to secure your home IoT devices ☺

Where do you delegate homenet to? Advanced DNSSEC validation may check for proper delegation?

My 2 cents.

Jacques




From: homenet [mailto:homenet-bounces@ietf.org] On Behalf Of Ted Lemon
Sent: December-12-16 10:46 AM
To: HOMENET
Subject: Re: [homenet] WGLC on "redact" and "homenet-dot"

One thing that I think the working group should be aware of, although I don't know if this awareness will change anything, is that the situation with the .homenet allocation is less simple than we would prefer: it's not really simply a matter of adding .homenet to the special use domain names registry.   The reason is that we need DNS resolution to work properly for domains under .homenet, and this has to work even if a host is doing DNSSEC validation.

At present, if you were to configure a homenet router with .home or .homenet as the local domain, this would work perfectly nicely until you turned on DNSSEC validation, at which point all the names in either hierarchy would disappear.   The reason for this is that the root zone provides proof of nonexistence for nonexistent names in that zone.

It is possible to address this problem by requesting ICANN to put an insecure delegation in the root zone.   The problem is that from a process perspective, this is a _lot_ more heavyweight than doing a special-use domain name allocation, and has no guarantee of success.   This wasn't such an issue for .onion when we did it, because .onion _wants_ a secure denial of existence--we _never_ want a .onion query to actually happen if the name has been handed to a resolver that doesn't understand .onion explicitly.   This is not true for .homenet.

There are two approaches we can take to this.   One is to proceed--ask ICANN to do the delegation and see what happens.   The other is to take the more expedient, less satisfying approach: use .home.arpa instead of .homenet.   I'm not in love with this as an end solution, but it has the advantage that the IAB controls .arpa, and so we can get an unsecure delegation right away assuming the IAB agrees.   I see no reason to think they would not.   It's a bit more typing, and there is the problem that the fourth google result for arpa is "Advanced Research Projects Agency.   But it would work, and quickly, and would keep the whole process in the family.

The other alternative is to continue with the original plan: do the special-use names registry allocation, and send a liason to ICANN asking them to do the unsecure delegation.   The downside to this approach is that we won't know whether the outcome will be success or failure for a long time, possibly several years.   And the outcome could very well be failure.   The upside is that we get the name we all want; the downside is that we are a long way down the road with no win.

I should point out that whichever way we go, we already have solved the immediate problem: we have a name that HNCP can use, the potential liability for IETF is dealt with, and our prototypes can be made to work.   So I am personally okay with either decision.   Our AD, Terry, may have more of a sense of what ICANN will do (but to some extent he really can't know, because it's up to committees within ICANN to actually make this decision).   I'm mentioning this now not to derail the process, but simply to make it really clear what our expectations should be.   The reason that this didn't come up in Seoul is that it didn't actually click for me that we had a serious problem until several of us were chatting on the way out of the room, after the working group had already decided to proceed.

On Thu, Dec 1, 2016 at 9:02 AM, Ray Bellis <ray@bellis.me.uk<mailto:ray@bellis.me.uk>> wrote:


On 21/11/2016 13:25, Ralph Droms wrote:
> (Updated comments on draft-ietf-homenet-dot originally posted prior to the WG last call)

Thanks Ralph.

I'd like to remind the WG that the LC is due to run until Friday
December 16th, so please anyone else with comments please get them in.

Ray

_______________________________________________
homenet mailing list
homenet@ietf.org<mailto:homenet@ietf.org>
https://www.ietf.org/mailman/listinfo/homenet

v2.23.0 | Report a Bug | By Email