Re: [DNSOP] WG review of draft-ietf-homenet-dot-03

Mark Andrews <marka@isc.org> Tue, 21 March 2017 06:09 UTC

To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
From: Mark Andrews <marka@isc.org>
References: <CAH1iCioEAfgS-Efj1OYsL1vG4STnwod=ARrtEKWsHYMCzRdq-Q@mail.gmail.com>
In-reply-to: Your message of "Mon, 20 Mar 2017 15:08:43 -0700." <CAH1iCioEAfgS-Efj1OYsL1vG4STnwod=ARrtEKWsHYMCzRdq-Q@mail.gmail.com>
Date: Tue, 21 Mar 2017 17:09:14 +1100
Message-Id: <20170321060914.F219F671BDF7@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/H8-YWmRlWuJaLM4sOFWdyisisXw>
Subject: Re: [DNSOP] WG review of draft-ietf-homenet-dot-03

In message <CAH1iCioEAfgS-Efj1OYsL1vG4STnwod=ARrtEKWsHYMCzRdq-Q@mail.gmail.com>, Brian Dickson writes:
> 
> > Hi,
> > The INT Area Director who oversees the homenet WG, Terry Manderson, has
> > asked DNSOP participants to review
> > https://www.ietf.org/id/draft-ietf-homenet-dot-03.txt, "Special Use Top
> > Level Domain '.homenet'", with the following aspects in mind:
> > 1) in terms of RFC6761
> > 2) in terms of the _operational_ position of an unsigned entry in the root
> > zone as requested in this document, to break the chain of trust for local
> > DNS resolution of .homenet names.
> >
> 
> I'd like to ask some questions about homenet and the TLD.
> 
> These are mostly clarification questions, but might (together) lead to an
> alternative solution.
> 
> 
>    1. The homenet TLD is intended to be used in such a way that queries
>    should never reach the root servers. Is this correct?

No.  Homenet DS are expected to reach the root.

>    2. The main issue driving the request for the insecure delegation, is
>    the ability to have a proof of insecurity anchored at the ICANN
>    root-of-trust, aka the KSK for the root zone. Is this correct?

Proof that homenet exists as a zone and that it is insecurely delegated.

>    3. Resolvers doing "homenet" need to be able to serve current "proof"
>    responses, whose signatures' validity periods are "current". Is this
>    correct?
>    4. What is required for the above, is generation of DNSSEC records
>    including RRSIG(NS), NSEC, and RRSIG(NSEC), for "homenet" TLD.

NSEC and RRSIG(NSEC).  The NS records at the delegation are unsigned.
There also need to be servers that respond with NXDOMAIN for names
below homenet and return NS and SOA RRsets for homenet that the
delegating NS records for homenet point to.

Below is invalid as it is built on an incorrect set of assumptions.

> Since the queries are never meant to reach the root servers, the presence
> or absence of "homenet" in the root is mostly moot.
>
> The only technical requirement is that suitable DNSSEC records be
> generated, and that the special-purpose homenet DNS resolvers are able to
> have up-to-date copies of these DNSSEC records.
> 
> As a technical matter, this does not require publishing these records in
> the root zone, although that would be one way of achieving the necessary
> requirement.
> 
> Perhaps the homenet WG folks could talk to the ICANN folks about ways of
> accomplishing the above, without the need for publishing the unsigned
> delegation in the root zone?
> 
> The benefit of not publishing, is that any queries that do hit the root
> servers, would get a signed NXDOMAIN, which IMHO is a more correct response.
> 
> (It also prevents the problem of what NS values would need to be used on
> the unsigned delegation.)
> 
> Brian
> 
> 
> 
> > This document is the product of the homenet WG, which has asked the IESG
> > to approve it for publication, so our comments are strictly advisory to the
> > IESG. There was some discussion of the draft on this list shortly after it
> > appeared, in November 2016, but it’s always the AD’s prerogative to ask for
> > additional review.
> >
> >
> > thanks,
> > Suzanne & Tim
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
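As an added example that is not part of this thread and not code posted by Mark or Brian: the check a validating resolver performs on the parent-side NSEC that Mark describes (NSEC plus RRSIG(NSEC) at the root, NS at the delegation unsigned), following RFC 4035 section 5.2 with the RFC 6840 section 4.4 clarification that the SOA bit must be clear. The NSEC records below are constructed sample data, not root-zone data; the `NSECRecord` class, the function names and the placeholder next-owner names are this example's own, and verification of the RRSIG over the NSEC is assumed to have been done separately. The bitmap encoder and decoder follow the window/bitmap wire format of RFC 4034 section 4.1.2 so the check runs on what actually comes back on the wire rather than on a pre-parsed type list.

```python
"""Prove (or fail to prove) an insecure delegation from a parent-side NSEC.

Added example. A validator that asks the root for "homenet. DS" and gets a
NODATA answer must decide whether the chain of trust legitimately ends at
homenet. It does so from the authenticated NSEC in the authority section:
owner name equals the delegation name, NS set, DS clear, SOA clear.
"""
from dataclasses import dataclass

# RR type codes from the IANA DNS parameters registry.
NS, SOA, DS, RRSIG, NSEC = 2, 6, 43, 46, 47


def encode_type_bitmap(types):
    """Encode RR types in the RFC 4034 s4.1.2 window/bitmap wire form."""
    out = b""
    for window in sorted({t >> 8 for t in types}):
        bits = bytearray(32)
        for t in types:
            if t >> 8 == window:
                low = t & 0xFF
                bits[low >> 3] |= 0x80 >> (low & 7)
        # Trailing all-zero octets are omitted; length is 1..32.
        length = max(i for i in range(32) if bits[i]) + 1
        out += bytes([window, length]) + bytes(bits[:length])
    return out


def decode_type_bitmap(data):
    """Decode the window/bitmap wire form back into a set of RR type codes."""
    types, i = set(), 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated NSEC type bitmap")
        window, length = data[i], data[i + 1]
        if not 1 <= length <= 32 or i + 2 + length > len(data):
            raise ValueError("bad NSEC bitmap window length")
        i += 2
        for octet_idx in range(length):
            octet = data[i + octet_idx]
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add((window << 8) | (octet_idx << 3) | bit)
        i += length
    return types


@dataclass
class NSECRecord:
    """Minimal NSEC RDATA: owner name, next owner name, type bitmap (wire)."""
    owner: str
    next_name: str
    bitmap: bytes


def canonical(name):
    """Lower-case, fully qualified form for owner-name comparison."""
    return name.lower().rstrip(".") + "."


def classify_delegation(delegation, nsec):
    """Classify a zone cut from the parent-side NSEC returned for a DS query.

    'insecure'         NS set, DS and SOA clear: unsigned delegation; the
                       child (here homenet) is treated as unsigned, not bogus.
    'secure'           DS set: a signed DS RRset is required, not an NSEC.
    'apex'             SOA set: this NSEC comes from a zone apex (for example
                       the child side of the cut) and proves nothing here.
    'not-a-delegation' owner exists but has no NS.
    'no-nsec-match'    NSEC owner is not the delegation name; RFC 4035 s5.2
                       needs an exact match at the delegation point.
    """
    if canonical(nsec.owner) != canonical(delegation):
        return "no-nsec-match"
    types = decode_type_bitmap(nsec.bitmap)
    if SOA in types:
        return "apex"
    if NS not in types:
        return "not-a-delegation"
    if DS in types:
        return "secure"
    return "insecure"


# Constructed sample: the parent-side NSEC a root server would hand back for
# an insecure "homenet." delegation. Next-owner names are placeholders.
HOMENET_NSEC = NSECRecord("homenet.", "next-tld.", encode_type_bitmap({NS, RRSIG, NSEC}))

# Constructed contrast cases.
SIGNED_TLD_NSEC = NSECRecord("homenet.", "next-tld.", encode_type_bitmap({NS, DS, RRSIG, NSEC}))
CHILD_APEX_NSEC = NSECRecord("homenet.", "a.homenet.", encode_type_bitmap({NS, SOA, RRSIG, NSEC}))
```

To use this on live data, fill `NSECRecord` from the NSEC in the authority section of a DS query to a root server (for example `dig +dnssec @a.root-servers.net DS homenet.`) after validating its RRSIG against the root KSK chain. The SOA check is what separates the root's NSEC for the delegation point from the apex NSEC a homenet-serving nameserver would itself return; without it a child-side NSEC could be mistaken for a parent-side proof.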