IETF Logo Mail Archive

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

Steve Crocker <steve@shinkuro.com> Thu, 15 December 2016 19:23 UTC

Return-Path: <steve@shinkuro.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11B3A1299EE; Thu, 15 Dec 2016 11:23:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.795
X-Spam-Level:
X-Spam-Status: No, score=-4.795 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-2.896, SPF_HELO_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VRy8CfEOqJqJ; Thu, 15 Dec 2016 11:23:02 -0800 (PST)
Received: from execdsl.com (remote.shinkuro.com [50.56.68.178]) by ietfa.amsl.com (Postfix) with ESMTP id 8228B129862; Thu, 15 Dec 2016 11:23:02 -0800 (PST)
Received: from dummy.name; Thu, 15 Dec 2016 19:23:01 +0000
Content-Type: multipart/alternative; boundary="Apple-Mail=_46A11758-7813-4C87-A61F-5D848D66D218"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Steve Crocker <steve@shinkuro.com>
In-Reply-To: <4A870505-070B-4065-B360-5A98485E4CEB@fugue.com>
Date: Thu, 15 Dec 2016 14:23:00 -0500
Message-Id: <313759CF-B72F-401D-BA26-79C214C30686@shinkuro.com>
References: <4ab2a538-603e-4e7a-3be9-ad75ed459006@bellis.me.uk> <B192A1B3-03FF-43D1-AD30-12BBA2D65DF0@gmail.com> <9fe0e34d-51e9-bdf3-a650-d8b3681f1cd8@bellis.me.uk> <CAPt1N1=Z2xERw68-=iFGgYYnEO3eDW-8tvhmTmaf4+vU-24grQ@mail.gmail.com> <C059877D829F76429F49E0B48705D888F7FD2C7B@EXCH-01.CORP.CIRA.CA> <4A870505-070B-4065-B360-5A98485E4CEB@fugue.com>
To: Ted Lemon <mellon@fugue.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/KRwmXlEJ9KEj0MQGHdqQNcjAqLc>
Cc: "Stephen D. Crocker" <steve@shinkuro.com>, HOMENET <homenet@ietf.org>, Jacques Latour <jacques.latour@cira.ca>, "dnsop@ietf.org WG" <dnsop@ietf.org>
Subject: Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Dec 2016 19:23:05 -0000

Ted,

I am truly confused by your note.  I sense I am missing something fundamental.

See specific questions below.

Thanks,

Steve

> On Dec 15, 2016, at 12:20 PM, Ted Lemon <mellon@fugue.com> wrote:
> 
> On Dec 15, 2016, at 11:05 AM, Jacques Latour <jacques.latour@cira.ca <mailto:jacques.latour@cira.ca>> wrote:
>> Where do you delegate homenet to? Advanced DNSSEC validation may check for proper delegation?  
> 
> I think we should ask ICANN to set up an unsecured delegation of .homenet to the AS112 servers.

I don’t understand what is meant by an “unsecured delegation.”  I also don’t understand what sort of delegation you want, irrespective of whether DNSSEC is involved.

I think there are two very big hurdles implicit in “I think we should ask ICANN to set up …”  One is the technical hurdle of whether this is a sensible thing technically with respect to the security and stability of the Internet.  It will take a fairly long time and a lot of analysis for ICANN to get comfortable with such a result, and I would not count on a positive outcome.

That’s the first hurdle.  The second hurtle may be even harder.  The only existing procedures for adding new delegations to the root are for:

o New ccTLDs, i.e. when new countries are created and get two letter codes from the ISO 3166 Maintenance Agency;

o New IDN ccTLDs via the Fast Track; and

o New gTLDs through the gTLD process.

The first two would not apply.  The window for the third was closed a while ago and we are studying when and how to reopen the window.  The process is geared toward prospective operators of registries.  A substantial fee is required, and an even more substantial investment in registry operation is required.

I suspect what’s intended here is something qualitatively different, e.g. some sort of entry in the root that returns a fixed result, not a pointer to name servers.  Aside from the technical questions I mentioned above, we would also have to sort out the policy questions, e.g. what are the rules for accepting such requests, what happens if there are competing requests, and perhaps others that aren’t occurring to me as I write this.

>   In order for names under .homenet to be validated by DNSSEC, it would be necessary for the validating resolver to have a trust anchor for any homenet on which it wants to do validation, and a means of differentiating between home nets so that it doesn’t use the wrong key to validate.

Yes, but the way the sentence is written suggests this would difficult or odd.  In a homenet environment, if you have a local name server responding to requests as an authority, it can sign those requests as the authority.  The requesting resolver will have to have the public key associated with the authority.  This is a configuration matter.  When the requesting resolver is told which resolver on the edge of the homenet is authoritative for the homenet environment, it should also learn that resolver’s public key.  This seems like a DHCP issue.

>   But that’s out of scope for this discussion: the point of this discussion is simply to figure out whether we want to do the hard thing or the easy thing: .homenet or home.arpa.

I don’t see a difference between .homenet or home.arpa in this regard.

v2.23.0 | Report a Bug | By Email