Re: [DNSOP] WG review of draft-ietf-homenet-dot-03

Ted Lemon <> Tue, 21 March 2017 01:25 UTC

From: Ted Lemon <>
Date: Mon, 20 Mar 2017 21:25:40 -0400
Cc: " WG" <>
To: Brian Dickson <>

I'm curious what Russ and Steve think about this as an alternative. It seems a bit byzantine to me, but I can't say that I object to it on principle. It does create a lot of extra work for ICANN, though, and it would be a bit more brittle than just doing an unsigned delegation: we now have to have some way to get current versions of these signatures into the homenet resolver.

Further comments inline.

On Mar 20, 2017, at 6:08 PM, Brian Dickson <> wrote:
> What is required for the above, is generation of DNSSEC records including RRSIG(NS), NSEC, and RRSIG(NSEC), for "homenet" TLD.

> Since the queries are never meant to reach the root servers, the presence or absence of "homenet" in the root is mostly moot.

> The only technical requirement is that suitable DNSSEC records be generated, and that the special-purpose homenet DNS resolvers are able to have up-to-date copies of these DNSSEC records.

> As a technical matter, this does not require publishing these records in the root zone, although that would be one way of achieving the necessary requirement.

> Perhaps the homenet WG folks could talk to the ICANN folks about ways of accomplishing the above, without the need for publishing the unsigned delegation in the root zone?

Strictly speaking I think this is something the IESG would have to do.  I don't object to this as a solution, but operationally I think it's a lot more work.   It may be that it's worth doing it, since it might be applicable to other special-use name allocations.

> The benefit of not publishing, is that any queries that do hit the root servers, would get a signed NXDOMAIN, which IMHO is a more correct response.

Yes.   I'm not sure that's enough to justify the extra work.
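To make the two outcomes in this exchange concrete (a signed NXDOMAIN for "homenet." built from root-zone NSEC data, versus the unsigned delegation the draft asks for), here is an added example. It is my illustration, not code from the thread, the homenet WG or any resolver. The NSEC chains are constructed slices, not the real root zone; the function names and the RRSIG timestamps are assumptions; and the code assumes the RRSIGs over the NSEC records have already been verified against the root trust anchor.

```python
"""
Added example (not from the thread or any homenet code): what a validating
resolver needs in order to turn cached root-zone NSEC/RRSIG data into a
signed NXDOMAIN for "homenet.", versus what an unsigned delegation yields.
The NSEC chains below are constructed for illustration; they are not the
real root zone, and the RRSIG timestamps are made up.
"""
from typing import Optional, Set, Tuple

NsecRR = Tuple[str, str, Set[str]]  # (owner, next owner, type bitmap)

# Constructed slice of a root-zone NSEC chain WITHOUT a "homenet." entry.
ROOT_NO_HOMENET = [
    (".", "aaa.", {"NS", "SOA", "RRSIG", "NSEC", "DNSKEY"}),
    ("aaa.", "home.", {"NS", "DS", "RRSIG", "NSEC"}),
    ("home.", "homes.", {"NS", "DS", "RRSIG", "NSEC"}),
    ("homes.", "zw.", {"NS", "DS", "RRSIG", "NSEC"}),
    ("zw.", ".", {"NS", "DS", "RRSIG", "NSEC"}),  # last RR wraps to apex
]

# Same slice WITH an unsigned (DS-less) delegation for "homenet." published.
ROOT_WITH_HOMENET = [
    (".", "aaa.", {"NS", "SOA", "RRSIG", "NSEC", "DNSKEY"}),
    ("aaa.", "home.", {"NS", "DS", "RRSIG", "NSEC"}),
    ("home.", "homenet.", {"NS", "DS", "RRSIG", "NSEC"}),
    ("homenet.", "homes.", {"NS", "RRSIG", "NSEC"}),  # NS but no DS
    ("homes.", "zw.", {"NS", "DS", "RRSIG", "NSEC"}),
    ("zw.", ".", {"NS", "DS", "RRSIG", "NSEC"}),
]


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """RFC 4034 s6.1 canonical ordering: compare labels right to left,
    lower-cased, as byte strings; a name that is a prefix sorts first."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return tuple(lab.encode("ascii") for lab in reversed(labels))


def nsec_covers(owner: str, nxt: str, qname: str) -> bool:
    """True if the NSEC at `owner` proves that `qname` does not exist."""
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(qname)
    if o < n:
        return o < q < n
    return o < q  # last NSEC in the zone: next is the apex, covers all above owner


def find_exact(qname: str, chain) -> Optional[NsecRR]:
    k = canonical_key(qname)
    return next((rr for rr in chain if canonical_key(rr[0]) == k), None)


def find_cover(qname: str, chain) -> Optional[NsecRR]:
    return next((rr for rr in chain if nsec_covers(rr[0], rr[1], qname)), None)


def classify(qname: str, chain, apex: str = ".") -> str:
    """What a validator concludes about a name directly below `apex`
    from an (assumed already signature-checked) NSEC chain."""
    exact = find_exact(qname, chain)
    if exact is not None:
        types = exact[2]
        if "NS" in types:
            return "secure delegation" if "DS" in types else "insecure delegation"
        return "exists"
    # NXDOMAIN for a child of the apex needs two pieces of denial:
    # an NSEC covering the name itself and one covering the apex wildcard.
    wildcard = "*." if apex == "." else "*." + apex
    if find_cover(qname, chain) and find_cover(wildcard, chain):
        return "nxdomain (proven)"
    return "insufficient denial proof"


def sig_window_ok(inception: int, expiration: int, now: int) -> bool:
    """RFC 4035 s5.3.1 time check on RRSIG inception/expiration, using
    RFC 1982 serial arithmetic on the 32-bit timestamps."""
    mod = 1 << 32

    def serial_le(a: int, b: int) -> bool:
        return ((b - a) % mod) < (mod // 2)

    return serial_le(inception, now) and serial_le(now, expiration)


if __name__ == "__main__":
    print("homenet. without entry:", classify("homenet.", ROOT_NO_HOMENET))
    print("homenet. with entry:   ", classify("homenet.", ROOT_WITH_HOMENET))
    # Constructed timestamps: a cached signature the resolver must keep fresh.
    print("RRSIG still valid:", sig_window_ok(1_490_000_000, 1_491_000_000, 1_490_059_542))
    print("RRSIG after expiry:", sig_window_ok(1_490_000_000, 1_491_000_000, 1_492_000_000))
```

The brittleness Ted points at shows up in `sig_window_ok`: a homenet resolver that synthesises the signed NXDOMAIN locally from the NSEC records in `ROOT_NO_HOMENET` can only do so while the copied RRSIGs are inside their validity window, so whatever mechanism delivers them has to keep delivering fresh ones; with the unsigned delegation in `ROOT_WITH_HOMENET` the validator simply lands on "insecure delegation" and needs nothing beyond the normal root lookup.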