Re: [DNSOP] [homenet] My assessment of .homenet as described during the WG session yesterday.

[Mark Andrews <marka@isc.org>]

In message <CAH1iCiozhJ3CxRDXh8R1kfv40SZvA2MqPmsstx__+34BRowwUw@mail.gmail.com>, Brian Dickson writes:
> On Wed, Mar 29, 2017 at 5:07 PM, Mark Townsley <mark@townsley.net> wrote:
>
> >
> > > On Mar 29, 2017, at 10:07 AM, Michael Richardson
> <mcr+ietf@sandelman.ca>
> > wrote:
> > >
> > >
> > > Terry Manderson <terry.manderson@icann.org> wrote:
> > >> B) seek a .homenet special use domain WITHOUT the delegation request
> > >> AND ask the IETF/IESG/IAB to commence the discussion with the ICANN
> > >> community to achieve an insecure delegation
> > >
> > >> c) seek a <SOMETHING>.arpa insecure special use delegation
> > >
> > >> d) go for "B" and if that doesn't work shift to "C"
> > >
> > > Is there some reason we can not proceed with "C", concurrently with (B).
> >
> > I think that would require a new consensus call. There was a lot of work
> > done to get to the point of agreeing on a path forward at the last IETF,
> > and this path would be rather different than that.
> >
> > > This might cause stub resolvers to have to have two cases
> > > (SOMETHING.arpa, and .homenet) eventually, but at least we could deploy
> > > and attempt interop with SOMETHING.arpa NOW, and it would more clearly
> > > permit "home." to be removed from code.
> > >
> >
> > /chair-hat-off
> >
> > I don’t think we want to have two defaults in our specs. It’s bad enough
> > that we are already going to end up with .home and .homenet depending on
> > the version of code used or forked from, I really don’t want to do anything
> > that could lead to a third if we can avoid it.
> >
> > - Mark
> >
>
> Taking a STRICTLY devil's advocate position here:
>
> Isn't it the case that the thing that knows what the <homenet> label is,
> should be able to masquerade on behalf of anything that isn't aware of the
> divergence of the three possible values for <homenet>? If you end up with
> some boxes thinking it is ".home", some ".homenet", and some
> ".homenet.arpa", as long as one of them knows about all three, it should
> be possible to resolve the differences.
>
> The scope of the namespace is "the home network", and never reaches the
> real DNS (roots), so at worst it would be folding the three fake
> namespaces into a unified (three-headed) fake namespace.

Can we please stop with this "and never reaches the real DNS (roots)"
garbage.  Queries for homenet/DS *will* reach the roots.  That is
how DNSSEC validation is designed to work.  They *need* to be
answered with a signed NOERROR NODATA response.  Lots of Linux
distributions ship with DNSSEC validation enabled for on machine
clients and they are also configured to forward to the nameservers
that are returned by DHCP.

These machines behave *exactly* like a validating stub resolver from
the DNSSEC perspective.  This isn't something that will be in the
future.  It is the PRESENT.

> I.e. avoid it if you can, but if you can't, I think the issues are
> solvable, even if they get a little funky/ugly under the hood.
>
> None of that should be visible to users, I don't think.
>
> Brian
>
> P.S. Guide to implementers - never expose multiple handles for the same
> object; over-exuberant users may be tempted to try to "clean up" the
> duplicates.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org