Re: [DNSOP] [homenet] My assessment of .homenet as described during the WG session yesterday.

Mark Andrews <marka@isc.org> Thu, 30 March 2017 05:20 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6878B129522; Wed, 29 Mar 2017 22:20:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, PP_MIME_FAKE_ASCII_TEXT=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I6IrfwjqTSVG; Wed, 29 Mar 2017 22:20:12 -0700 (PDT)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [199.6.1.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7276E12948D; Wed, 29 Mar 2017 22:20:12 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.ams1.isc.org (Postfix) with ESMTPS id 73E8D24AE08; Thu, 30 Mar 2017 05:20:07 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 5B20A16003A; Thu, 30 Mar 2017 05:20:07 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 4541816004F; Thu, 30 Mar 2017 05:20:07 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id TLRklVDkJlmu; Thu, 30 Mar 2017 05:20:07 +0000 (UTC)
Received: from rock.dv.isc.org (107-1-12-170-ip-static.hfc.comcastbusiness.net [107.1.12.170]) by zmx1.isc.org (Postfix) with ESMTPSA id E413616003A; Thu, 30 Mar 2017 05:20:06 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 008D66A4B0BE; Thu, 30 Mar 2017 16:20:05 +1100 (AEDT)
To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: Mark Townsley <mark@townsley.net>, Michael Richardson <mcr+ietf@sandelman.ca>, HOMENET <homenet@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, Terry Manderson <terry.manderson@icann.org>
From: Mark Andrews <marka@isc.org>
References: <DAC83E33-A206-4EAA-BC96-E26ACCC013A6@icann.org> <29150.1490800075@obiwan.sandelman.ca> <D04E5190-AEE4-4F0A-9879-A913D5E65C28@townsley.net> <CAH1iCiozhJ3CxRDXh8R1kfv40SZvA2MqPmsstx__+34BRowwUw@mail.gmail.com>
In-reply-to: Your message of "Wed, 29 Mar 2017 23:41:00 -0500." <CAH1iCiozhJ3CxRDXh8R1kfv40SZvA2MqPmsstx__+34BRowwUw@mail.gmail.com>
Date: Thu, 30 Mar 2017 16:20:05 +1100
Message-Id: <20170330052006.008D66A4B0BE@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/QSi_nAcbLc8KiXyAiVxEZOSoR9w>
Subject: Re: [DNSOP] [homenet] My assessment of .homenet as described during the WG session yesterday.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Mar 2017 05:20:14 -0000

In message <CAH1iCiozhJ3CxRDXh8R1kfv40SZvA2MqPmsstx__+34BRowwUw@mail.gmail.com>om>, Brian Dickson writes:
> On Wed, Mar 29, 2017 at 5:07 PM, Mark Townsley <mark@townsley.net> wrote:
>
> >
> > > On Mar 29, 2017, at 10:07 AM, Michael Richardson
> <mcr+ietf@sandelman.ca>
> > wrote:
> > >
> > >
> > > Terry Manderson <terry.manderson@icann.org> wrote:
> > >> B) seek a .homenet special use domain WITHOUT the delegation request
> > >> AND ask the IETF/IESG/IAB to commence the discussion with the ICANN
> > >> community to achieve an insecure delegation
> > >
> > >> c) seek a <SOMETHING>.arpa insecure special use delegation
> > >
> > >> d) go for "B" and if that doesn't work shift to "C"
> > >
> > > Is there some reason we can not proceed with "C", concurrently with (B).
> >
> > I think that would require a new consensus call. There was a lot of work
> > done to get to the point of agreeing on a path forward at the last IETF,
> > and this path would be rather different than that.
> >
> > > This might cause stub resolvers to have to have two cases
> > > (SOMETHING.arpa, and .homenet) eventually, but at least we could deploy
> > > and attempt interop with SOMETHING.arpa NOW, and it would more clearly
> > > permit "home." to be removed from code.
> > >
> >
> > /chair-hat-off
> >
> > I don’t think we want to have two defaults in our specs. It’s bad enough
> > that we are already going to end up with .home and .homenet depending on
> > the version of code used or forked from, I really don’t want to do anything
> > that could lead to a third if we can avoid it.
> >
> > - Mark
> >
>
> Taking a STRICTLY devil's advocate position here:
>
> Isn't it the case that the thing that knows what the <homenet> label is,
> should be able to masquerade on behalf of anything that isn't aware of the
> divergence of the three possible values for <homenet>? If you end up with
> some boxes thinking it is ".home", some ".homenet", and some
> ".homenet.arpa", as long as one of them knows about all three, it should
> be possible to resolve the differences.
>
> The scope of the namespace is "the home network", and never reaches the
> real DNS (roots), so at worst it would be folding the three fake
> namespaces into a unified (three-headed) fake namespace.

Can we please stop with this "and never reaches the real DNS (roots)"
garbage.  Queries for homenet/DS *will* reach the roots.  That is
how DNSSEC validation is designed to work.  They *need* to be
answered with a signed NOERROR NODATA response.  Lots of Linux
distributions ship with DNSSEC validation enabled for on machine
clients and they are also configured to forward to the nameservers
that are returned by DHCP.

These machines behave *exactly* like a validating stub resolver from
the DNSSEC perspective.  This isn't something that will be in the
future.  It is the PRESENT.

> I.e. avoid it if you can, but if you can't, I think the issues are
> solvable, even if they get a little funky/ugly under the hood.
>
> None of that should be visible to users, I don't think.
>
> Brian
>
> P.S. Guide to implementers - never expose multiple handles for the same
> object; over-exuberant users may be tempted to try to "clean up" the
> duplicates.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org