Re: [DNSOP] WG review of draft-ietf-homenet-dot-03

Paul Wouters <paul@nohats.ca> Mon, 20 March 2017 22:19 UTC

Date: Mon, 20 Mar 2017 18:19:45 -0400
From: Paul Wouters <paul@nohats.ca>
To: dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/TaqrfuZlGS58WO2VqkAojfxEFfg>

On Mon, 20 Mar 2017, Steve Crocker wrote:

> If you assume the local environment is going to get complicated and that signing of the local domain will become important in order to guard against hijacking by errant devices inside the perimeter, it looks to me there will have to be a local trust anchor. For devices brought into the environment, DHCP already assigns the IP address and the DNS servers.  It can “easily” be augmented to hand out the public key of the local hierarchy.  Or, I suppose, since I’ve just posited that the DHCP server will tell the new device which DNS server to use, the device could then query the DNS server to find out if it has a signed .homenet domain and what its public key is.

I am assuming that if stubs are validating, then they must also support
excluding special queries from validation, such as mDNS, .onion and
.homenet.

The .homenet queries should never reach real DNS servers, so I would
not think an insecure delegation in the root is required. If the DNS
resolver doesn't know how to handle .homenet, it is already as wrong
as it can be, regardless of the type of answer.

I thought the reason to ask for a Special Names domain was to ensure
no one else can register and launch .homenet in the future.

Paul
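As an added illustration of the validation-exclusion Paul describes (example code written for this page, not from the thread or from any resolver implementation; the policy values and the use of .local as the mDNS suffix are assumptions):

```python
"""Constructed example: a validating stub's policy for special-use names.

Assumed policy (not stated in the thread): names under a special-use suffix
are answered locally (mDNS, the onion system, or the homenet resolver) and
are exempt from DNSSEC validation, since no chain of trust from the root
trust anchor can exist for them. Everything else is forwarded upstream and
must validate."""
from dataclasses import dataclass

# Suffixes the message names as needing exclusion: mDNS (.local is an
# assumption), .onion and .homenet. Stored in absolute form.
SPECIAL_USE = ("local.", "onion.", "homenet.")


@dataclass(frozen=True)
class Policy:
    forward_upstream: bool  # may the query leave the local environment?
    require_dnssec: bool    # must the answer chain to the root trust anchor?


def _labels(name: str) -> list[str]:
    """Normalise a name: case-insensitive, trailing dot optional, split on labels."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def under_suffix(name: str, suffix: str) -> bool:
    """True if name equals suffix or lies beneath it on a label boundary.

    Matching on labels (not on raw string endings) is the edge case that
    matters: 'nothomenet.' must not be treated as part of 'homenet.'."""
    n, s = _labels(name), _labels(suffix)
    return len(n) >= len(s) and n[len(n) - len(s):] == s


def policy_for(qname: str) -> Policy:
    """Decide forwarding and validation requirements for one query name."""
    for suffix in SPECIAL_USE:
        if under_suffix(qname, suffix):
            return Policy(forward_upstream=False, require_dnssec=False)
    return Policy(forward_upstream=True, require_dnssec=True)


def accept_answer(qname: str, validated: bool) -> bool:
    """Stub decision: accept if validation succeeded, or was never required."""
    return validated or not policy_for(qname).require_dnssec
```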