IETF Logo Mail Archive

Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "homenet-dot"

"John Levine" <johnl@taugh.com> Wed, 14 December 2016 22:06 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6646129EF0 for <dnsop@ietfa.amsl.com>; Wed, 14 Dec 2016 14:06:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kq5DiGn4vlpu for <dnsop@ietfa.amsl.com>; Wed, 14 Dec 2016 14:06:43 -0800 (PST)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0B53129BEA for <dnsop@ietf.org>; Wed, 14 Dec 2016 14:04:52 -0800 (PST)
Received: (qmail 35912 invoked from network); 14 Dec 2016 22:04:56 -0000
Received: from unknown (64.57.183.18) by mail1.iecc.com with QMQP; 14 Dec 2016 22:04:56 -0000
Date: Wed, 14 Dec 2016 22:04:28 -0000
Message-ID: <20161214220428.1688.qmail@ary.lan>
From: John Levine <johnl@taugh.com>
To: dnsop@ietf.org
In-Reply-To: <ef9fe1fc-6dc1-5208-994b-19c3b248d42d@nthpermutation.com>
Organization:
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/TiiAIR4CVBbFpXElJPwvTNhvqfE>
Cc: homenet@ietf.org, msj@nthpermutation.com
Subject: Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "homenet-dot"
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Dec 2016 22:06:45 -0000

>Here's the reasoning:   Either your home router understands .homenet or 
>it doesn't.  If it doesn't, then your homenet shouldn't be using 
>.homenet and any .homenet lookups to the real world should fail.  If it 
>does, then it should trap .homenet queries and do with it what it will.

But it's worse than that -- if your client software does DNSSEC
validation it needs to understand that homenet is a special case and
it's OK not to validate.  This brings us to one of the knottiest parts
of special use names, which is that they're all handled differently.
For .onion, it's generally handled in a SOCKS proxy in the
application, for .local it's handled by mDNS, and for .localhost it's
special cased in the stub client library.  (There are of course other
ways one could do it, e.g., a .onion proxy on a LAN could intercept
AAAA lookups, and return link-local addresses it serves.)

One model is that DNSSEC is so complex that applications depend on the
cache and if it sets the AD bit, you trust the result.  Another is
that memory is cheap and you put a complete DNSSEC verifier in the
application libraries, so they need to get all of the DNSSEC goop and
decide for themselves whether they believe it.

In the former model, you're right, the cache can tell virtuous lies
about .homenet addresses and there's no need to put anything in the
root.  In the latter case, you're pretty much schrod.  Since there's
no way to do a DNSSEC chain from the root to a zillion random homenet
setups, an unsigned root delegation says that an unsigned result isn't
necessarily wrong, but of course it doesn't say that it's right,
either.

This is a situation that DNSSEC wasn't set up to solve, unless you're
going to wave your hands and invent some sort of DHCP extension where
the router can hand out local trust anchors.  I realize we have RFC
3318, but I don't get the impression that this is a scenario it can
handle without implausible amounts of manual preconfiguration just
to get your mobile phone on your home wifi.

So having said all this, I agree with Steve that an unsigned delegation
is a bad idea, not because all unsigned delegations are necessarily
bad, but because this one wouldn't solve enough problems to be worth
the ugly and ambiguous precedent it'd set.

R's,
John

v2.23.0 | Report a Bug | By Email