Re: [DNSOP] DNSSEC in local networks

Mark Andrews <marka@isc.org> Mon, 04 September 2017 09:05 UTC

To: "Walter H." <walter.h@mathemainzel.info>
Cc: Jim Reid <jim@rfc1035.com>, dnsop WG <dnsop@ietf.org>
From: Mark Andrews <marka@isc.org>
References: <150428805872.6417.9525310755360551475@ietfa.amsl.com> <59A9B760.2060209@mathemainzel.info> <alpine.DEB.2.11.1709012044210.2676@grey.csi.cam.ac.uk> <59A9BCA2.6060008@mathemainzel.info> <20170903043202.GA18082@besserwisser.org> <59AC4E42.9080600@mathemainzel.info> <60304450-DFA3-4982-B01D-CC33C49BDCFC@isc.org> <59f8c88caaf82a5884aa87223d49e7e4.1504505559@squirrel.mail> <3B75D240-13B9-4A94-B56D-24E83B4A4A8F@rfc1035.com> <3fe7bc511a990b0288b645dc176e1ef3.1504515284@squirrel.mail>
In-reply-to: Your message of "Mon, 04 Sep 2017 10:54:44 +0200." <3fe7bc511a990b0288b645dc176e1ef3.1504515284@squirrel.mail>
Date: Mon, 04 Sep 2017 19:04:55 +1000
Message-Id: <20170904090455.4249F8411CFC@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/X4AWtDKZ0xn15qT80Itg-edGlAg>

In message <3fe7bc511a990b0288b645dc176e1ef3.1504515284@squirrel.mail>, "Walter
 H." writes:
> On Mon, September 4, 2017 10:26, Jim Reid wrote:
> >
> >> On 4 Sep 2017, at 07:12, Walter H. <Walter.H@mathemainzel.info> wrote:
> >>
> >> by the way: why are you discussing DNSSEC for names that are used
> >> only locally?
> >
> > Why do you seem to assume there are never, ever any DNS security issues on
> > the local net?
> 
> when there are troubles on the local net, DNS security issues are the lesser
> problem ...
> 
> I'd say: "either you trust the local net or not";
> 
> > Why would someone want to deliberately configure things to prevent
> > DNSSEC-aware applications and resolvers from working on the local net?
> 
> because of its strange signature procedure: a zone doesn't have to be
> resigned, when it changes ...

And no one said you have to use DNSSEC to sign any zone.  The
discussion is around making DNSSEC validating software work without
having to update all of it to support people using home.arpa.  That
starts by having a delegation for home.arpa.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
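Added illustration (not part of the thread, and not ISC or BIND code): a toy model of the DNSSEC validation states from RFC 4035 section 4.3 (secure, insecure, bogus) that shows why Mark's point holds. A validating resolver that has to answer for an unsigned home.arpa served locally gets "bogus" when the signed arpa zone has no delegation at all, because the parent's secure denial of existence contradicts the local data. It gets "insecure" once arpa carries a delegation without a DS record, which is the outcome the thread wants. The third scenario goes beyond the message and shows that a delegation with a DS record would not help either: an unsigned local answer under a provably signed zone is still bogus, so the delegation has to be the insecure kind. The zone contents and the query name `printer.home.arpa.` are constructed; the model walks only the chain of trust and does not parse real RRSIG or NSEC records.

```python
"""Toy model of DNSSEC validation states for a name under home.arpa.

Constructed example: zone data is made up and the validator logic is
deliberately minimal. It tracks only the chain of trust (trust anchor,
DS presence, whether a zone is signed), not actual signatures or NSEC
proofs, which is enough to show the secure/insecure/bogus outcomes.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterator

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"


@dataclass
class Zone:
    name: str                       # fully qualified, e.g. "arpa."
    signed: bool                    # zone publishes RRSIGs and NSEC/NSEC3
    # child zone name -> True if this zone publishes a DS record for it
    delegations: Dict[str, bool] = field(default_factory=dict)


def zone_cuts(qname: str) -> Iterator[str]:
    """Yield candidate zone names from the root down:
    '.', 'arpa.', 'home.arpa.', 'printer.home.arpa.'."""
    labels = qname.rstrip(".").split(".")
    yield "."
    for i in range(len(labels) - 1, -1, -1):
        yield ".".join(labels[i:]) + "."


def validation_state(zones: Dict[str, Zone], qname: str) -> str:
    """Walk the delegation chain from the root (the trust anchor) and
    return the security state of the deepest zone cut enclosing qname."""
    current = zones["."]
    state = SECURE if current.signed else INSECURE
    for cut in zone_cuts(qname):
        if cut == ".":
            continue
        if cut not in current.delegations:
            break                   # no cut here: the name lives inside `current`
        ds_published = current.delegations[cut]
        child = zones.get(cut, Zone(cut, signed=False))
        if state == SECURE:
            if ds_published:
                # the parent vouches for the child, so the child must be signed
                state = SECURE if child.signed else BOGUS
            else:
                # a signed parent proving "no DS" is an insecure delegation
                state = INSECURE
        # an insecure parent never makes a child secure; bogus stays bogus
        current = child
        if state == BOGUS:
            break
    return state


def unsigned_local_answer(zones: Dict[str, Zone], qname: str) -> str:
    """Outcome when a local resolver hands the validator an unsigned
    answer for qname, the home-network case discussed in the thread."""
    state = validation_state(zones, qname)
    if state == INSECURE:
        return INSECURE     # unsigned data is what an insecure delegation permits
    return BOGUS            # under a secure chain, unsigned data cannot validate


def scenarios() -> Dict[str, str]:
    """Three constructed states of the arpa zone for the same local query."""
    root = Zone(".", signed=True, delegations={"arpa.": True})
    arpa_no_delegation = Zone("arpa.", signed=True)
    arpa_insecure = Zone("arpa.", signed=True, delegations={"home.arpa.": False})
    arpa_secure = Zone("arpa.", signed=True, delegations={"home.arpa.": True})
    home_signed = Zone("home.arpa.", signed=True)
    q = "printer.home.arpa."   # constructed name served only on the local net
    return {
        "no delegation": unsigned_local_answer(
            {".": root, "arpa.": arpa_no_delegation}, q),
        "insecure delegation": unsigned_local_answer(
            {".": root, "arpa.": arpa_insecure}, q),
        "signed delegation": unsigned_local_answer(
            {".": root, "arpa.": arpa_secure, "home.arpa.": home_signed}, q),
    }


if __name__ == "__main__":
    for label, outcome in scenarios().items():
        print(f"{label:20s} -> {outcome}")
```

Running the module prints one line per scenario: "no delegation" and "signed delegation" both end in bogus, only "insecure delegation" ends in insecure, which is the state that lets unmodified validating resolvers accept locally served home.arpa names.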