Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

Michael StJohns <msj@nthpermutation.com> Wed, 14 December 2016 17:37 UTC

To: dnsop@ietf.org
References: <4ab2a538-603e-4e7a-3be9-ad75ed459006@bellis.me.uk> <E773C5B4-BA00-488C-9854-C729B671DFBD@gmail.com> <95E95A61-2079-498B-91C6-E98B50B84044@shinkuro.com> <CAPt1N1nCWgEtsMY4s669CHicWppyz9wCVYA9HR0QR_rGOPXSfA@mail.gmail.com> <CE36578B-780B-4222-B5A8-F6A252259234@shinkuro.com> <CAPt1N1n+PcuJ+AU-6U4TFiJvjNWz1PRNNp+y=zbnMSxZVKZ57A@mail.gmail.com> <ef9fe1fc-6dc1-5208-994b-19c3b248d42d@nthpermutation.com> <4B3D095D-8535-4F6B-88C5-3E1F5CB98E13@shinkuro.com>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <28b72891-1a84-b1a3-cc4c-77421713f450@nthpermutation.com>
Date: Wed, 14 Dec 2016 12:37:50 -0500
In-Reply-To: <4B3D095D-8535-4F6B-88C5-3E1F5CB98E13@shinkuro.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/YEjlTUfUZ4Q214t7MBGSbd-Hgf8>

On 12/14/2016 12:34 PM, Steve Crocker wrote:
> Mike,
>
> A query to the root for .homenet results in a *signed* answer that 
> .homenet does not exist.  This should suffice for the purpose you have 
> in mind.

Yup - that's my comment:

    The third way is to do no delegation from the root for .homenet and
    just ensure that that name never gets registered and published.


>
> Ralph,
>
> Re moving to the homenet list, I will try to send the same info there 
> once I have time to sign up for that list.

Actually, I think Ray was probably more right on where this - 
specifically - should be discussed.  Once done, then Homenet needs to 
consider what to do about the guidance.

Mike


>
> Steve
>
>> On Dec 14, 2016, at 12:23 PM, Michael StJohns <msj@nthpermutation.com 
>> <mailto:msj@nthpermutation.com>> wrote:
>>
>> On 12/14/2016 12:07 PM, Ted Lemon wrote:
>>> I hope it was obvious that I was pretty confident that you actually 
>>> had a reason.   :)
>>>
>>> The issue with what you are saying is that sometimes it is 
>>> technically correct for a name to not be validatable.   The reason 
>>> we want an unsecured delegation for .homenet is that .homenet can't 
>>> be validated using the root trust anchor, because the name has no 
>>> globally unique meaning.   So the reason that you've given doesn't 
>>> apply to this case, although I completely agree with your reason as 
>>> it applies to the case of names that are globally unique.
>>
>> I went back and forth on this three times in 3 minutes "Steve's 
>> right, no Ted's right, no, Steve's right" before settling on "I think 
>> Steve is mostly right, but there may be an alternative third approach".
>>
>> Here's the reasoning:   Either your home router understands .homenet 
>> or it doesn't.  If it doesn't, then your homenet shouldn't be using 
>> .homenet and any .homenet lookups to the real world should fail.  If 
>> it does, then it should trap .homenet queries and do with it what it 
>> will.
>>
>> Doing it Steve's way removes one attack surface for non-compliant 
>> routers on home networks and for all the rest of the networks (e.g. 
>> feeding a user a URL with a .homenet name on a fake webpage).
>>
>> However, I think doing it Steve's way requires a *real* TLD zone for 
>> .homenet, if for no other reason than to include NSEC and NSEC3 
>> records indicating an empty domain.
>>
>> The third way is to do no delegation from the root for .homenet and 
>> just ensure that that name never gets registered and published.
>>
>> "If it's stupid and it works, it's not stupid".
>>
>> Mike
>>
>>>
>>> On Wed, Dec 14, 2016 at 11:59 AM, Steve Crocker <steve@shinkuro.com 
>>> <mailto:steve@shinkuro.com>> wrote:
>>>
>>>     The latter.  All DNS answers at all levels should be signed to
>>>     assure the querier of the integrity of the answer.  This has
>>>     been the goal and best practice for a very long time.  For
>>>     example, it was the explicit objective of the quite substantial
>>>     DNSSEC effort funded by the US Dept of Homeland Security
>>>     starting in 2004.
>>>
>>>     Within ICANN, in 2009 we made it a formal requirement that all new
>>>     gTLDs must be signed.  The ccTLDs are not subject to ICANN rules
>>>     but they have been gradually moving toward signed status.  Most
>>>     of the major ccTLDs are signed and many of the others are too. 
>>>     Detailed maps are created every week by ISOC.
>>>
>>>     I will also try to contribute to the homenet mailing list.
>>>
>>>     Steve
>>>
>>>     Sent from my iPhone
>>>
>>>     On Dec 14, 2016, at 11:36 AM, Ted Lemon <mellon@fugue.com
>>>     <mailto:mellon@fugue.com>> wrote:
>>>
>>>>     Is this a matter of religious conviction, or is there some
>>>>     issue with unsecured delegations in the root that you are
>>>>     assuming is so obvious that you don't need to tell us about it?
>>>>       :)
>>>>
>>>>     On Wed, Dec 14, 2016 at 11:18 AM, Steve Crocker
>>>>     <steve@shinkuro.com <mailto:steve@shinkuro.com>> wrote:
>>>>
>>>>         I am strongly opposed to unsecured delegations in the root
>>>>         zone.  No matter what the problem is, an unsecured
>>>>         delegation is not the answer.
>>>>
>>>>         Steve
>>>>
>>>>>         On Dec 14, 2016, at 11:11 AM, Suzanne Woolf
>>>>>         <suzworldwide@gmail.com <mailto:suzworldwide@gmail.com>>
>>>>>         wrote:
>>>>>
>>>>>         Hi all,
>>>>>
>>>>>         DNSOP participants who are interested in the special use
>>>>>         names problem might want to review
>>>>>         draft-ietf-homenet-redact
>>>>>         (https://datatracker.ietf.org/doc/draft-ietf-homenet-redact/
>>>>>         <https://datatracker.ietf.org/doc/draft-ietf-homenet-redact/>)
>>>>>         and draft-ietf-homenet-dot
>>>>>         (https://datatracker.ietf.org/doc/draft-ietf-homenet-dot/
>>>>>         <https://datatracker.ietf.org/doc/draft-ietf-homenet-dot/>)
>>>>>         for the WGLC on them in the HOMENET wg.
>>>>>
>>>>>         WGLC comments should go to the WG list, homenet@ietf.org
>>>>>         <mailto:homenet@ietf.org>.
>>>>>
>>>>>         If you do, it will also be helpful to look at RFC 7788,
>>>>>         which specifies the Home Networking Control Protocol for
>>>>>         homenets.
>>>>>
>>>>>         The redact draft is intended to remove the inadvertent
>>>>>         reservation of “.home” as the default namespace for
>>>>>         homenets in RFC 7788.
>>>>>
>>>>>         The homenet-dot draft is intended to provide a request
>>>>>         under RFC 6761 for “.homenet” as a special use name to
>>>>>         serve as a default namespace for homenets. It also asks
>>>>>         IANA for an unsecured delegation in the root zone to avoid
>>>>>         DNSSEC validation failures for local names under
>>>>>         “.homenet”. The root zone request to IANA has caused some
>>>>>         discussion within the WG, as there’s no precedent for such
>>>>>         a request.
>>>>>
>>>>>         Terry Manderson mentioned the homenet-dot draft briefly at
>>>>>         the mic in Seoul.
>>>>>
>>>>>         The WGLC ends this week.
>>>>>
>>>>>
>>>>>         Suzanne
>>>>>
>>>>>>         Begin forwarded message:
>>>>>>
>>>>>>         *From: *Ray Bellis <ray@bellis.me.uk
>>>>>>         <mailto:ray@bellis.me.uk>>
>>>>>>         *Subject: **[homenet] WGLC on "redact" and "homenet-dot"*
>>>>>>         *Date: *November 17, 2016 at 11:27:08 PM EST
>>>>>>         *To: *HOMENET <homenet@ietf.org <mailto:homenet@ietf.org>>
>>>>>>
>>>>>>         This email commences a four week WGLC comment period on
>>>>>>         draft-ietf-homenet-redact and draft-ietf-homenet-dot
>>>>>>
>>>>>>         Please send any comments to the WG list as soon as possible.
>>>>>>
>>>>>>         Whilst there was a very strong hum in favour of
>>>>>>         ".homenet" vs anything
>>>>>>         else during the meeting, and there's some discussion of
>>>>>>         that ongoing
>>>>>>         here on the list - I'd like us to please keep the
>>>>>>         discussion of the
>>>>>>         choice of domain separate from other substantive comment
>>>>>>         about the
>>>>>>         drafts' contents.
>>>>>>
>>>>>>         thanks,
>>>>>>
>>>>>>         Ray
>>>>>>
>>>>>>         _______________________________________________
>>>>>>         homenet mailing list
>>>>>>         homenet@ietf.org <mailto:homenet@ietf.org>
>>>>>>         https://www.ietf.org/mailman/listinfo/homenet
>>>>>>         <https://www.ietf.org/mailman/listinfo/homenet>
>>>>>
>>>>>         _______________________________________________
>>>>>         DNSOP mailing list
>>>>>         DNSOP@ietf.org <mailto:DNSOP@ietf.org>
>>>>>         https://www.ietf.org/mailman/listinfo/dnsop
>>>>>         <https://www.ietf.org/mailman/listinfo/dnsop>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
>
>
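The three root-zone options argued over in this thread (no delegation at all, so the root's NSEC chain gives a signed proof that .homenet does not exist; an unsecured delegation with NS but no DS; and a real, signed TLD zone) have different consequences for a validating resolver that receives an unsigned answer from a home router. The following Python model is an added example and is not part of any message in this thread or of the homenet drafts. The toy root zone, the helper names (`make_root`, `delegation_status`, `classify_unsigned_answer`) and the query name `printer.homenet.` are constructed for the illustration; no signatures are computed, the root is simply assumed to be signed with a trusted key, and wildcard and NSEC3 proofs are left out.

```python
"""Toy model of how a DNSSEC validator classifies an unsigned answer for a
name under a candidate TLD, depending on what the signed root zone says
about that TLD. Constructed example: tiny root zone, no real crypto."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

Name = str  # fully qualified, trailing dot, e.g. "homenet."


def canonical_key(name: Name) -> Tuple[str, ...]:
    """DNS canonical ordering (RFC 4034 section 6.1): labels compared from
    the root downward, case-insensitively."""
    labels = [] if name == "." else name.rstrip(".").split(".")
    return tuple(reversed([label.lower() for label in labels]))


@dataclass(frozen=True)
class NSEC:
    owner: Name
    next_name: Name
    types: FrozenSet[str]  # type bitmap of the owner name

    def covers(self, name: Name) -> bool:
        """True if name lies strictly between owner and next_name, i.e. this
        NSEC proves that name does not exist. The last record in the chain
        points back at the apex, so the interval wraps around."""
        o, n, q = (canonical_key(self.owner), canonical_key(self.next_name),
                   canonical_key(name))
        if o < n:
            return o < q < n
        return q > o or q < n


@dataclass
class Zone:
    apex: Name
    signed: bool
    rrsets: Dict[Name, FrozenSet[str]]  # owner name -> RR types present

    def nsec_chain(self) -> List[NSEC]:
        """Derive the NSEC chain: every owner name links to its successor in
        canonical order, the last one back to the apex."""
        names = sorted(self.rrsets, key=canonical_key)
        return [NSEC(owner, names[(i + 1) % len(names)], self.rrsets[owner])
                for i, owner in enumerate(names)]


def make_root(homenet: Optional[str] = None) -> Zone:
    """Constructed root zone. homenet=None: no delegation; "unsecured": NS
    without DS (what draft-ietf-homenet-dot asks for); "secure": NS plus DS."""
    delegated = frozenset({"NS", "DS", "NSEC", "RRSIG"})
    rrsets = {
        ".": frozenset({"SOA", "NS", "DNSKEY", "NSEC", "RRSIG"}),
        "arpa.": delegated, "com.": delegated, "net.": delegated, "org.": delegated,
    }
    if homenet == "unsecured":
        rrsets["homenet."] = frozenset({"NS", "NSEC", "RRSIG"})
    elif homenet == "secure":
        rrsets["homenet."] = delegated
    return Zone(".", True, rrsets)


def delegation_status(root: Zone, tld: Name) -> Tuple[str, NSEC]:
    """What the root's NSEC chain proves about a TLD, and the NSEC a
    validator would cite: "nonexistent" (signed NXDOMAIN), "insecure"
    (NS present, DS provably absent) or "secure" (DS present)."""
    assert root.signed, "model assumes a signed root with a trusted key"
    for nsec in root.nsec_chain():
        if nsec.owner == tld:
            if "DS" in nsec.types:
                return "secure", nsec
            if "NS" in nsec.types:
                return "insecure", nsec
            raise ValueError(f"{tld} exists at the root but is not a delegation")
        if nsec.covers(tld):
            return "nonexistent", nsec
    raise ValueError("NSEC chain does not cover the name space")


def classify_unsigned_answer(root: Zone, qname: Name) -> str:
    """Outcome a validating resolver assigns to an unsigned answer for qname
    (e.g. one synthesised by a home router) given only the root's proof about
    qname's TLD. Only an unsecured delegation makes such an answer acceptable;
    otherwise the root proves the TLD does not exist, or that a DS exists and
    signatures are required, so the unsigned answer is bogus."""
    tld = qname.rstrip(".").split(".")[-1] + "."
    status, _ = delegation_status(root, tld)
    return "insecure" if status == "insecure" else "bogus"


if __name__ == "__main__":
    for option in (None, "unsecured", "secure"):
        root = make_root(option)
        status, proof = delegation_status(root, "homenet.")
        verdict = classify_unsigned_answer(root, "printer.homenet.")
        print(f"root option={option!s:9} homenet={status:11} "
              f"proof={proof.owner} -> {proof.next_name:9} "
              f"unsigned answer for printer.homenet.: {verdict}")
```

With no delegation, the covering NSEC is `com. -> net.`, which is exactly the signed "does not exist" answer Steve describes; a router that hands a validating client an unsigned answer for a .homenet name then gets that answer rejected, which is the failure mode the unsecured-delegation request is meant to avoid.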