Re: [DNSOP] WG review of draft-ietf-homenet-dot-03

Andrew Sullivan <ajs@anvilwalrusden.com> Tue, 21 March 2017 01:24 UTC

Date: Mon, 20 Mar 2017 21:23:52 -0400
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnsop@ietf.org
Message-ID: <20170321012352.GI27276@mx4.yitter.info>
In-Reply-To: <alpine.LRH.2.20.999.1703201816140.542@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Z3gSbAy51xHrxth1b9m133plHvg>

On Mon, Mar 20, 2017 at 06:19:45PM -0400, Paul Wouters wrote:
> I am assuming that if stubs are validating, then they must also support
> excluding special queries from validation, such as mDNS, .onion and
> .homenet.
> 

What possible basis do you have for this?  This is in effect a
requirement that every validating stub (or resolver?  I dunno) be
upgraded to support homenet.

That _might_ be ok, but it's not in the design parameters of the
original work AFAICT.

> The .homenet queries should never reach real DNS servers

But they're going to.  We've had .local since at least the neolithic
age, in Internet terms, and yet the global DNS still sees those
queries.

> not think an insecure delegation in the root is required. If the DNS
> resolver doesn't know how to handle .homenet, it is already as wrong
> as it can be, regardless of the type of answer.

This doesn't follow.  If the resolver gets it wrong in the case of a
provably-unsigned answer, it can just continue its resolution as it
ever wanted.  It won't be able to validate, since it does not have a
local trust anchor.  But it'll work.

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com
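The two outcomes Andrew contrasts above (the root proving an unsigned delegation versus proving the name does not exist), together with the stub-side exclusion Paul assumes, as an added example that is not part of the original thread. The root NSEC entries, the neighbouring TLD names and the "printer.homenet." query are all constructed.

```python
# Added model (not from the thread) of how a validating stub treats a locally
# served answer under a TLD such as .homenet, given what the root zone proves.
# Root NSEC chain is constructed: owner -> (next owner, type bitmap).
ROOT_WITH_INSECURE_DELEGATION = {
    ".":         ("aaa.",      {"SOA", "NS", "NSEC", "RRSIG", "DNSKEY"}),
    "aaa.":      ("homenet.",  {"NS", "DS", "NSEC", "RRSIG"}),
    "homenet.":  ("hospital.", {"NS", "NSEC", "RRSIG"}),  # NS without DS: insecure
    "hospital.": (".",         {"NS", "DS", "NSEC", "RRSIG"}),
}
ROOT_WITHOUT_DELEGATION = {
    ".":         ("aaa.",      {"SOA", "NS", "NSEC", "RRSIG", "DNSKEY"}),
    "aaa.":      ("hospital.", {"NS", "DS", "NSEC", "RRSIG"}),  # gap covers "homenet."
    "hospital.": (".",         {"NS", "DS", "NSEC", "RRSIG"}),
}

def canonical_key(name):
    """DNSSEC canonical order: labels compared right to left, case-insensitively."""
    return tuple(reversed([l.lower().encode() for l in name.split(".") if l]))

def nsec_covers(owner, nxt, name):
    """True if the NSEC from owner to nxt proves that name does not exist."""
    o, n, q = canonical_key(owner), canonical_key(nxt), canonical_key(name)
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC in the chain wraps around to the apex

def classify_tld(root_nsec, tld):
    """What the root zone's signed NSEC data proves about a TLD."""
    if tld in root_nsec:
        types = root_nsec[tld][1]
        if "DS" in types:
            return "secure_delegation"
        return "insecure_delegation" if "NS" in types else "no_delegation"
    for owner, (nxt, _) in root_nsec.items():
        if nsec_covers(owner, nxt, tld):
            return "nonexistent"
    raise ValueError("NSEC chain does not cover " + tld)

def validator_outcome(qname, root_nsec, trust_anchors=(), exclusions=()):
    """Outcome for a locally served answer that the global DNS cannot vouch for."""
    tld = qname.rstrip(".").split(".")[-1] + "."
    if tld in exclusions:
        return "unvalidated"   # stub special-cases the name and never validates it
    if tld in trust_anchors:
        return "secure"        # a local trust anchor lets the stub validate the zone
    state = classify_tld(root_nsec, tld)
    if state == "insecure_delegation":
        return "insecure"      # provably unsigned: answer is used, just without AD
    return "bogus"             # root proves no unsigned delegation: answer rejected
```

Without the insecure delegation, the only ways the local answer survives are the per-name exclusion or a locally configured trust anchor, which is the upgrade requirement the reply objects to.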