[DNSOP] My assessment of .homenet as described during the WG session yesterday.

Terry Manderson <terry.manderson@icann.org> Tue, 28 March 2017 17:32 UTC

Return-Path: <terry.manderson@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 6BD7E129704; Tue, 28 Mar 2017 10:32:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id czHkeWf7ULtR; Tue, 28 Mar 2017 10:32:35 -0700 (PDT)
Received: from out.west.pexch112.icann.org (pfe112-ca-2.pexch112.icann.org []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10C1612944B; Tue, 28 Mar 2017 10:32:35 -0700 (PDT)
Received: from PMBX112-W1-CA-1.pexch112.icann.org ( by PMBX112-W1-CA-2.pexch112.icann.org ( with Microsoft SMTP Server (TLS) id 15.0.1178.4; Tue, 28 Mar 2017 10:32:32 -0700
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([]) with mapi id 15.00.1178.000; Tue, 28 Mar 2017 10:32:32 -0700
From: Terry Manderson <terry.manderson@icann.org>
To: HOMENET <homenet@ietf.org>
CC: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: My assessment of .homenet as described during the WG session yesterday.
Thread-Index: AQHSp+lHBXnknGGzd0m0I5wpP+R/Qw==
Date: Tue, 28 Mar 2017 17:32:31 +0000
Message-ID: <DAC83E33-A206-4EAA-BC96-E26ACCC013A6@icann.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
user-agent: Microsoft-MacOutlook/f.20.0.170309
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="B_3573603150_1408478111"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ardyFEyeFbtJsaxnOU9vTHfJNSQ>
Subject: [DNSOP] My assessment of .homenet as described during the WG session yesterday.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Mar 2017 17:32:40 -0000


Wearing the INT AD hat.

Firstly, thank you to the DNSOP WG for the deep review, thoughts, and considered responses to my request for review.

Secondly, my apologies for not sharing my throughs before the HOMENET session. It would have been impractical to do so as this is a very (VERY) fluid situation with IETF leadership also engaged in discussions.

This is simply an iteration of my description of the current situation as delivered yesterday. Do be aware that conversations are continuing and you should NOT take this as a declarative statement. During the HOMENET WG session I specified that for this topic I am comfortable answering _ clarifying _ questions. The same applies here. My answers may or may not change due to the fluid nature of the concern and I hope you appreciate that.

My summary of the situation is this.

1) .homenet _COULD_ be added to the special use domain registry based on RFC6761 

2) The expected future operation of HOMENET resolution for DNSSEC validating stub resolvers requires a break in the DNSSEC chain of trust.

3) To achieve "2", the document _additionally_ asks IANA to insert an insecure delegation into the root zone

4) The ask for "3" is not covered in IETF policy terms, in fact it tries to put an entry into someone else's registry (the root zone), and will require a set of collaborative discussions with the ICANN community and a new process that handles this situation. There are no expectations that this process will be defined in a reasonable time for the uses of HOMENET.

Options, possibly not an exhaustive list

A) seek a .homenet special use domain with the request for an insecure delegation in the root zone. (This is what the document asks for NOW, and here we are)

B) seek a .homenet special use domain WITHOUT the delegation request AND ask the IETF/IESG/IAB to commence the discussion with the ICANN community to achieve an insecure delegation

c) seek a <SOMETHING>.arpa insecure special use delegation

d) go for "B" and if that doesn't work shift to "C"

Each of these have different positive and negatives in a raw technical sense, UI design desires, and policy and political frames.

Again, this situation is fluid and as discussions evolve I will provide more information when it is appropriate. In the mean-time I would very much like everyone to take a calming breath and understand that I am taking a very pragmatic view of this concern.