Re: [DNSOP] WG review of draft-ietf-homenet-dot-03

Ted Lemon <> Tue, 21 March 2017 01:06 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id EDA4713161E for <>; Mon, 20 Mar 2017 18:06:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id QOZF27WTDmca for <>; Mon, 20 Mar 2017 18:06:45 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c0d::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E229E1294D0 for <>; Mon, 20 Mar 2017 18:06:44 -0700 (PDT)
Received: by with SMTP id n21so120854220qta.1 for <>; Mon, 20 Mar 2017 18:06:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=from:mime-version:subject:date:references:to:in-reply-to:message-id; bh=nE7A4rhgz/I7/aA4gjVM/EGbLecp6xI/cZD5kXHRSa0=; b=dfkfVgWzuCrTQmkeodrfMmVCVKDrrZBTm/85BhEsdUDcgKsTC1OUi3sFQKcFXF1n+Y EklyYns1s7oE2vSV/AJAnyJWfFS4CTYvQCFzoMViTMHbmubgWFt9ACzfHhkbpkQN9G0/ Pd6trMqUghU1HsMidHpcpNMe5SYTzzjsd4j6L4C9Y2s8L8neMdfwo6hcETNlwmyGWvYi 4fD0MMIYosWlUvy4V9mnpfd9FcL3DxIoPa2UbmX05jYgh9NUjs4a7/oxC/APRUVkLMlq AdVkcCsi1tdWcdqzTqsogcB/qurqZR8ggvgtMHfFezhvnsclyrD9voUCnhIQQdyqseC4 WLqw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:mime-version:subject:date:references:to :in-reply-to:message-id; bh=nE7A4rhgz/I7/aA4gjVM/EGbLecp6xI/cZD5kXHRSa0=; b=I9JXDXcNoMiAaqWNjDyzVCCK3mvgzn22AwXlsJbZwMpxOtaoiGemDYZJRyi0gYI341 eNJdkwa4UhpLxtmScNT4YHLRJZ+9X78bVkpjEsCPjyztLX69X0RS1afaWCWcyfIc+OTS 0+H1VQkdohyIv6pDfQmBOdqN24PnoUOKeHkBBqomC4Vyh8CfN6RBvM3kFqX3fEwEkDWr n1i0AsxPVF5B74Okg3IBlEZApvsnC2JW38+eAkc4tCr+/VTVUxD1bPGnmtQ6vHjg2gIZ qlsuCERWmF6gRCy9OQreMj4g4K45f4USFhBxXgiqXmEMWOw/pWn/JzetW2n0Jcn+3PD+ 4ucw==
X-Gm-Message-State: AFeK/H0cPfjF/L9CVDTctH0AXl/vA07kxnt8mJFguRyVQBj4DuYRGoJHNkub33Ozk7RotA==
X-Received: by with SMTP id f51mr28500490qte.164.1490058403696; Mon, 20 Mar 2017 18:06:43 -0700 (PDT)
Received: from [] ( []) by with ESMTPSA id h40sm13617930qtb.59.2017. for <> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 20 Mar 2017 18:06:42 -0700 (PDT)
From: Ted Lemon <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_F9D0921A-2052-4A7E-A908-73B3D74295FC"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Mon, 20 Mar 2017 21:06:40 -0400
References: <> <> <> <> <> <> <> <> <> <> <>
To: dnsop <>
In-Reply-To: <>
Message-Id: <>
X-Mailer: Apple Mail (2.3259)
Archived-At: <>
Subject: Re: [DNSOP] WG review of draft-ietf-homenet-dot-03
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 21 Mar 2017 01:06:47 -0000

On Mar 20, 2017, at 8:48 PM, Viktor Dukhovni <> wrote:
> FWIW, when adding DANE support to Postfix,

Viktor, forgive me, but this is such a completely different use case than what we are talking about.   In this case, the Postfix mailer and the recursive validating resolver are both operated by the same entity.  You can use TSIG and be satisfied, or even trust the IP address if you are naive.

The homenet use case is completely different.   Here we are talking about devices that routinely roam among operational domains with no basis for trust or even knowledge of the trustworthiness of the local resolver.   In this case, trusting the local resolver could be anywhere from completely safe, to an opportunity to have your butt sniffed by your employer, to a completely corrupt Wifi hotspot that's been set up specifically to attack your device.   Trusting the network in this case is simply nonsensical, and there is no trust relationship that could make TSIG work.