IETF Logo Mail Archive

Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "homenet-dot"

Michael StJohns <msj@nthpermutation.com> Wed, 14 December 2016 17:23 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9158129E93 for <dnsop@ietfa.amsl.com>; Wed, 14 Dec 2016 09:23:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l-ORQDtF32Qw for <dnsop@ietfa.amsl.com>; Wed, 14 Dec 2016 09:23:54 -0800 (PST)
Received: from mail-qt0-x230.google.com (mail-qt0-x230.google.com [IPv6:2607:f8b0:400d:c0d::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72D811298BA for <dnsop@ietf.org>; Wed, 14 Dec 2016 09:23:54 -0800 (PST)
Received: by mail-qt0-x230.google.com with SMTP id p16so29451388qta.0 for <dnsop@ietf.org>; Wed, 14 Dec 2016 09:23:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20150623.gappssmtp.com; s=20150623; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to; bh=s0b6iIPFtcZja8sgyRLwd4RLFn+Scee0sfs9ukxkfd0=; b=KPHZzCKp7Uy6SIqvsjqpu7/CMOgt/HCrCZznm00z8S4eLpSonkflf1tRhZwrm8DZ16 3lwZib6bW8P7YEx+PqQLdx+QENkgJHBNhfoTpx9MZa2uUDQf9egs7M5NUysS3QkA1+Xz ZfN8/9jPPibYmFE3wve2KgsurACqEBc68MZJw+lgDJppvX5dZgnYY6aWCFgk4g0apzoF bu8BtDC+FhgbyWBO/GaeDYMRrXzkPutwR9fHeA8CKVSfzVotGYte/DMZdxMrpPC9RILh ZP1TYKmkrdN2GYCPpUhXC1a0QKuX7DIWkZJJxmP0tfSL0BpaCz/yPHOiLrmfx4GuJunc MF2w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to; bh=s0b6iIPFtcZja8sgyRLwd4RLFn+Scee0sfs9ukxkfd0=; b=psrNZmm6dv/USiaCvBE7Ed8aTDp//fBKYIvfoaqQRmtvT7eW6YMw1jfa8Pj7Jo5vOP KCEDtIVfR26epfOY0R6Sw8hPHdCr4kCttzj/RkRfR6yxHHkJJCJv3F3tn2Ja56pvA79d DVGZwwdlKnIWjtSjc/brvhqbySxckeF3l1OnH/t9ZBrgiZyUIGJuoIlri7yNpranRP6U Y4w7+NX+GzAGdqauE1iZrpRJpr0G6gGUbETH3ug3HoTyuNQkj3H1OXlM7vTaOUJSmWIS Q2OA6Qwm8J6610bf3OPvyDpcN/WCtJpcbQkgJXHw8EmaKRXzLK1b20Ou7CUD0Hbdu+f+ oX6g==
X-Gm-Message-State: AKaTC02zg1ERnNP4G4Y66blm2BjWWRNfRcNhSfQsO+jPO9MsLxLFyGyrqRHucC4X8d91mg==
X-Received: by 10.200.34.73 with SMTP id p9mr101779841qtp.25.1481736233213; Wed, 14 Dec 2016 09:23:53 -0800 (PST)
Received: from ?IPv6:2601:152:4400:9b5f:609b:144f:cb12:1626? ([2601:152:4400:9b5f:609b:144f:cb12:1626]) by smtp.gmail.com with ESMTPSA id q199sm32150723qke.31.2016.12.14.09.23.51 for <dnsop@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 14 Dec 2016 09:23:52 -0800 (PST)
To: dnsop@ietf.org
References: <4ab2a538-603e-4e7a-3be9-ad75ed459006@bellis.me.uk> <E773C5B4-BA00-488C-9854-C729B671DFBD@gmail.com> <95E95A61-2079-498B-91C6-E98B50B84044@shinkuro.com> <CAPt1N1nCWgEtsMY4s669CHicWppyz9wCVYA9HR0QR_rGOPXSfA@mail.gmail.com> <CE36578B-780B-4222-B5A8-F6A252259234@shinkuro.com> <CAPt1N1n+PcuJ+AU-6U4TFiJvjNWz1PRNNp+y=zbnMSxZVKZ57A@mail.gmail.com>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <ef9fe1fc-6dc1-5208-994b-19c3b248d42d@nthpermutation.com>
Date: Wed, 14 Dec 2016 12:23:54 -0500
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1
MIME-Version: 1.0
In-Reply-To: <CAPt1N1n+PcuJ+AU-6U4TFiJvjNWz1PRNNp+y=zbnMSxZVKZ57A@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------A28221197AC4A69387D6FCCF"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/lpuvFw8q3TcRZS4UB2MxlSh0xkE>
Subject: Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "homenet-dot"
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Dec 2016 17:23:57 -0000

On 12/14/2016 12:07 PM, Ted Lemon wrote:
> I hope it was obvious that I was pretty confident that you actually 
> had a reason.   :)
>
> The issue what what you are saying is that sometimes it is technically 
> correct for a name to not be validatable.   The reason we want an 
> unsecured delegation for .homenet is that .homenet can't be validated 
> using the root trust anchor, because the name is has no globally 
> unique meaning.   So the reason that you've given doesn't apply to 
> this case, although I completely agree with your reason as it applies 
> to the case of names that are globally unique.

I went back and forth on this three times in 3 minutes "Steve's right, 
no Ted's right, no, Steve's right" before settling on "I think Steve is 
mostly right, but there may be an alternative third approach".

Here's the reasoning:   Either your home router understands .homenet or 
it doesn't.  If it doesn't, then your homenet shouldn't be using 
.homenet and any .homenet lookups to the real world should fail.  If it 
does, then it should trap .homenet queries and do with it what it will.

Doing it Steve's way removes one attack surface for non-compliant 
routers on home networks and for all the rest of the networks (e.g. 
feeding a user a URL with a .homenet name on a fake webpage).

However, I think doing it Steve's way requires a *real* TLD zone for 
.homenet, if for no other reason than to include NSEC and NSEC3 records 
indicating an empty domain.

The third way is to do no delegation from the root for .homenet and just 
ensure that that name never gets registered and published.

"If it's stupid and it works, it's not stupid".

Mike

>
> On Wed, Dec 14, 2016 at 11:59 AM, Steve Crocker <steve@shinkuro.com 
> <mailto:steve@shinkuro.com>> wrote:
>
>     The latter.  All DNS answers at all levels should be signed to
>     assure the querier of the integrity of the answer.  This has been
>     the goal and best practice for a very long time.  For example, it
>     was the explicit objective of the quote substantial DNSSEC effort
>     funded by the US Dept of Homeland Security starting in 2004.
>
>     Within ICANN, in 2009 we made it a formal requirement of all new
>     gTLDs must be signed.  The ccTLDs are not subject to ICANN rules
>     but they have been gradually moving toward signed status.  Most of
>     the major ccTLDs are signed and many of the others are too. 
>     Detailed maps are created every week by ISOC.
>
>     I will also try to contribute to the homenet mailing list.
>
>     Steve
>
>     Sent from my iPhone
>
>     On Dec 14, 2016, at 11:36 AM, Ted Lemon <mellon@fugue.com
>     <mailto:mellon@fugue.com>> wrote:
>
>>     Is this a matter of religious conviction, or is there some issue
>>     with unsecured delegations in the root that you are assuming is
>>     so obvious that you don't need to tell us about it?   :)
>>
>>     On Wed, Dec 14, 2016 at 11:18 AM, Steve Crocker
>>     <steve@shinkuro.com <mailto:steve@shinkuro.com>> wrote:
>>
>>         I am strongly opposed to unsecured delegations in the root
>>         zone.  No matter what the problem is, an unsecured delegation
>>         is not the answer.
>>
>>         Steve
>>
>>>         On Dec 14, 2016, at 11:11 AM, Suzanne Woolf
>>>         <suzworldwide@gmail.com <mailto:suzworldwide@gmail.com>> wrote:
>>>
>>>         Hi all,
>>>
>>>         DNSOP participants who are interested in the special use
>>>         names problem might want to review draft-ietf-homenet-redact
>>>         (https://datatracker.ietf.org/doc/draft-ietf-homenet-redact/
>>>         <https://datatracker.ietf.org/doc/draft-ietf-homenet-redact/>)
>>>         and draft-ietf-homenet-dot
>>>         (https://datatracker.ietf.org/doc/draft-ietf-homenet-dot/
>>>         <https://datatracker.ietf.org/doc/draft-ietf-homenet-dot/>)
>>>         for the WGLC on them in the HOMENET wg.
>>>
>>>         WGLC comments should go to the WG list, homenet@ietf.org
>>>         <mailto:homenet@ietf.org>.
>>>
>>>         If you do, it will also be helpful to look at RFC 7788,
>>>         which specifies the Home Networking Control Protocol for
>>>         homenets.
>>>
>>>         The redact draft is intended to remove the inadvertent
>>>         reservation of “.home” as the default namespace for homenets
>>>         in RFC 7788.
>>>
>>>         The homenet-dot draft is intended to provide a request under
>>>         RFC 6761 for “.homenet” as a special use name to serve as a
>>>         default namespace for homenets. It also asks IANA for an
>>>         unsecured delegation in the root zone to avoid DNSSEC
>>>         validation failures for local names under “.homenet”. The
>>>         root zone request to IANA has caused some discussion within
>>>         the WG, as there’s no precedent for such a request.
>>>
>>>         Terry Manderson mentioned the homenet-dot draft briefly at
>>>         the mic in Seoul.
>>>
>>>         The WGLC ends this week.
>>>
>>>
>>>         Suzanne
>>>
>>>>         Begin forwarded message:
>>>>
>>>>         *From: *Ray Bellis <ray@bellis.me.uk <mailto:ray@bellis.me.uk>>
>>>>         *Subject: **[homenet] WGLC on "redact" and "homenet-dot"*
>>>>         *Date: *November 17, 2016 at 11:27:08 PM EST
>>>>         *To: *HOMENET <homenet@ietf.org <mailto:homenet@ietf.org>>
>>>>
>>>>         This email commences a four week WGLC comment period on
>>>>         draft-ietf-homenet-redact and draft-ietf-homenet-dot
>>>>
>>>>         Please send any comments to the WG list as soon as possible.
>>>>
>>>>         Whilst there was a very strong hum in favour of ".homenet"
>>>>         vs anything
>>>>         else during the meeting, and there's some discussion of
>>>>         that ongoing
>>>>         here on the list - I'd like us to please keep the
>>>>         discussion of the
>>>>         choice of domain separate from other substantive comment
>>>>         about the
>>>>         drafts' contents.
>>>>
>>>>         thanks,
>>>>
>>>>         Ray
>>>>
>>>>         _______________________________________________
>>>>         homenet mailing list
>>>>         homenet@ietf.org <mailto:homenet@ietf.org>
>>>>         https://www.ietf.org/mailman/listinfo/homenet
>>>>         <https://www.ietf.org/mailman/listinfo/homenet>
>>>
>>>         _______________________________________________
>>>         DNSOP mailing list
>>>         DNSOP@ietf.org <mailto:DNSOP@ietf.org>
>>>         https://www.ietf.org/mailman/listinfo/dnsop
>>>         <https://www.ietf.org/mailman/listinfo/dnsop>
>>
>>
>>         _______________________________________________
>>         DNSOP mailing list
>>         DNSOP@ietf.org <mailto:DNSOP@ietf.org>
>>         https://www.ietf.org/mailman/listinfo/dnsop
>>         <https://www.ietf.org/mailman/listinfo/dnsop>
>>
>>
>
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email