Re: [DNSOP] Validating stubs? Was: Re: WG review of draft-ietf-homenet-dot-03

George Michaelson <> Wed, 22 March 2017 23:19 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0C99A1270A7 for <>; Wed, 22 Mar 2017 16:19:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id A__YyylOdM-P for <>; Wed, 22 Mar 2017 16:19:19 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400c:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 275C0126C83 for <>; Wed, 22 Mar 2017 16:19:19 -0700 (PDT)
Received: by with SMTP id r69so28208730vke.2 for <>; Wed, 22 Mar 2017 16:19:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=+iKrttGA9vPGm87ibBmp6AK0GsYB1zPo7AyZbB2jkng=; b=ZUcT+ll3gWTJaZ/kI9g9wEroE+lm7ISP+sljXtRe5b9MlvqjT1WHsbSolGoRGlCay0 nIPYiUAiSuQ0YYiP485/sf/1deyCXKjVM2wuqURNHPzPlzaj8TP73iiI0CvbjJRueE7I JQwsAoAsAKd0PeXGTsLJVU0Y4Wn4OF74BgXPgQthAS8KLHxgY6HyEhiKApd/6d9+2Qqa r90MH14UhQux68OjwfrjGPaFW4NvPVS96N5+tci5PQuxgmAT/d9kWNLCx1urmKAMNk80 PgQvWS+MUBNgn3DeFCVoILGkm530xlVpNsam80BSwFBmC0xtTxququvUdNUizcqEnusl GRig==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=+iKrttGA9vPGm87ibBmp6AK0GsYB1zPo7AyZbB2jkng=; b=tv2vUYlrwxilaGXzAHQoMY2TUWw8Ieh7HaW4oawYjo/pLVYNIkV6RDDo8lnfs2vnwj mk3TUrnmCOE8yPrn3vebapc+TcFCg7K9x6rQ8vnRDmyP0LbF4YpGnghU4UJPYbm9IyC1 vzEVx4uvwY2Mx9dbCboMThHfsdVQcx8ng8OvmGSFCKcJEON/gMpOdMJMyFoQi9yvcELB TmuE+kbe3UM9Jp6oPiUbim2gnYXEeqOpBqmZUtCN7k7ksFLoTs49I6HV74A4Bfreyvan kcZhIB/fqou4gx1xKB7Q+ae/ifjKHHKLVaMCsLxwzSluzzmOxNa13VM9ltXO+C+k9puU GBVQ==
X-Gm-Message-State: AFeK/H0r8Cd6+n+IIOhrdlB1ZkNRTPdI8ea+yVUiDiq26COCcPQdTW/QSEGpshYfjlgyB01VAeJqC9v5r8+Chg==
X-Received: by with SMTP id a189mr6876294vkh.1.1490224758166; Wed, 22 Mar 2017 16:19:18 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Wed, 22 Mar 2017 16:19:17 -0700 (PDT)
X-Originating-IP: [2001:dc0:a000:4:e441:91bb:2c01:6c82]
In-Reply-To: <>
References: <>
From: George Michaelson <>
Date: Thu, 23 Mar 2017 09:19:17 +1000
Message-ID: <>
To: Brian Dickson <>
Cc: " WG" <>
Content-Type: text/plain; charset=UTF-8
Archived-At: <>
Subject: Re: [DNSOP] Validating stubs? Was: Re: WG review of draft-ietf-homenet-dot-03
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 22 Mar 2017 23:19:22 -0000

Your question is well timed. with DNSSEC keyroll happening, the
question: "what level of 5011 deployement" exists is unanswerable with
authority because the architects did not consider signalling of
capability sufficiently trustable. So we have no direct measure of
capability, and a weak, indirect sense of deployment from other
signals of capabilities which would imply post-5011 capable code, but
cannot say if a locally maintained hand-installed TA is in use.

So the question "is it assumed" is a good one. I think the answer is
"yes, we design for the assumption DNS now is enabled for 5011, or
else is owning its problems"


On Thu, Mar 23, 2017 at 9:08 AM, Brian Dickson
<> wrote:
> I was thinking about the DNSSEC validation by stubs, with respect to the
> homenet discussion.
> And, I was wondering about various trust anchor options (other than ICANN's
> current root trust anchor).
> It occurred to me, that any non-ICANN trust anchor, would possibly require
> 5011 key rolls under certain circumstances.
> Which begs the question: are validating stub resolvers presumed to be
> 5011-capable?
> But, I realize, the issue of 5011 capability also exists for the root trust
> anchor.
> So, the dilemma is:
> Can we assume 5011 stub support regardless?
> If not, does this make the DNSSEC issue for homenet moot, since the root KSK
> will be rolled in the near future (for some value of "near future"), and
> break stub validation?
> On the other hand, if 5011 support by stubs is assumed, there is one
> interesting option:
> Establish a trust anchor for homenet (whatever name is used), AND publish
> the private keys.
> This creates the ability to have a master DNS authority server, in any given
> homenet instance, sign the data in the homenet zone. The default software
> could/would need to ship with the trust anchor, and the private key. The
> out-of-the-box behavior would just work, and would verify/validate properly
> for validating stubs that ship with the homenet trust anchor.
> There would then be the ability for users running their own homenet
> networks, to do the equivalent of changing the default password -- they
> would be able to do a 5011 key roll, which would cause the default trust
> anchor to be replaced with a unique trust anchor for that specific homenet.
> It's not part of the homenet standard (yet), but might be worth thinking
> about.
> Again, the main question is, has an assumption about 5011 support in stubs
> been made, and is it a valid assumption?
> If not, to re-emphasize, then the "unsigned delegation" thing isn't even
> necessary, since the stub resolvers won't be able to validate ANYTHING.
> Brian
> _______________________________________________
> DNSOP mailing list