Re: [DNSOP] Validating stubs? Was: Re: WG review of draft-ietf-homenet-dot-03
George Michaelson <ggm@algebras.org> Wed, 22 March 2017 23:19 UTC
Return-Path: <ggm@algebras.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C99A1270A7 for <dnsop@ietfa.amsl.com>; Wed, 22 Mar 2017 16:19:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=algebras-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A__YyylOdM-P for <dnsop@ietfa.amsl.com>; Wed, 22 Mar 2017 16:19:19 -0700 (PDT)
Received: from mail-vk0-x229.google.com (mail-vk0-x229.google.com [IPv6:2607:f8b0:400c:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 275C0126C83 for <dnsop@ietf.org>; Wed, 22 Mar 2017 16:19:19 -0700 (PDT)
Received: by mail-vk0-x229.google.com with SMTP id r69so28208730vke.2 for <dnsop@ietf.org>; Wed, 22 Mar 2017 16:19:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=algebras-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=+iKrttGA9vPGm87ibBmp6AK0GsYB1zPo7AyZbB2jkng=; b=ZUcT+ll3gWTJaZ/kI9g9wEroE+lm7ISP+sljXtRe5b9MlvqjT1WHsbSolGoRGlCay0 nIPYiUAiSuQ0YYiP485/sf/1deyCXKjVM2wuqURNHPzPlzaj8TP73iiI0CvbjJRueE7I JQwsAoAsAKd0PeXGTsLJVU0Y4Wn4OF74BgXPgQthAS8KLHxgY6HyEhiKApd/6d9+2Qqa r90MH14UhQux68OjwfrjGPaFW4NvPVS96N5+tci5PQuxgmAT/d9kWNLCx1urmKAMNk80 PgQvWS+MUBNgn3DeFCVoILGkm530xlVpNsam80BSwFBmC0xtTxququvUdNUizcqEnusl GRig==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=+iKrttGA9vPGm87ibBmp6AK0GsYB1zPo7AyZbB2jkng=; b=tv2vUYlrwxilaGXzAHQoMY2TUWw8Ieh7HaW4oawYjo/pLVYNIkV6RDDo8lnfs2vnwj mk3TUrnmCOE8yPrn3vebapc+TcFCg7K9x6rQ8vnRDmyP0LbF4YpGnghU4UJPYbm9IyC1 vzEVx4uvwY2Mx9dbCboMThHfsdVQcx8ng8OvmGSFCKcJEON/gMpOdMJMyFoQi9yvcELB TmuE+kbe3UM9Jp6oPiUbim2gnYXEeqOpBqmZUtCN7k7ksFLoTs49I6HV74A4Bfreyvan kcZhIB/fqou4gx1xKB7Q+ae/ifjKHHKLVaMCsLxwzSluzzmOxNa13VM9ltXO+C+k9puU GBVQ==
X-Gm-Message-State: AFeK/H0r8Cd6+n+IIOhrdlB1ZkNRTPdI8ea+yVUiDiq26COCcPQdTW/QSEGpshYfjlgyB01VAeJqC9v5r8+Chg==
X-Received: by 10.31.227.198 with SMTP id a189mr6876294vkh.1.1490224758166; Wed, 22 Mar 2017 16:19:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.72.218 with HTTP; Wed, 22 Mar 2017 16:19:17 -0700 (PDT)
X-Originating-IP: [2001:dc0:a000:4:e441:91bb:2c01:6c82]
In-Reply-To: <CAH1iCiq6nVGMpv7c1UVc8SurOWLQK1DViETof4W06tRXes=rSA@mail.gmail.com>
References: <CAH1iCiq6nVGMpv7c1UVc8SurOWLQK1DViETof4W06tRXes=rSA@mail.gmail.com>
From: George Michaelson <ggm@algebras.org>
Date: Thu, 23 Mar 2017 09:19:17 +1000
Message-ID: <CAKr6gn247yo6EG6G+P013htKTJ8P6gVzo9LnbeU0hBW6YHGYaA@mail.gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/mtsbfHRzdoaeETXivnuafl7Quro>
Subject: Re: [DNSOP] Validating stubs? Was: Re: WG review of draft-ietf-homenet-dot-03
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Mar 2017 23:19:22 -0000
Your question is well timed. with DNSSEC keyroll happening, the question: "what level of 5011 deployement" exists is unanswerable with authority because the architects did not consider signalling of capability sufficiently trustable. So we have no direct measure of capability, and a weak, indirect sense of deployment from other signals of capabilities which would imply post-5011 capable code, but cannot say if a locally maintained hand-installed TA is in use. So the question "is it assumed" is a good one. I think the answer is "yes, we design for the assumption DNS now is enabled for 5011, or else is owning its problems" -G On Thu, Mar 23, 2017 at 9:08 AM, Brian Dickson <brian.peter.dickson@gmail.com> wrote: > I was thinking about the DNSSEC validation by stubs, with respect to the > homenet discussion. > > And, I was wondering about various trust anchor options (other than ICANN's > current root trust anchor). > > It occurred to me, that any non-ICANN trust anchor, would possibly require > 5011 key rolls under certain circumstances. > > Which begs the question: are validating stub resolvers presumed to be > 5011-capable? > > But, I realize, the issue of 5011 capability also exists for the root trust > anchor. > > So, the dilemma is: > > Can we assume 5011 stub support regardless? > If not, does this make the DNSSEC issue for homenet moot, since the root KSK > will be rolled in the near future (for some value of "near future"), and > break stub validation? > > On the other hand, if 5011 support by stubs is assumed, there is one > interesting option: > > Establish a trust anchor for homenet (whatever name is used), AND publish > the private keys. > > This creates the ability to have a master DNS authority server, in any given > homenet instance, sign the data in the homenet zone. The default software > could/would need to ship with the trust anchor, and the private key. The > out-of-the-box behavior would just work, and would verify/validate properly > for validating stubs that ship with the homenet trust anchor. > > There would then be the ability for users running their own homenet > networks, to do the equivalent of changing the default password -- they > would be able to do a 5011 key roll, which would cause the default trust > anchor to be replaced with a unique trust anchor for that specific homenet. > > It's not part of the homenet standard (yet), but might be worth thinking > about. > > Again, the main question is, has an assumption about 5011 support in stubs > been made, and is it a valid assumption? > > If not, to re-emphasize, then the "unsigned delegation" thing isn't even > necessary, since the stub resolvers won't be able to validate ANYTHING. > > Brian > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
- [DNSOP] Validating stubs? Was: Re: WG review of d… Brian Dickson
- Re: [DNSOP] Validating stubs? Was: Re: WG review … George Michaelson
- Re: [DNSOP] Validating stubs? Was: Re: WG review … Ted Lemon
- Re: [DNSOP] Validating stubs? Was: Re: WG review … Mark Andrews