Re: [DNSOP] ALT-TLD and (insecure) delgations.

[Bob Harold <rharolde@umich.edu>]

On Mon, Feb 6, 2017 at 10:37 PM, Brian Dickson <
brian.peter.dickson@gmail.com> wrote:

> TL;DR: it is possible to have a signed DNAME in the root for alt (to
> empty.as112.arpa), AND have a local signed alt. Things under this local alt
> can be signed or unsigned.
>
> On Fri, Feb 3, 2017 at 1:09 PM, Mark Andrews <marka@isc.org> wrote:
>
>>
>> In message <CAH1iCiqXohb_7LsQ2EMo8ZB-t20mKq_nUDS8vebhtSXoM13DTg@mail.
>> gmail.com>
>> , Brian Dickson writes:
>> >
>> >    - I am in favor of AS112 for ALT
>> >    - For AS112, I prefer the AS112++ method (DNAME)
>> >    - I do not see why the DNAME would/should not be DNSSEC signed
>> >    - Any local use of ALT can be served locally and signed using an
>> >    alternative trust anchor
>>
>> You need a insecure delegation for ALT for the purposes we want to
>> use ALT for.
>>
>> Go setup a test rig where you have a signed root with ALT as you
>> described.  A validiting recursive server which also serves foo.alt.
>> A second validating recursive server which forwards all queries to
>> the first recursive server.  All servers are configured with a trust
>> anchor for the test root zone and are validating responses.  Try
>> to perform a lookup on foo.alt.
>>
>
> I spent some time mocking up a variety of configurations.
>
> My original assertion stands; the particulars on making it work are
> perhaps not interesting to everyone.
> However, it falls in the "pics or it didn't happen" category, so here's
> what I did to make it work.
>
> 1 - set up a general resolver with the standard ICANN root trust anchor.
> Call it "X".
> 2 - set up a local "fake root server" which delegates to a "local alt
> server". Call this fake root server "F"
> 3 - set up a local "alt server" which serves the local "alt" domain
> (including any delegations, etc). Cal this "A".
> 3 - set up a second resolver, with appropriate trust anchor(s), that uses
> a "fake root server" instead of the real root. Call this "Y".
> 4 - set up a forwarder, which is configured to always forward to "X",
> except for the zone "alt", where it forwards to "Y". Make sure the
> necessary trust anchors are configured. Call this "Z".
>
> Z->Y if QNAME matches "alt" or "*.alt" (and validates with local trust
> anchors)
> Z->X otherwise (and validates using the ICANN root trust anchor).
>
> When I do this, I get real answers for everything but "alt". For anything
> at or under "alt", I get my own local copy.
>
> Everything validates (or is from below an insecure delegation point).
>
>
>>
>> The second recursive server is the validating client that needs to
>> be able to get a answer other than BOGUS.  As we want to allow
>> foo.alt to be unsigned there can't be any other trust anchors,
>> including negative, configured.
>>
>
> In the above scenario, you CAN have an unsigned foo.alt, and it will not
> get BOGUS.
>
> If you want me to send you configs, just drop me a line.
>
>>
>> Only solutions which allow content from the foo.alt zone to be
>> successfully resolved are acceptable.
>>
>> The following will not work with the above rig:
>> * No delegation for ALT.
>> * A secure delegation for ALT.
>> * A DNAME for ALT in the root zone.
>>
>> Mark
>
>
> The problem is with your set-up, not the ability to have a working
> local-alt set-up.
>
> You need to put "foo.alt" somewhere OTHER than on the validating recursive
> server (which knows how to find the local "alt" stuff.)
>
> TIL you can't mix authority and recursive on the same server, when you are
> the target of a forwarder.
>
> If the two are separated, it works correctly, including using an alternate
> trust anchor for "alt".
>
> Brian
>
> That's a lot of overhead just to get a local .alt domain.

What I envision for the future is an insecure delegation of .alt, and an
option in future cable modems to enable a local "homenet.alt" domain, which
would just work, even if some stub resolvers in the house are validating.
The cable modem is already a recursive resolver or forwarder, and dhcp
server, so it seems a logical place for the local domain.

-- 
Bob Harold