Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

Ted Lemon <mellon@fugue.com> Thu, 15 December 2016 04:02 UTC

In-Reply-To: <CAH1iCirFZtCWVkMqFp8Fb=wJLzmBNb2k5PfxKBRNUtgVR7cMXA@mail.gmail.com>
References: <20161214220428.1688.qmail@ary.lan> <9EC2695D-5CC5-479F-9998-27810608E71E@fugue.com> <CAH1iCioPZiO78j478BV7t=pTN9LZXQbweeBZQF2w3O1gKwx3XA@mail.gmail.com> <20161215011803.A2B705CE7CAA@rock.dv.isc.org> <CAH1iCir6R=DG+RM1BoMn1s31x3ZoN4bHLO7dWdVL-yCD3u3R0A@mail.gmail.com> <CAPt1N1=Mw=LSQ+dwFX2MFKTzSHMzWKAMLrW9fQPaAggMb+GJ-A@mail.gmail.com> <CAH1iCirFZtCWVkMqFp8Fb=wJLzmBNb2k5PfxKBRNUtgVR7cMXA@mail.gmail.com>
From: Ted Lemon <mellon@fugue.com>
Date: Wed, 14 Dec 2016 23:01:26 -0500
Message-ID: <CAPt1N1nHmrRwAGGJCTwD=PhW1w=QHHSnvi1D3GN4kNxHSgapEA@mail.gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xNen52fnSiqS5Ivxdq94Xmy3ArU>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, John Levine <johnl@taugh.com>, HOMENET <homenet@ietf.org>, Michael StJohns <msj@nthpermutation.com>
Subject: Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

A stub resolver is expected to query a caching resolver, not the root.   So
all that is required for this to work is that the resolver advertised on
the homenet claim authority for the zone, and that there be an unsecured
delegation that validates that the homenet resolver can give to the stub
resolver.   Stub resolvers that query the root themselves will fail.   This
is a feature--that behavior is broken.

On Wed, Dec 14, 2016 at 10:30 PM, Brian Dickson <brian.peter.dickson@gmail.com> wrote:

> On Wed, Dec 14, 2016 at 6:37 PM, Ted Lemon <mellon@fugue.com> wrote:
>
>> Brian, there's no need for the complexity you are describing.   The
>> unsecured delegation of .homenet would just point to AS112.   Any trust
>> anchor bootstrapping would not involve the root at all.
>>
>
> Is the intent just to have a global NXDOMAIN, provided with no DNSSEC?
>
> That works at preventing homenet from working unless every resolver inside
> the home network is homenet-aware.
> (And yes, I realize as currently specified in RFC 7778, that is a
> requirement.)
>
> However, I don't believe that is the only (or optimal) path for the homenet.
>
> Their stated goal is that they want everything to work, plug-and-play.
>
> What I'm proposing will (I believe) actually produce a working network as
> long as a single resolver is homenet-aware.
> It automatically gets non-homenet-aware resolvers to point at
> homenet-aware resolvers (i.e. homenet routers), as long as the default
> address for homenet routers' DNS service is the same as the value assigned
> in the AS112-like delegation.
>
> I.e. it turns a broken hybrid of "today" networks plus a "homenet", into a
> fully functional homenet with a minimum of deployments/upgrades/replacements.
> It also minimizes the "broken Christmas light" aka "missing terminator"
> class of problem, if any host is running its own recursive resolver (which
> would then fail to properly integrate into the homenet.)
>
> (Also, I think having things with built-in firmware-based crappy resolvers
> actually work without any patching, would be nice.)
>
> I agree that an unsigned delegation is sufficient for non-hybrid
> homenet-aware gear to provide hosts a correct homenet experience.
>
> Brian
>
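The distinction the reply turns on, an unsecured delegation "that validates" versus no delegation at all, can be made concrete with a small model of a validating resolver's DS lookup. The following is an added example, not code from this thread, from the homenet drafts or from any AS112 deployment; the root-zone records, the AS112 server names, the resolver address and all helper names are constructed for illustration, and the validation logic is a deliberate simplification of RFC 4035 section 5.2. It shows why a homenet resolver's unsigned answers are accepted (as "insecure") only when the signed root carries an NS-without-DS delegation, why they are "bogus" when the root proves the name absent, and why a stub that walks from the root itself ends up at the AS112 sink rather than at the local data.

```python
# Added example (not code from the thread, the homenet drafts or AS112):
# toy model of how a validating stub treats answers for names under "homenet"
# depending on what the signed root says about that label.
from dataclasses import dataclass, field

# Constructed root-zone views of the "homenet" label. A validator asking the
# root for "homenet DS" gets back either a DS RRset or a signed NSEC proving
# which types exist at the name (or that the name does not exist at all).
ROOT_NO_DELEGATION = {}                                                        # name proven absent
ROOT_INSECURE = {"homenet": {"NS": ["as112-a.example.", "as112-b.example."]}}  # NS, no DS (constructed names)
ROOT_SECURE = {"homenet": {"NS": ["ns.example."], "DS": ["<ds-placeholder>"]}} # NS and DS

HOMENET_RESOLVER_ADDR = "192.0.2.53"   # constructed TEST-NET address, assumption only


def delegation_state(root, label):
    """Simplified RFC 4035 section 5.2 DS-lookup outcome for one label at the root.

    'secure'   : DS present, so the child zone must be signed with a matching key
    'insecure' : NS present but DS proven absent; unsigned child data is accepted
    'none'     : the name is proven not to exist, so nothing below it can be
                 authenticated and data claiming to be from there is bogus
    """
    rrsets = root.get(label)
    if rrsets is None or "NS" not in rrsets:
        return "none"
    return "secure" if "DS" in rrsets else "insecure"


def validate(root, qname, answer):
    """Map an answer for qname (e.g. 'printer.homenet') to a validation result."""
    state = delegation_state(root, qname.split(".")[-1])
    if answer["signed"] and state == "secure":
        return "secure"
    if state == "insecure":
        return "insecure"   # accepted, but not DNSSEC-protected
    return "bogus"          # no delegation, or DS exists but the data is unsigned


@dataclass
class HomenetResolver:
    """Homenet-aware caching resolver that claims authority for 'homenet' and
    serves unsigned, locally learned names (constructed data)."""
    local_names: dict = field(default_factory=lambda: {"printer.homenet": "fd00::10"})

    def answer(self, qname):
        if qname in self.local_names:
            return {"rcode": "NOERROR", "data": self.local_names[qname], "signed": False}
        return {"rcode": "NXDOMAIN", "data": None, "signed": False}


def as112_answer(qname):
    """AS112-style sink: NXDOMAIN for every name under the delegated zone."""
    return {"rcode": "NXDOMAIN", "data": None, "signed": False}


def resolve(root, qname, resolver, via_homenet_resolver=True):
    """Return (rcode, data, validation) as seen by a validating stub.

    via_homenet_resolver=True : the stub asks the homenet caching resolver (expected)
    via_homenet_resolver=False: the stub walks from the root itself (the broken case)
    """
    label = qname.split(".")[-1]
    if via_homenet_resolver:
        ans = resolver.answer(qname)
    elif delegation_state(root, label) == "none":
        ans = {"rcode": "NXDOMAIN", "data": None, "signed": True}  # signed denial from the root
    else:
        ans = as112_answer(qname)   # the referral lands at the AS112 sink, never at local data
    if ans["rcode"] == "NXDOMAIN":
        validation = "secure" if ans["signed"] else validate(root, qname, ans)
        return ("NXDOMAIN", None, validation)
    return ("NOERROR", ans["data"], validate(root, qname, ans))


def demo():
    """Run the three cases the thread discusses and return them keyed by scenario."""
    r = HomenetResolver()
    return {
        "stub -> homenet resolver, unsecured delegation": resolve(ROOT_INSECURE, "printer.homenet", r),
        "stub -> homenet resolver, no delegation":        resolve(ROOT_NO_DELEGATION, "printer.homenet", r),
        "stub walks from root, unsecured delegation":     resolve(ROOT_INSECURE, "printer.homenet", r, False),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

The first scenario is the one the reply describes as working: the local answer is unsigned, but because the root proves "NS exists, DS absent" the validator classifies it as insecure and accepts it. In the second scenario the root proves that "homenet" does not exist, so the same local answer cannot be placed under any delegation and is rejected as bogus; that is what the unsecured delegation buys. The third scenario is the stub that bypasses the caching resolver: it follows the delegation to the AS112 sink and gets NXDOMAIN, never seeing the homenet data.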