Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"
Mark Andrews <marka@isc.org> Thu, 15 December 2016 01:18 UTC
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48304129ECB; Wed, 14 Dec 2016 17:18:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.797
X-Spam-Level:
X-Spam-Status: No, score=-9.797 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-2.896, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XAK1036UB08Z; Wed, 14 Dec 2016 17:18:10 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C441F1294AB; Wed, 14 Dec 2016 17:18:10 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 877033493BB; Thu, 15 Dec 2016 01:18:08 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 76C6916000F; Thu, 15 Dec 2016 01:18:08 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 5D9E516006E; Thu, 15 Dec 2016 01:18:08 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id O04aQWyEZDhu; Thu, 15 Dec 2016 01:18:08 +0000 (UTC)
Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 518C116000F; Thu, 15 Dec 2016 01:18:07 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id A2B705CE7CAA; Thu, 15 Dec 2016 12:18:03 +1100 (EST)
To: Brian Dickson <brian.peter.dickson@gmail.com>
From: Mark Andrews <marka@isc.org>
References: <20161214220428.1688.qmail@ary.lan> <9EC2695D-5CC5-479F-9998-27810608E71E@fugue.com> <CAH1iCioPZiO78j478BV7t=pTN9LZXQbweeBZQF2w3O1gKwx3XA@mail.gmail.com>
In-reply-to: Your message of "Wed, 14 Dec 2016 16:43:52 -0800." <CAH1iCioPZiO78j478BV7t=pTN9LZXQbweeBZQF2w3O1gKwx3XA@mail.gmail.com>
Date: Thu, 15 Dec 2016 12:18:03 +1100
Message-Id: <20161215011803.A2B705CE7CAA@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/yEVgO6ZRVCIFdI96pnsPhtwUQiU>
Cc: John Levine <johnl@taugh.com>, "dnsop@ietf.org WG" <dnsop@ietf.org>, Ted Lemon <mellon@fugue.com>, homenet@ietf.org, msj@nthpermutation.com
Subject: Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Dec 2016 01:18:12 -0000
In message <CAH1iCioPZiO78j478BV7t=pTN9LZXQbweeBZQF2w3O1gKwx3XA@mail.gmail.com> , Brian Dickson writes: > > On Wed, Dec 14, 2016 at 4:09 PM, Ted Lemon <mellon@fugue.com> wrote: > > > On Dec 14, 2016, at 5:04 PM, John Levine <johnl@taugh.com> wrote: > > > > But it's worse than that -- if your client software does DNSSEC > > validation it needs to understand that homenet is a special case and > > it's OK not to validate. > > > > [etc] > > > > > > That is precisely why we need an unsecured delegation. > > > > > > > I agree that in the current world, an unsigned delegation is required. > > I would humbly suggest that use of an AS112-like set of well-known names > and IP addresses, would be the preferred way of DOING that delegation. > > A well-known address set would allow homenet-aware devices to be pre-loaded > with the address of the NS, while non-aware would learn it through the > delegation. > > If it were possible to have the names be served by root servers (as a > consequence of being in the set of domains served by the root servers), > then the glue data would be signed and validate-able, which is about as > good as you can get (security-wise), while making homenet strictly local. > > (Within a given homenet, the well known IP(s) could be handled via anycast > or similar mechanisms, presuming the homenet mechanisms support things like > that.) > > My personal recommendation would be non-RFC-1918 well known addresses. > > This ensures that for queries that leak from non-1918 space sourced > queries, that the delegation is to an address that is guaranteed to be > reachable, even if the local set-up is badly broken. > > That IP would be configured to give itself as the answer to any query, and > be configured to provide (rate-limed) HTTP (wild-card) responses, > that serve up the RFC for how to set up homenet. (If that RFC doesn't > exist, that really should be next on the WG milestones.) > > All roads would then lead to the answer to the question, which is, "How do > I get this stuff to work?". > > Brian Why is this any better than a referral to the existing root servers and a empty locally served .homenet zone with the previously mentioned constraint of only enabling it when the namespace is not being forwarded. We do this for all the default local zones so this will just be a extra name in the list of empty local zones that are automatically configured. A 5 minute job to commit to all the branches once the name is approved. Other vendors do similar. The root servers will always need to be answering for homenet/DS. The locally served .homenet zone will stop most of the leaks for *.homenet at the ISP level. If there are too many leaks after 5 years (give ISPs time to deploy the new servers) then consider a AS112 like solution but I don't think it will be needed. Mark > PS For the DNSSEC-aware humans: > > I think this exposes an unforeseen edge case, not covered in the design of > DNSSEC. > > I think what would have been ideal, would have been the ability to securely > delegate to a well-known name/address, but without a secure entry point. > I.e. where parent/child NS use different RRTYPEs, and the parent NS is > signed (along with glue), and there is no DS. > > The child could exist as an island of security, and have a self-signed > DNSKEY (or KSK/ZSK pair). -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- [homenet] WGLC on "redact" and "homenet-dot" Ray Bellis
- Re: [homenet] WGLC on "redact" and "homenet-dot" Ralph Droms
- Re: [homenet] WGLC on "redact" and "homenet-dot" Ray Bellis
- Re: [homenet] WGLC on "redact" and "homenet-dot" Ted Lemon
- Re: [homenet] WGLC on "redact" and "homenet-dot" Ralph Droms
- Re: [homenet] WGLC on "redact" and "homenet-dot" Ted Lemon
- Re: [homenet] WGLC on "redact" and "homenet-dot" james woodyatt
- Re: [homenet] WGLC on "redact" and "homenet-dot" Ted Lemon
- Re: [homenet] WGLC on "redact" and "homenet-dot" Mark Andrews
- Re: [homenet] WGLC on "redact" and "homenet-dot" james woodyatt
- Re: [homenet] WGLC on "redact" and "homenet-dot" Ted Lemon
- Re: [homenet] WGLC on "redact" and "homenet-dot" james woodyatt
- Re: [homenet] WGLC on "redact" and "homenet-dot" Ted Lemon
- Re: [homenet] WGLC on "redact" and "homenet-dot" Ralph Droms
- Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "… Steve Crocker
- Re: [homenet] WGLC on "redact" and "homenet-dot" Ted Lemon
- Re: [homenet] WGLC on "redact" and "homenet-dot" Ralph Droms
- [DNSOP] Fwd: [homenet] WGLC on "redact" and "home… Suzanne Woolf
- Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "… Ted Lemon
- Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "… Steve Crocker
- Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "… Ted Lemon
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Steve Crocker
- Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "… Michael StJohns
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Ralph Droms
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Ray Bellis
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Steve Crocker
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Michael StJohns
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Ted Lemon
- Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "… Ted Lemon
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Ralph Droms
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Suzanne Woolf
- Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "… Jaap Akkerhuis
- Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "… Ted Lemon
- Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "… Ray Bellis
- Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "… John Levine
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Jim Reid
- Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "… Jaap Akkerhuis
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Ray Bellis
- Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "… Ray Bellis
- Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "… Mark Andrews
- Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "… John Levine
- Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "… John Levine
- Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "… John Levine
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Ralph Droms
- Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "… Mark Andrews
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… Mark Andrews
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Ted Lemon
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Ted Lemon
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… Ted Lemon
- Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "… Ted Lemon
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Ray Bellis
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Ted Lemon
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… Brian Dickson
- Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "… Brian Dickson
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… John R Levine
- Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "… John R Levine
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… John R Levine
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… Ted Lemon
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… George Michaelson
- Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "… Mark Andrews
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… Mark Andrews
- Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "… John R Levine
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… John R Levine
- Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "… Juliusz Chroboczek
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… Juliusz Chroboczek
- Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "… Juliusz Chroboczek
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… Juliusz Chroboczek
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… John Levine
- Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "… John Levine
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… John Levine
- Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "… Brian Dickson
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… Brian Dickson
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… Ted Lemon
- Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "… Ted Lemon
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… Ted Lemon
- Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "… Ted Lemon
- Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "… Mark Andrews
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… Mark Andrews
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… Brian Dickson
- Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "… Brian Dickson
- Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "… Juliusz Chroboczek
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… Juliusz Chroboczek
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… Ted Lemon
- Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "… Ted Lemon
- Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "… John R Levine
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… John R Levine
- Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "… Mark Andrews
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… Mark Andrews
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… Mark Andrews
- Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "… Mark Andrews
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… Mark Andrews
- Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "… Mark Andrews
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… Juliusz Chroboczek
- Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "… Juliusz Chroboczek
- Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "… Ted Lemon
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… Ted Lemon
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Jacques Latour
- Re: [homenet] WGLC on "redact" and "homenet-dot" Jacques Latour
- Re: [homenet] [DNSOP] WGLC on "redact" and "homen… Bob Harold
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Bob Harold
- Re: [homenet] [DNSOP] WGLC on "redact" and "homen… Ray Bellis
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Ray Bellis
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Michael StJohns
- Re: [homenet] WGLC on "redact" and "homenet-dot" Ted Lemon
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Ted Lemon
- Re: [homenet] WGLC on "redact" and "homenet-dot" Suzanne Woolf
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Suzanne Woolf
- Re: [homenet] WGLC on "redact" and "homenet-dot" Andrew Sullivan
- Re: [homenet] [DNSOP] WGLC on "redact" and "homen… Steve Crocker
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Steve Crocker
- Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "… Mark Andrews
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… Mark Andrews
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… james woodyatt
- Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "… james woodyatt
- Re: [homenet] [DNSOP] WGLC on "redact" and "homen… Ted Lemon
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Ted Lemon
- Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "… Mark Andrews
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… Mark Andrews
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Mark Andrews
- Re: [homenet] [DNSOP] WGLC on "redact" and "homen… Mark Andrews
- Re: [homenet] [DNSOP] WGLC on "redact" and "homen… Ted Lemon
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Ted Lemon
- Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "… John R Levine
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… John R Levine
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… Ted Lemon
- Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "… Ted Lemon
- Re: [homenet] [DNSOP] iterative vs. forwarder, wa… John R Levine
- Re: [DNSOP] [homenet] iterative vs. forwarder, wa… John R Levine
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Michael StJohns
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Ted Lemon
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Jacques Latour
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Ted Lemon
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Mark Andrews
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Suzanne Woolf
- Re: [homenet] [DNSOP] WGLC on "redact" and "homen… Suzanne Woolf
- Re: [DNSOP] [homenet] iterative vs. forwarder, wa… william manning
- Re: [homenet] [DNSOP] iterative vs. forwarder, wa… william manning
- Re: [homenet] WGLC on "redact" and "homenet-dot" Ray Bellis
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… David Conrad
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… william manning
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… David Conrad
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… william manning
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… Ralf Weber
- [DNSOP] reducing the crap going to the root Jim Reid
- Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "… Shane Kerr
- Re: [DNSOP] reducing the crap going to the root Burkov Dmitry
- Re: [DNSOP] reducing the crap going to the root Jim Reid
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Stephane Bortzmeyer
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Jaap Akkerhuis
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Ted Lemon
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Mark Andrews
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Stephane Bortzmeyer
- Re: [DNSOP] [homenet] WGLC on "redact" and "homen… Jaap Akkerhuis