Re: [DNSOP] DNS privacy and AS 112: the case of home.arpa

Mark Andrews <marka@isc.org> Wed, 13 December 2017 22:09 UTC

Section 7 says:

"In order to be fully functional, there must be a delegation of 'home.arpa' in the '.arpa' zone [RFC3172]. This delegation MUST NOT be signed, MUST NOT include a DS record, and MUST point to one or more black hole servers, for example BLACKHOLE-1.IANA.ORG and BLACKHOLE-2.IANA.ORG. The reason that this delegation must not be signed is that not signing the delegation breaks the DNSSEC chain of trust, which prevents a validating stub resolver from rejecting names published under 'home.arpa' on a homenet name server."

That's an INSECURE DELEGATION and machines that return NXDOMAIN for *.HOME.ARPA. Note it says “for example”. The names of the servers the zone is delegated to are NOT prescribed there, just the functionality.

RFC 6303 has similar requirements and IANA was able to co-ordinate those delegations.

"As DNSSEC is deployed within the IN-ADDR.ARPA and IP6.ARPA namespaces, the zones listed above will need to be delegated as insecure delegations, or be within insecure zones. This will allow DNSSEC validation to succeed for queries in these spaces despite not being answered from the delegated servers."

Mark

> On 14 Dec 2017, at 8:46 am, Joe Abley <jabley@hopcount.ca> wrote:
> 
> On 11 Dec 2017, at 19:50, Ted Lemon <mellon@fugue.com> wrote:
> 
>> On Dec 11, 2017, at 11:17 AM, Joe Abley <jabley@hopcount.ca> wrote:
>>> Note though that the homenet document specifically requests a delegation.
>> 
>> Please do not read more into the document than was intended.   What Mark is saying looks to me like an accurate representation of what we intended.   The goal is simply for it to be the case that there is not an unsigned delegation for home.arpa, which means that it has to point _somewhere_.   I am a bit frustrated to hear that this is turning into a substantial amount of effort.   It should be extremely simple.   There is no wrong answer for what the delegation looks like other than "signed."
> 
> So it's fine if the delegation is secure (which is I presume what you mean by signed) but lame?
> 
> The document actually specifies quite clearly that the delegation "MUST NOT include a DS record" which seems to be different from what you are saying. It also specifies that the delegation "MUST point to one or more black hole servers", which is pretty vague language following a MUST.
> 
> I appreciate that the intention of homenet may well have been clear, but the text in section 7 is definitely not clear. I think actually it would have been reasonable for IANA to send it back as ambiguous before it got to the RFC Editor queue.
> 
> 
> Joe

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
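The chain-of-trust argument in Section 7 and in the RFC 6303 passage above, as an added example that is not part of the thread or of any RFC: a simplified Python model of the RFC 4035 validation outcomes (Secure, Insecure, Bogus) showing that an insecure delegation (NS records, no DS) lets a validating stub accept unsigned answers from a homenet or locally served zone, whereas a DS in .arpa would turn those same answers into Bogus and get them rejected. Zone contents are constructed; the `Zone`, `validation_status` and `homenet_outcome` names are this example's own.

```python
# Added example (not from the thread or any RFC): a simplified model of the
# DNSSEC chain-of-trust outcome for names under home.arpa, showing why the
# delegation in .arpa must carry no DS record. All zone data is constructed.
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    signed: bool                            # zone is DNSSEC-signed
    ds: set = field(default_factory=set)    # child zones that have a DS here


def validation_status(chain, answer_signed):
    """chain: zones from the trust anchor (root) down to the zone that
    produced the answer; answer_signed: whether the answer carries a valid
    RRSIG. Returns 'Secure', 'Insecure' or 'Bogus' in RFC 4035 terms."""
    status = "Secure" if chain[0].signed else "Insecure"
    for parent, child in zip(chain, chain[1:]):
        if status != "Secure":
            break                           # once insecure, stays insecure
        if child.name in parent.ds:
            if not child.signed:
                return "Bogus"              # DS published but child unsigned
        else:
            # A signed parent proves (NSEC/NSEC3) that no DS exists: this is
            # an authenticated insecure delegation, so validation stops here.
            status = "Insecure"
    if status == "Secure":
        return "Secure" if answer_signed else "Bogus"
    return status


ROOT = Zone(".", signed=True, ds={"arpa"})  # constructed trust anchor


def homenet_outcome(arpa_has_ds):
    """Outcome for an unsigned answer from a homenet server for a name
    under home.arpa, given whether .arpa publishes a DS for home.arpa."""
    arpa = Zone("arpa", signed=True,
                ds={"home.arpa"} if arpa_has_ds else set())
    home = Zone("home.arpa", signed=False)  # unsigned, locally served zone
    return validation_status([ROOT, arpa, home], answer_signed=False)


if __name__ == "__main__":
    print("no DS (as Section 7 requires):", homenet_outcome(False))
    print("DS present (what MUST NOT happen):", homenet_outcome(True))
```

The same model gives Insecure for an NXDOMAIN served by a blackhole server, which is the RFC 6303 point: validation still succeeds even though the answer did not come from a signed, delegated server.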