Re: [DNSOP] My assessment of .homenet as described during the WG session yesterday.

Terry Manderson <terry.manderson@icann.org> Thu, 30 March 2017 20:46 UTC

From: Terry Manderson <terry.manderson@icann.org>
To: HOMENET <homenet@ietf.org>
CC: "dnsop@ietf.org" <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/zpTxvSzXh8ENLTuLS6NieW_KjI8>

Dear WGs (HOMENET and DNSOP)

Based on the reviews from many folk, the discussions in DNSOP and HOMENET, the clarifying questions and responses during the HOMENET session at IETF98, a number of other DNS expert level discussions I have had, and the IAB statement [1], my final assessment on the HOMENET domain is as follows.

A TLD request is not the ideal architectural direction that would encompass the goals of the greater Internet along with the ethos and scope of the IETF.

I shall be returning the document (draft-ietf-homenet-dot) to the WG to consider and find consensus on a domain under .ARPA.

The already stated technical assessment is that a .ARPA subdomain can satisfy the requirement for a special use domain, in addition to being resolvable in the DNS with the requested characteristics. The WG should consider the situations where the name of the device is escalated to the user, not that I believe the WG should engage in UI/UX design, but to ensure that if it is desired by the WG that the name be suitably obfuscated, HOMENET features should exist to ensure that.

Thanks
Terry

[1] https://www.iab.org/documents/correspondence-reports-documents/2017-2/iab-statement-on-the-registration-of-special-use-names-in-the-arpa-domain/


On 29/03/2017, 3:32 AM, "DNSOP on behalf of Terry Manderson" <dnsop-bounces@ietf.org on behalf of terry.manderson@icann.org> wrote:

    Dear HOMENET and DNSOP WG(s),
    
    Wearing the INT AD hat.
    
    Firstly, thank you to the DNSOP WG for the deep review, thoughts, and considered responses to my request for review.
    
    Secondly, my apologies for not sharing my thoughts before the HOMENET session. It would have been impractical to do so as this is a very (VERY) fluid situation with IETF leadership also engaged in discussions.
    
    This is simply an iteration of my description of the current situation as delivered yesterday. Do be aware that conversations are continuing and you should NOT take this as a declarative statement. During the HOMENET WG session I specified that for this topic I am comfortable answering _clarifying_ questions. The same applies here. My answers may or may not change due to the fluid nature of the concern and I hope you appreciate that.
    
    My summary of the situation is this.
    
    1) .homenet _COULD_ be added to the special use domain registry based on RFC6761 
    
    2) The expected future operation of HOMENET resolution for DNSSEC validating stub resolvers requires a break in the DNSSEC chain of trust.
    
    3) To achieve "2", the document _additionally_ asks IANA to insert an insecure delegation into the root zone
    
    4) The ask for "3" is not covered in IETF policy terms, in fact it tries to put an entry into someone else's registry (the root zone), and will require a set of collaborative discussions with the ICANN community and a new process that handles this situation. There are no expectations that this process will be defined in a reasonable time for the uses of HOMENET.
    
    
    Options, possibly not an exhaustive list
    
    A) seek a .homenet special use domain with the request for an insecure delegation in the root zone. (This is what the document asks for NOW, and here we are)
    
    B) seek a .homenet special use domain WITHOUT the delegation request AND ask the IETF/IESG/IAB to commence the discussion with the ICANN community to achieve an insecure delegation
    
    C) seek a <SOMETHING>.arpa insecure special use delegation
    
    D) go for "B" and if that doesn't work shift to "C"
    
    
    Each of these has different positives and negatives in a raw technical sense, UI design desires, and policy and political frames.
    
    Again, this situation is fluid and as discussions evolve I will provide more information when it is appropriate. In the meantime I would very much like everyone to take a calming breath and understand that I am taking a very pragmatic view of this concern.
    
    Cheers,
    Terry
    INT AD
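
Added example, not part of the original message or of any IETF document: a simplified Python model of how a DNSSEC-validating stub classifies an unsigned answer from a home resolver, showing why points 2 and 3 call for an insecure delegation and why options A and C satisfy a validator equally. The zone contents, the `printer` host label and the `something.arpa.` name (standing in for `<SOMETHING>.arpa`) are constructed assumptions, and the model ignores signatures, key rollover and caching.

```python
SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

# Constructed data: signed parent zone -> {child zone: DS published?}.
# True  = secure delegation (NS + DS).
# False = insecure delegation (NS plus a signed proof that no DS exists).
# A child that is not listed has a signed denial of existence in the parent.
TODAY = {".": {"arpa.": True}, "arpa.": {}}
OPTION_A = {".": {"arpa.": True, "homenet.": False}, "arpa.": {}}
OPTION_C = {".": {"arpa.": True}, "arpa.": {"something.arpa.": False}}


def ancestors(qname):
    """'printer.homenet.' -> ['homenet.', 'printer.homenet.'] (top down)."""
    labels = qname.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def validate(delegations, qname, answer_is_signed):
    """Walk from the root trust anchor towards qname and classify the answer."""
    zone = "."
    for name in ancestors(qname):
        cut = delegations.get(zone, {})
        if name not in cut:
            # No zone cut at this name: it still belongs to the signed zone.
            continue
        if not cut[name]:
            # Proven absence of DS: the chain of trust ends here by design,
            # so unsigned data below this point is acceptable.
            return INSECURE
        zone = name  # DS present: the chain continues into the child zone
    # The name sits inside a signed zone, so an unsigned answer is rejected.
    return SECURE if answer_is_signed else BOGUS


if __name__ == "__main__":
    cases = [
        ("no delegation", TODAY, "printer.homenet."),
        ("option A", OPTION_A, "printer.homenet."),
        ("option C", OPTION_C, "printer.something.arpa."),
    ]
    for label, tree, qname in cases:
        print(f"{label:14} {qname:26} {validate(tree, qname, False)}")
```
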