Re: [homenet] securing zone transfer
Mark Andrews <marka@isc.org> Tue, 11 June 2019 02:21 UTC
From: Mark Andrews <marka@isc.org>
In-Reply-To: <11031.1560173254@localhost>
Date: Tue, 11 Jun 2019 12:21:16 +1000
Cc: homenet@ietf.org, Ray Bellis <ray@bellis.me.uk>
Message-Id: <B981077F-9657-4E37-9951-B9F7E7A470BD@isc.org>
References: <CADZyTkkgd8f49V+yoZvPZXx3b-_YRzpgUY1-obroq9QMLnFWNw@mail.gmail.com> <73d98e8d-4496-98dd-350f-28b93692b1bc@bellis.me.uk> <3195.1559964971@localhost> <C0205C3D-6FA4-4B39-9602-5AF4EC4D3BF5@fugue.com> <12925.1560033121@localhost> <50CFC4D7-83A5-4B1B-84B3-7DEDE37BB443@fugue.com> <11031.1560173254@localhost>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/3DLi3mrTeMRZ3IstGhOn9jV0Z2w>
Subject: Re: [homenet] securing zone transfer
> On 10 Jun 2019, at 11:27 pm, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
>
>
> Ted Lemon <mellon@fugue.com> wrote:
>> For dns updates, SIG(0) works fine.  I have code you can steal that
>> works with mbedtls and ecdsa.  Signing and validation.  But I think TLS
>> client certs can also work.  Proving the front end server's identity
>> sounds like the hard part.
>
> Just to ask again clearly:
>
> 1a) is it possible to authorize an AXFR transfer by SIG(0)?

Yes.

> 1b) is it possible to authorize an SOA query by SIG(0)?

Yes.

> 2) is anyone doing AXFR over TLS (DPRIVE)?
>
> {3) is RFC3007 really the most recent text on dynamic DNS?}

What has changed to need a more recent RFC?  Once you can identify the
requesting party, which SIG(0) and TSIG can do, the rest is policy.

I suppose we could have DHCP clients send KEY rdata as part of the DHCP
request for DHCP servers to insert in the reverse zone when addresses /
prefixes are allocated to allow the clients to use SIG(0) UPDATE requests
to update reverse zones.  This would allow for more than PTR records to be
added to reverse zones.  I did write an I-D about this for PD but got no
traction [1].  The technique would work equally well for individual
addresses.  All it really requires is a DHCP code point to be allocated.

[1] https://datatracker.ietf.org/doc/draft-andrews-dnsop-pd-reverse/

>>> On Jun 8, 2019, at 6:32 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
>>>
>>>
>>> Ted Lemon <mellon@fugue.com> wrote:
>>>>> Can we use TLS for authorization, assuming that we have trusted
>>>>> certificates
>>>>> at both ends? Perhaps this is more of a: did anyone implement this?
>>>
>>>> How is trust established?  Sure, doing TSIG over TLS is no problem.
>>>
>>> Certificates are exchanged/created at manufacturing time (IDevID), and then
>>> optionally updated to LDevID.  The certificate contains the name of the zone
>>> which the HNA is authoritative for (or a control record pins the
>>> certificate).
>>>
>>> TSIG requires a shared secret, thus a database of shared secrets available
>>> online.  I don't want to do TSIG over TLS, I want to not do TSIG, or
>>> if I have to use TSIG for mechanical reasons, I want to derive the secret
>>> from the TLS.
>>>
>>> I need to authorize the following:
>>> 1) DNS update of some data (NS, DS, AAAA that NS points to) by
>>>    Distribution Master (cloud/public system)
>>> 2) SOA query by Distribution Master by HNA.
>>> 3) AXFR by Distribution Master by HNA.
>>>
>>> --
>>> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>>>  -= IPv6 IoT consulting =-
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>  -= IPv6 IoT consulting =-
>
> _______________________________________________
> homenet mailing list
> homenet@ietf.org
> https://www.ietf.org/mailman/listinfo/homenet

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
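The "identify the requester, then the rest is policy" split that Mark describes, and his DHCP-carried KEY proposal, in miniature. This is an added example, not code from the thread, from ISC or from the draft: it is a toy in Go with the standard library's Ed25519 standing in for whatever KEY algorithm the client would really use, a string stand-in for the wire-format message that real SIG(0) signs, and a hypothetical name-scoped "self" policy (a key may change names at or below its own owner name, anything but KEY). The DHCP server's `Lease` writes the PTR and the client's KEY at the prefix's reverse name; the client's `Sign` and the server's `ApplyUpdate` are the UPDATE path. All prefixes under 2001:db8::/32 are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net"
	"strings"
)

// RR is a minimal resource record: type mnemonic plus presentation-format rdata.
type RR struct{ Type, Data string }

// ReverseZone is a toy model of the reverse zone a DHCP server maintains. Keys holds
// the KEY RR the server inserted at each lease's reverse name; Records holds the rest.
type ReverseZone struct {
	Origin  string
	Keys    map[string]ed25519.PublicKey
	Records map[string][]RR
}

func NewReverseZone(origin string) *ReverseZone {
	return &ReverseZone{strings.ToLower(origin), map[string]ed25519.PublicKey{}, map[string][]RR{}}
}

// ip6Reverse returns the ip6.arpa owner name covering the first prefixBits of ip
// (prefixBits a multiple of 4): 2001:db8::/32 -> 8.b.d.0.1.0.0.2.ip6.arpa.
func ip6Reverse(ip net.IP, prefixBits int) string {
	ip = ip.To16()
	var labels []string
	for i := prefixBits/4 - 1; i >= 0; i-- {
		nib := ip[i/2] & 0x0f
		if i%2 == 0 {
			nib = ip[i/2] >> 4
		}
		labels = append(labels, fmt.Sprintf("%x", nib))
	}
	return strings.Join(labels, ".") + ".ip6.arpa"
}

// Lease is the DHCP server's side of the proposal: on allocating a prefix it writes
// the PTR and stores the KEY the client sent (hypothetical DHCP option) at the reverse name.
func (z *ReverseZone) Lease(reverseName string, key ed25519.PublicKey, ptr string) {
	n := strings.ToLower(reverseName)
	z.Keys[n] = key
	z.Records[n] = append(z.Records[n], RR{"PTR", ptr})
}

// Update is a much-simplified DNS UPDATE: add one RR at Name, signed SIG(0)-style
// by the KEY whose owner name is Signer.
type Update struct {
	Name   string
	RR     RR
	Signer string
}

// canonical is what the signature covers. Real SIG(0) signs the wire-format
// message; this stand-in simply binds every field of the request.
func (u Update) canonical() []byte {
	return []byte(strings.Join([]string{u.Name, u.RR.Type, u.RR.Data, u.Signer}, "\x00"))
}

// Sign is the client side: the signature it attaches to the UPDATE.
func Sign(u Update, priv ed25519.PrivateKey) []byte { return ed25519.Sign(priv, u.canonical()) }

var (
	ErrNoKey  = errors.New("REFUSED: no KEY RR at the signer's name, requester unidentified")
	ErrBadSig = errors.New("BADSIG: signature does not verify against the KEY RR")
	ErrPolicy = errors.New("REFUSED: signer may not change that name or type")
)

// ApplyUpdate is the server side: identify the requester via the KEY RR at the
// signer's name, verify the signature, and only then apply policy. The policy is
// name-scoped ("self"): names at or below the key's owner name, any type but KEY.
func (z *ReverseZone) ApplyUpdate(u Update, sig []byte) error {
	signer := strings.ToLower(u.Signer)
	key, ok := z.Keys[signer]
	if !ok {
		return ErrNoKey
	}
	if !ed25519.Verify(key, u.canonical(), sig) {
		return ErrBadSig
	}
	name := strings.ToLower(u.Name)
	if (name != signer && !strings.HasSuffix(name, "."+signer)) || u.RR.Type == "KEY" {
		return ErrPolicy
	}
	z.Records[name] = append(z.Records[name], u.RR)
	return nil
}

func main() {
	// Constructed example: ISP reverse zone for 2001:db8::/32 with two PD clients.
	zone := NewReverseZone(ip6Reverse(net.ParseIP("2001:db8::"), 32))
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, _, _ := ed25519.GenerateKey(rand.Reader)
	a, b := ip6Reverse(net.ParseIP("2001:db8:1::"), 48), ip6Reverse(net.ParseIP("2001:db8:2::"), 48)
	zone.Lease(a, pubA, "hna-a.example.")
	zone.Lease(b, pubB, "hna-b.example.")
	// A delegates its own /48 reverse to its HNA (allowed); then tries B's name (refused).
	own := Update{a, RR{"NS", "ns.hna-a.example."}, a}
	fmt.Println("NS at own name:", zone.ApplyUpdate(own, Sign(own, privA)))
	cross := Update{b, RR{"NS", "ns.hna-a.example."}, a}
	fmt.Println("NS at B's name:", zone.ApplyUpdate(cross, Sign(cross, privA)))
}
```

The point of the three error values is that they are distinct: a missing KEY, a bad signature and a policy refusal are different failures and should be logged differently by an operator. The same identification step would sit in front of an SOA or AXFR request; only the policy branch changes.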