Re: [homenet] Eric Rescorla's Discuss on draft-ietf-homenet-dot-13: (with DISCUSS)

Eric Rescorla <ekr@rtfm.com> Fri, 01 September 2017 14:42 UTC

In-Reply-To: <20170901023908.E7C0F83ED0E3@rock.dv.isc.org>
References: <150413520708.16860.14531912464478386147.idtracker@ietfa.amsl.com> <20170901023908.E7C0F83ED0E3@rock.dv.isc.org>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 01 Sep 2017 08:41:33 -0600
Message-ID: <CABcZeBP4mNtCLEqcfa4p-1SGLDR2NLJPBJE5W1DaPBMR2m74FQ@mail.gmail.com>
To: Mark Andrews <marka@isc.org>
Cc: The IESG <iesg@ietf.org>, draft-ietf-homenet-dot@ietf.org, homenet-chairs@ietf.org, homenet@ietf.org, ray@bellis.me.uk
Content-Type: multipart/alternative; boundary="001a114f25d24a36b5055821c466"
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/3nbYPXR1y_GeBtxm8zaHqcRQqvQ>
Subject: Re: [homenet] Eric Rescorla's Discuss on draft-ietf-homenet-dot-13: (with DISCUSS)

On Thu, Aug 31, 2017 at 8:39 PM, Mark Andrews <marka@isc.org> wrote:

>
> In message <150413520708.16860.14531912464478386147.idtracker@ietfa.amsl.com>,
> Eric Rescorla writes:
> > Eric Rescorla has entered the following ballot position for
> > draft-ietf-homenet-dot-13: Discuss
> >
> > When responding, please keep the subject line intact and reply to all
> > email addresses included in the To and CC lines. (Feel free to cut this
> > introductory paragraph, however.)
> >
> >
> > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> > for more information about IESG DISCUSS and COMMENT positions.
> >
> >
> > The document, along with other ballot positions, can be found here:
> > https://datatracker.ietf.org/doc/draft-ietf-homenet-dot/
> >
> >
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> >        A.  Recursive resolvers at sites using 'home.arpa.'  MUST
> >            transparently support DNSSEC queries: queries for DNSSEC
> >            records and queries with the DO bit set ([RFC4035] section
> >            3.2.1).  While validation is not required, it is strongly
> >            encouraged: a caching recursive resolver that does not
> >            validate answers that can be validated may cache invalid
> >            data.  This in turn will prevent validating stub resolvers
> >            from successfully validating answers.
> >
> > I don't understand the rationale for this requirement. As I understand it
> > from this document, stuff ending in home.arpa cannot be DNSSEC validated,
> > so what business is it of this document to levy the requirement on
> > sites which support home.arpa that they do anything with DNSSEC at all?
>
> Wrong, the responses can be validated.  The output of the validation
> step is one of secure, insecure, or bogus.  With the exception of
> home.arpa/DS and without private trust anchors being installed the
> output of that validation should be insecure for all answers from
> home.arpa.  home.arpa/DS should validate as secure NODATA.
>
> In particular validation of the home.arpa/DS is important as it
> prevents the cache being poisoned with answers which prevent the
> stub proving that the home.arpa is supposed to exist and that it
> doesn't have a chain of trust from the root.
>

I don't see how this is different from any other kind of resolution.

-Ekr


> Mark
>
> > _______________________________________________
> > homenet mailing list
> > homenet@ietf.org
> > https://www.ietf.org/mailman/listinfo/homenet
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
>
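
The step Mark describes, worked through in code as an added example that is not part of the draft or of this thread: a validating stub asks for home.arpa/DS and the only acceptable outcomes are a DS RRset (secure delegation) or a proven NODATA, i.e. an NSEC owned by home.arpa whose type bitmap has NS set and DS clear (RFC 4035 section 5.2), which makes every later answer under home.arpa validate as insecure. A NODATA with no such proof, or an NXDOMAIN, is what a non-validating cache can hand back once it has been poisoned, and the stub then ends up at bogus. The script is stdlib-only; all wire messages are constructed here, signature verification is assumed to have happened already (the RRSIG bytes are dummies), and the function and record names are my own.

```python
"""Classify a response to `home.arpa. IN DS` the way a validating stub does
after RRSIG checks (RFC 4035 s.5).  Added example, not code from the draft or
the thread.  Wire messages are constructed; RRSIG rdata is a placeholder because
signature verification is out of scope here."""
import struct

TYPE_NS, TYPE_SOA, TYPE_DS, TYPE_RRSIG, TYPE_NSEC = 2, 6, 43, 46, 47
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name):
    """Uncompressed wire form of a dotted name ("home.arpa." -> \\x04home\\x04arpa\\x00)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(wire, off):
    """Parse a possibly compressed name; returns (name, offset just past it)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        ln = wire[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", wire[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 64:                           # guard against pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            break
        labels.append(wire[off:off + ln].decode("ascii").lower())
        off += ln
    return ".".join(labels) + ".", end


def encode_type_bitmap(types):
    """RFC 4034 s.4.1.2 window/bitmap encoding of an NSEC type set."""
    windows = {}
    for t in types:
        windows.setdefault(t >> 8, bytearray(32))[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)
    out = b""
    for w in sorted(windows):
        bm = bytes(windows[w]).rstrip(b"\x00")
        out += bytes([w, len(bm)]) + bm
    return out


def decode_type_bitmap(data):
    types, off = set(), 0
    while off < len(data):
        w, ln = data[off], data[off + 1]
        off += 2
        for j in range(ln):
            for i in range(8):
                if data[off + j] & (0x80 >> i):
                    types.add(w * 256 + j * 8 + i)
        off += ln
    return types


def rr(name, rtype, rdata, ttl=3600):
    """One resource record; `name` may be a dotted string or raw wire bytes."""
    owner = name if isinstance(name, bytes) else encode_name(name)
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(qname, rcode, answer=(), authority=()):
    flags = 0x8000 | 0x0100 | 0x0080 | rcode        # QR, RD, RA, RCODE
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answer), len(authority), 0)
    return hdr + encode_name(qname) + struct.pack("!HH", TYPE_DS, 1) + b"".join(answer) + b"".join(authority)


def parse_response(wire):
    """Returns (rcode, {"answer": [...], "authority": [...], "additional": [...]})."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(wire, off)
        off += 4                                    # QTYPE + QCLASS
    sections = {}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = decode_name(wire, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
            off += 10
            rrs.append((name, rtype, wire[off:off + rdlen]))
            off += rdlen
        sections[sec] = rrs
    return flags & 0x000F, sections


def classify_ds_response(wire, owner="home.arpa."):
    """'secure': DS present, chain continues.  'insecure': NSEC proves NS-without-DS.
    'nxdomain': name claimed not to exist.  'bogus': NODATA with no proof."""
    rcode, sec = parse_response(wire)
    if rcode == RCODE_NXDOMAIN:
        return "nxdomain"
    if rcode != RCODE_NOERROR:
        return "bogus"
    if any(n == owner and t == TYPE_DS for n, t, _ in sec["answer"]):
        return "secure"
    for name, rtype, rdata in sec["authority"]:
        if rtype == TYPE_NSEC and name == owner:
            _, end = decode_name(rdata, 0)          # next-name field, never compressed
            types = decode_type_bitmap(rdata[end:])
            if TYPE_NS in types and TYPE_DS not in types:
                return "insecure"
    return "bogus"


# Constructed messages.  The NSEC owner uses a compression pointer to the question name.
NSEC_RDATA = encode_name("in-addr.arpa.") + encode_type_bitmap({TYPE_NS, TYPE_RRSIG, TYPE_NSEC})
SOA_RDATA = encode_name("a.arpa.") + encode_name("b.arpa.") + b"\x00" * 20
PROVEN_NODATA = build_response("home.arpa.", RCODE_NOERROR, authority=[
    rr("arpa.", TYPE_SOA, SOA_RDATA),
    rr(b"\xC0\x0C", TYPE_NSEC, NSEC_RDATA),
    rr(b"\xC0\x0C", TYPE_RRSIG, b"\x00" * 18),      # placeholder signature
])
UNPROVEN_NODATA = build_response("home.arpa.", RCODE_NOERROR)   # what a poisoned cache may serve
FORGED_NXDOMAIN = build_response("home.arpa.", RCODE_NXDOMAIN)

if __name__ == "__main__":
    for label, msg in (("proven NODATA", PROVEN_NODATA), ("unproven NODATA", UNPROVEN_NODATA),
                       ("NXDOMAIN", FORGED_NXDOMAIN)):
        print(f"{label:16s} -> {classify_ds_response(msg)}")
```

Only the first message lets a stub conclude that home.arpa exists as an insecure delegation; the other two are exactly the cached junk Mark's point is about, and a stub that reaches "bogus" here cannot validate anything below home.arpa, whatever the home network's own servers answer.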