IETF Logo Mail Archive

Re: [homenet] securing zone transfer

Ted Lemon <mellon@fugue.com> Sat, 08 June 2019 23:37 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E4A3120052 for <homenet@ietfa.amsl.com>; Sat, 8 Jun 2019 16:37:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RjVwbMxFSUZR for <homenet@ietfa.amsl.com>; Sat, 8 Jun 2019 16:36:58 -0700 (PDT)
Received: from mail-qk1-x733.google.com (mail-qk1-x733.google.com [IPv6:2607:f8b0:4864:20::733]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7C09120090 for <homenet@ietf.org>; Sat, 8 Jun 2019 16:36:58 -0700 (PDT)
Received: by mail-qk1-x733.google.com with SMTP id a27so3548234qkk.5 for <homenet@ietf.org>; Sat, 08 Jun 2019 16:36:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=CjBYb5I6QfLaE6nNW5BqmmEjmrVf3SORJCnFFeoOIe4=; b=vZepZ/pOy+lvJo/s5k3v4XnbsUiPdog24j9g8v4FKWlbkOaLUdsSLcK+Rn2fW2Udxm VVOH42SlmNotKRzBP6/ifmrKepbRsIaIons7fRrrhgLrV9yBuewAoFwYndNyISQ43Zle UrmJFA5rrlL/FjYVntU/rHtGqQIFhuyI9Isuvhoc98JWX9dYTzHx5M/7OWNUIJeJF3SZ a25FOnIUEwhI87w1c8lDbed7SxEooHqHi+eHUlPVVBi7rnnEYqZqcO5JfPNxuUcKhdV3 d/5fa+wqC5NvKc1DZt96x6/miFjHE5kAdhlOaH4ZMmKdWu0FCzvXyTux4aVb58AjLJef rB2w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=CjBYb5I6QfLaE6nNW5BqmmEjmrVf3SORJCnFFeoOIe4=; b=HAjRp04APbtfzpxSExi+cPId2Np2Bb9G8oPKbKh2Zt8mPVxfwJGA3yGu+nRCQDrD+V vONpdwgJ6P6RIKEV/0hlpD96l9gS1sdOdKvnmxYBzk+Mbe5FARYJgiErIIFK/6P2TJg+ vYfjmCrIo8mhLxySQKXGLdZNAR4HUElmzLDFWGAJb2U7Gab3r+bt6ZYjzU++CTM9cnY4 MViH3RyhnqkZJyhQdrqthJ9889/8uCe7BF8S5ENdRpcEPWF1zuvIPO0JS2ri91CF95Vc 63ahymRR9/+imxYrVK5f/S3fK5fURhmZRlpv20fow3TflxsAbh2a0eGZ8nLzr7gIdsvP 4ZOA==
X-Gm-Message-State: APjAAAWvhqRWcBCy5IbBIB4DvwNNFqGsQvpLPG2sjlLzJtcrdEL5X/5e qntw84UYl/WTNPpi4+HjeZrIE2Zvp6U=
X-Google-Smtp-Source: APXvYqxJr7izjEji/dPXNwtRhtU31V1RX2YCtD0Xq9iF7YXmDeYAQQ5qIt3Dgpq6k5ndzypZWyOG1A==
X-Received: by 2002:a05:620a:1106:: with SMTP id o6mr31228540qkk.272.1560037017430; Sat, 08 Jun 2019 16:36:57 -0700 (PDT)
Received: from ?IPv6:2600:380:8d5b:40a1:f0bf:ff8e:3101:44cd? ([2600:380:8d5b:40a1:f0bf:ff8e:3101:44cd]) by smtp.gmail.com with ESMTPSA id e133sm3828329qkb.76.2019.06.08.16.36.35 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 08 Jun 2019 16:36:56 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
From: Ted Lemon <mellon@fugue.com>
X-Mailer: iPhone Mail (16G43)
In-Reply-To: <12925.1560033121@localhost>
Date: Sat, 08 Jun 2019 19:36:33 -0400
Cc: Ray Bellis <ray@bellis.me.uk>, homenet@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <50CFC4D7-83A5-4B1B-84B3-7DEDE37BB443@fugue.com>
References: <CADZyTkkgd8f49V+yoZvPZXx3b-_YRzpgUY1-obroq9QMLnFWNw@mail.gmail.com> <73d98e8d-4496-98dd-350f-28b93692b1bc@bellis.me.uk> <3195.1559964971@localhost> <C0205C3D-6FA4-4B39-9602-5AF4EC4D3BF5@fugue.com> <12925.1560033121@localhost>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/8hWEEhku7oVq9WhkL-4jqsGSUS8>
Subject: Re: [homenet] securing zone transfer
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Jun 2019 23:37:02 -0000

For dns updates, SIG(0) works fine. I have code you can steal that works with mbedtls and ecdsa. Signing and validation.  But I think TLS client certs can also work.  Proving the front end servers identity sounds like the hard part. 

Sent from my iPhone

> On Jun 8, 2019, at 6:32 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> 
> 
> Ted Lemon <mellon@fugue.com> wrote:
>>> Can we use TLS for authorization, assuming that we have trusted
>>> certificates
>>> at both ends?  Perhaps this is more of a: did anyone implement this?
> 
>> How is trust established?   Sure, doing TSIG over TLS is no problem.
> 
> Certificates are exchanged/created at manufacturing time (IDevID), and then
> optionally updated to LDevID.  The certificate contains the name of the zone
> which the HNA is authoritative for (or a control record pins the
> certificate).
> 
> TSIG requires a shared secret, thus a database of shared secrets available
> online.   I don't want to do TSIG over TLS, I want to not do TSIG, or
> if I have to use TSIG for mechanical reasons, I want to derive the secret
> From the TLS.
> 
> I need to authorize the following:
>  1) DNS update of some data (NS, DS, AAAA that NS points to) by
>     Distribution Master (cloud/public system)
>  2) SOA query by Distribution Master by HNA.
>  3) AXFR by Distribution Master by HNA.
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email