Re: [homenet] Paul Wouters' Discuss on draft-ietf-homenet-naming-architecture-dhc-options-21: (with DISCUSS)
Daniel Migault <mglt.ietf@gmail.com> Mon, 24 October 2022 02:45 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34905C14F745; Sun, 23 Oct 2022 19:45:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id epCg7prLu_ow; Sun, 23 Oct 2022 19:45:04 -0700 (PDT)
Received: from mail-io1-xd2c.google.com (mail-io1-xd2c.google.com [IPv6:2607:f8b0:4864:20::d2c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D7FEC14F739; Sun, 23 Oct 2022 19:45:04 -0700 (PDT)
Received: by mail-io1-xd2c.google.com with SMTP id e15so6771324iof.2; Sun, 23 Oct 2022 19:45:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=KSFCUKRKcj+6Vnrx/cLDVWwirHL27j6kveJiKAgJkkw=; b=oKl1/wNiSy0/9LRRAneA+P9+SeewkRJW9gbUnQn8hVxKWTKP2on/HwPtwjd6aWUIDd zfD80/M2AK7X7yP/7qkj35Si9ahEytbe5lmMzKmIZFR1uTo0f9w4LTjWFMiV/1VKLJGV yWEXIrFpimwhy5GJzHC2wf239CjzHOy0pOt83BDNe6xL1UmOsxPOTdS3JqezPyfsQinJ avUAt/kBuz/Yp69KL4TDOL7Dvv6cyTyxQfv9/2hXEiIOmyVE/nbIK4Ec3k7O0em8YX6I 9PUYK2bqBjVIapg19cpwGB8mK9AaYYQAw0ILV+ol2T2o7nDul6ozmGWc8qAENf+mRV5Q nsdA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=KSFCUKRKcj+6Vnrx/cLDVWwirHL27j6kveJiKAgJkkw=; b=f5n+z87fSOFxmJCVRVar2gFQiKvdm1+dNq5xl+KHDJLZeLkfVMLLymyl3vFI4upZ9E PwgyHmh+8mG6Wgop/UGqwQ0DqpyxH4Zu/GT1Ce+RhWLhjc9z8UwADO8qtljsW+nVkDJp ttYd5BzQHZACqY+fIl6+VYjvZn/d/gw8Mon23z4bbIhpdp6XK8wAkRklmL2a0sudQma0 xJRfnXhYr0i9E3A5PfZWTrkcTChXEGmkC/n9yLW00ligamUgAGTL3A+mfGeNCnPRSqcG vSgTYlc4tVEf3ZZRRE2UmuVff1o2RF6V69L9sLmYVaJhIXXBUGLMEf5MFfhfURYQEofc 9X/w==
X-Gm-Message-State: ACrzQf1fTsdxidtX4w0XChRxBOAS+Sez4cepv/ULBuXvDjiu9T9eY/RZ ZaIIbBLvdlRM6UQ/i9UrpFJ4HXzoUr0ighXj6x2PKd4ZkPk=
X-Google-Smtp-Source: AMsMyM6ApguAWJMSPLIQIILxrtedIF8O2QJUl0oTlsx8M0H/YKJEXZHzk+F/w5yASGOTWQYCpY7XPk3Ol33cxKaeH/Y=
X-Received: by 2002:a6b:be86:0:b0:6b9:7a46:479f with SMTP id o128-20020a6bbe86000000b006b97a46479fmr18949619iof.130.1666579503157; Sun, 23 Oct 2022 19:45:03 -0700 (PDT)
MIME-Version: 1.0
References: <166624546383.55524.17919861797763262507@ietfa.amsl.com> <CADZyTk=GD1k9RfdLoddCWqKCr8yQvoOm1+df0gAzp92oKRWzdw@mail.gmail.com> <CAGL5yWYoMaFxL+UWwYDkYaJ2Y6tckH_0n2HL4wLxYTMCZsctbQ@mail.gmail.com>
In-Reply-To: <CAGL5yWYoMaFxL+UWwYDkYaJ2Y6tckH_0n2HL4wLxYTMCZsctbQ@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Sun, 23 Oct 2022 22:44:52 -0400
Message-ID: <CADZyTkmXunv9oZyGtwq0LKBtEHLVdcW4qGOcYtSCvkhbHXxs1w@mail.gmail.com>
To: Paul Wouters <paul.wouters@aiven.io>
Cc: The IESG <iesg@ietf.org>, draft-ietf-homenet-naming-architecture-dhc-options@ietf.org, homenet-chairs@ietf.org, homenet@ietf.org, stephen.farrell@cs.tcd.ie
Content-Type: multipart/alternative; boundary="0000000000004698c105ebbec7a3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/DKjnYh4mmB32VM3mW1Kapt65sm4>
Subject: Re: [homenet] Paul Wouters' Discuss on draft-ietf-homenet-naming-architecture-dhc-options-21: (with DISCUSS)
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Oct 2022 02:45:08 -0000
Hi Paul, Thanks for the feedback. This is interesting. Please see my responses. I do not see any need to add some text, but I am happy to do so if you think that is needed. Yours, Daniel On Sun, Oct 23, 2022 at 8:57 PM Paul Wouters <paul.wouters@aiven.io> wrote: > > On Thu, Oct 20, 2022 at 4:04 PM Daniel Migault <mglt.ietf@gmail.com> > wrote: > >> Hi Paul, >> >> Some brief element of response to your questions. While you are raising >> comments within a DISCUSS see your comment as a very high level question on >> what is the content of the draft with many questions related not to that >> draft. I am happy to respond, but there is nothing actionable that can be >> done, so please be more specific. >> ---------------------------------------------------------------------- >> >>> DISCUSS: >>> ---------------------------------------------------------------------- >>> >>> This might be my misunderstanding >> >> of homenet, so hopefully easy to resolve. >>> >>> The HNA (hidden primary?) to DM (primary) DNS communication using DNS >>> Update >>> needs some kind of authentication, TSIG or SIG0 ? >> >> no >> >>> While TLS gives you privacy, >>> the DNS Update cannot be done with only TLS (as far as I understand it). >> >> please develop, but just in case, we do not use dns update to synchronize >> the zone. we use AFXR/IXRF over TLS define din XoT. >> >>> I >>> don't see any DHCP options to relay authentication information for >>> automatic >>> deployment? >> >> >> The FQDN "Distribution Manager FQDN" and "Reverse Distribution Manager FQDN" >> are sufficent to set a TLS session. >> >> So I don't understand how this would startup and be able to setup a >>> secure DNS update channel ? >>> >> >> TLS needs only names. The certificates binds the names to a key used for >> the authentication. >> > > So you are using transport security as a means for data authentication. > > > https://datatracker.ietf.org/doc/html/rfc5936#section-5 states: > > Ensuring that an AXFR client does not accept a forged copy of a zone > is important to the security of a zone. If a zone operator has the > opportunity, protection can be afforded via dedicated links, physical > or virtual via a VPN among the authoritative servers. But there are > instances in which zone operators have no choice but to run AXFR > sessions over the global public Internet. > > Besides best attempts at securing TCP connections, DNS > implementations SHOULD provide means to make use of "Secret Key > Transaction Authentication for DNS (TSIG)" [RFC2845 <https://datatracker.ietf.org/doc/html/rfc2845>] and/or "DNS > Request and Transaction Signatures ( SIG(0)s )" [RFC2931 <https://datatracker.ietf.org/doc/html/rfc2931>] to allow > AXFR clients to verify the contents. These techniques MAY also be > used for authorization. > > So you are going against the RFC 5936 SHOULD. > > I even had to look this up because I didn't know you could do an AXFR as a > secondary > from a primary without DNS level authentication. Apparently you can, but > you SHOULD not. > > That is what we do. TLS provides enough security to replace TSIG / SIG(0). > Unauthenticated AXFR is meant for zones that are open to the public and > dns clients that want > to grab a copy. It's not really meant for the actual primary <-> secondary > channel. You might > find that some DNS software insists on authentication if configured as > secondary, as ACLs to > just limit on IP address is really considered too weak. > > While using mutually authenticated TLS > might be an option these days, most DoH/DoT/DoQ I believe only consider > their use for privacy > of unauthenticated connections. I'm not sure there are implementations and > configurations out > there that deploy DoH/DoT/DoQ with mutually authenticated TLS., > > so we only considered DoT in the document. Other protocols are left for future work and only mentioned as potential examples. OARC35 [1] announced ongoing support for XoT by NSD, Unbound, BIND, PowerDNS and [2] is the commit "New configuration variables for client-side certificate". I believe we can reasonably say mutual authentication is on its way to become widely available. [1] https://indico.dns-oarc.net/event/38/contributions/857/attachments/802/1470/oarc35-xot-slides.pdf [2] https://github.com/NLnetLabs/nsd/commit/044c4b5d267dba69996267164395c6ed799e389b > Paul > -- Daniel Migault Ericsson
- [homenet] Paul Wouters' Discuss on draft-ietf-hom… Paul Wouters via Datatracker
- Re: [homenet] Paul Wouters' Discuss on draft-ietf… Daniel Migault
- Re: [homenet] Paul Wouters' Discuss on draft-ietf… Paul Wouters
- Re: [homenet] Paul Wouters' Discuss on draft-ietf… Daniel Migault
- Re: [homenet] Paul Wouters' Discuss on draft-ietf… Paul Wouters
- Re: [homenet] Paul Wouters' Discuss on draft-ietf… Daniel Migault
- Re: [homenet] Paul Wouters' Discuss on draft-ietf… Daniel Migault
- Re: [homenet] Paul Wouters' Discuss on draft-ietf… Paul Wouters
- Re: [homenet] Paul Wouters' Discuss on draft-ietf… Daniel Migault
- Re: [homenet] Paul Wouters' Discuss on draft-ietf… Paul Wouters
- Re: [homenet] Paul Wouters' Discuss on draft-ietf… Daniel Migault
- Re: [homenet] Paul Wouters' Discuss on draft-ietf… Daniel Migault
- Re: [homenet] Paul Wouters' Discuss on draft-ietf… Daniel Migault