Re: [homenet] Updating DNS [was: How many people have installed the homenet code?]

Ted Lemon <mellon@fugue.com> Thu, 12 May 2016 03:00 UTC

In-Reply-To: <CAPt1N1=05ozMZk3h+HMSc0Js7SdzPvCB-wQhp_dRSUpNsBJxeA@mail.gmail.com>
References: <6E709688-414A-4AFB-AEAE-56BAE0469583@coote.org> <87oa93vz8e.wl-jch@pps.univ-paris-diderot.fr> <917CFE11-2386-4B0D-8A81-F87764AC09A4@coote.org> <87lh47vtpe.wl-jch@pps.univ-paris-diderot.fr> <02CF43FB-CF81-4C0C-84E1-A8DFB27B3F8C@coote.org> <87lh44fff7.wl-jch@pps.univ-paris-diderot.fr> <48A9C52C-85BC-4123-A3ED-FB269AD03126@iki.fi> <87eg9wfctc.wl-jch@pps.univ-paris-diderot.fr> <CAPt1N1nq1CTMmQHFQXnaFY73SyRPKpWagiMVfrHODakbeT2Wxw@mail.gmail.com> <87a8kj3r7p.wl-jch@pps.univ-paris-diderot.fr> <CAPt1N1nN+ih8xpBV_-T_JaGtbBG6d5zYqW==tph8yN_UB34NNw@mail.gmail.com> <56DB4264-1769-443A-86F2-BB0BE0ED9693@ecs.soton.ac.uk> <EMEW3|87dc38b1e390496e02166dafe2490d8as44D0U03tjc|ecs.soton.ac.uk|56DB4264-1769-443A-86F2-BB0BE0ED9693@ecs.soton.ac.uk> <57333B3F.7000009@globis.net> <CC759790-4F9B-47B8-A42C-A85F78AC9773@jisc.ac.uk> <57335AB6.8060305@globis.net> <87mvnwh81u.wl-jch@pps.univ-paris-diderot.fr> <CAPt1N1nu98pXdDzVgZ2yW7xe8mwA=O+zmoGS8XLs_NLbNUaKFQ@mail.gmail.com> <87inykh6n9.wl-jch@pps.univ-paris-diderot.fr> <CAPt1N1kSKEqjsG5KN165h6YUALbY4eeRYb3Y_9ye3mN_RSnbyg@mail.gmail.com> <87d1osh39h.wl-jch@pps.univ-paris-diderot.fr> <CAPt1N1ksB1wCEfjqCVAn_Eca4Bh5vPy3SEO3bBGOWHJfX6zXxg@mail.gmail.com> <878tzgh17r.wl-jch@pps.univ-paris-diderot.fr> <CAPt1N1kGtUGP68e44FOH6yuw0AvDmK8A4bNW+1YpXv31ywzvQw@mail.gmail.com> <8737pogv92.wl-jch@pps.univ-paris-diderot.fr> <20160512003356.B79B2489A437@rock.dv.isc.org> <CAPt1N1nOFM5cQd+WXTtJR9-Gg=ztyCeDqC7RRFhcfhzyGZX-zg@mail.gmail.com> <20160512025653.884C1489E1B3@rock.dv.isc.org> <CAPt1N1=05ozMZk3h+HMSc0Js7SdzPvCB-wQhp_dRSUpNsBJxeA@mail.gmail.com>
Date: Wed, 11 May 2016 23:00:07 -0400
Message-ID: <CAPt1N1mg8u97zngjdQ5=5LFcnN6gr64V3rGs20-0eyuiVDsBiA@mail.gmail.com>
From: Ted Lemon <mellon@fugue.com>
To: Mark Andrews <marka@isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/homenet/KgQZaPnBrdbieYCnTE6q8h_D0Tk>
Cc: homenet@ietf.org, Juliusz Chroboczek <jch@pps.univ-paris-diderot.fr>
Subject: Re: [homenet] Updating DNS [was: How many people have installed the homenet code?]

Hm. Ok, good news. Makes the job a wee bit easier.
On May 11, 2016 10:57 PM, "Mark Andrews" <marka@isc.org> wrote:

In message <CAPt1N1nOFM5cQd+WXTtJR9-Gg=ztyCeDqC7RRFhcfhzyGZX-zg@mail.gmail.com>, Ted Lemon writes:
> You don't even need SIG(0) to get the level of security that mDNS provides.
> And SIG(0) doesn't work right now, because it relies on an older version
> of DNSSEC keys.   Remember the flag day?

DNSSEC depends on DNSKEY as of RFC 403[345]
SIG(0) depends on KEY.

The flag day separated DNSSEC from other uses of KEY.  It did not
say "stop using KEY for everything", just for DNSSEC.

Mark

> On Wed, May 11, 2016 at 8:33 PM, Mark Andrews <marka@isc.org> wrote:
>
> >
> > SIG(0) works fine for DDNS once you have a KEY record installed in
> > the DNS.
> >
> > KEY can be installed on a "add if name does not exist basis" for
> > forward zone and add if TCP self (owner name is the matching
> > in-addr.arpa/ip6.arpa name of the TCP source address) is true for
> > the reverse zones.  This requires policy enforcement in the server
> > but is doable.  Nameservers already have policy rules (e.g. tcp-self
> > has existed for years in named).  Adding more is not a hard thing
> > to do.
> >
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
> >
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
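The two bootstrap rules Mark sketches above (a forward zone accepts a KEY only for an owner name that does not exist yet; a reverse zone accepts a KEY only over TCP and only when the owner name is the in-addr.arpa/ip6.arpa name of the TCP source address, the "tcp-self" idea) are easy to misapply if the address-to-name mapping or the TCP requirement is dropped. The following is an added example, written for this page; it is not code from named, from ISC, or from anyone in the thread. It models the policy decision in Python so the checks can be exercised offline. The zone layout, names and addresses are constructed for the demo; `Zone`, `check_key_add` and `add_key` are names chosen here, not BIND configuration syntax.

```python
"""Policy checks for bootstrapping a SIG(0) KEY record via dynamic update.

Added example, not code from named or from the thread.  Models two rules:
  * forward zone: a KEY may be added only if the owner name has no records yet
  * reverse zone: a KEY may be added only if the update arrived over TCP and
    the owner name equals the reverse (in-addr.arpa / ip6.arpa) name of the
    TCP source address ("tcp-self")
All zone contents and addresses below are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class Zone:
    origin: str                                            # absolute, lowercase, e.g. "home.example."
    rrsets: Dict[str, Set[Tuple[str, str]]] = field(default_factory=dict)   # owner -> {(type, rdata)}

    def is_reverse(self) -> bool:
        return self.origin.endswith("in-addr.arpa.") or self.origin.endswith("ip6.arpa.")

    def contains(self, name: str) -> bool:
        return name == self.origin or name.endswith("." + self.origin)


def reverse_name(addr: str) -> str:
    """Absolute in-addr.arpa / ip6.arpa owner name for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(addr).reverse_pointer.lower() + "."


def check_key_add(zone: Zone, owner: str, src_addr: str, via_tcp: bool) -> Tuple[bool, str]:
    """Decide whether an update adding a KEY at `owner` is allowed. Returns (allowed, reason)."""
    owner = owner.lower()
    if not zone.contains(owner):
        return False, "owner name is outside the zone"
    if zone.is_reverse():
        # A UDP source address is trivially spoofed; only a completed TCP
        # handshake ties the update to the address it claims to come from.
        if not via_tcp:
            return False, "tcp-self: update must arrive over TCP"
        if reverse_name(src_addr) != owner:
            return False, "tcp-self: owner is not the reverse name of the source address"
        return True, "tcp-self: allowed"
    # Forward zone: first-come, first-served on a name that does not exist yet.
    if zone.rrsets.get(owner):
        return False, "forward zone: owner name already exists"
    return True, "forward zone: name is new, allowed"


def add_key(zone: Zone, owner: str, key_rdata: str, src_addr: str, via_tcp: bool) -> bool:
    """Apply the update if policy allows it; returns True when the KEY was installed."""
    allowed, _ = check_key_add(zone, owner, src_addr, via_tcp)
    if allowed:
        zone.rrsets.setdefault(owner.lower(), set()).add(("KEY", key_rdata))
    return allowed


def demo() -> Dict[str, bool]:
    """Run the constructed scenarios and return their outcomes by label."""
    fwd = Zone("home.example.", {"router.home.example.": {("A", "192.0.2.1")}})
    rev4 = Zone("2.0.192.in-addr.arpa.")
    rev6 = Zone("8.b.d.0.1.0.0.2.ip6.arpa.")
    key = "512 3 13 <constructed-key-material>"
    results = {
        "fwd new name":          add_key(fwd, "printer.home.example.", key, "192.0.2.7", via_tcp=False),
        "fwd same name again":   add_key(fwd, "printer.home.example.", key, "192.0.2.7", via_tcp=True),
        "fwd existing name":     add_key(fwd, "router.home.example.", key, "192.0.2.7", via_tcp=True),
        "rev4 tcp matching":     add_key(rev4, "7.2.0.192.in-addr.arpa.", key, "192.0.2.7", via_tcp=True),
        "rev4 udp matching":     add_key(rev4, "8.2.0.192.in-addr.arpa.", key, "192.0.2.8", via_tcp=False),
        "rev4 tcp wrong source": add_key(rev4, "9.2.0.192.in-addr.arpa.", key, "192.0.2.8", via_tcp=True),
        "rev6 tcp matching":     add_key(rev6, reverse_name("2001:db8::1"), key, "2001:db8::1", via_tcp=True),
    }
    return results


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label:24s} {'ALLOW' if ok else 'DENY'}")
```

The forward-zone rule is first-come, first-served: once a name holds any record, a later KEY add for it is refused, which is why "same name again" is denied after the first success. The reverse-zone rule never consults zone contents at all; it is purely a property of the transport and the source address.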