Re: [homenet] Updating DNS [was: How many people have installed the homenet code?]

[Ted Lemon <mellon@fugue.com>]

Hm. Ok, good news. Makes the job a wee bit easier.
On May 11, 2016 10:57 PM, "Mark Andrews" <marka@isc.org> wrote:


In message <CAPt1N1nOFM5cQd+WXTtJR9-Gg=
ztyCeDqC7RRFhcfhzyGZX-zg@mail.gmail.com>, Ted Lemon writes:
> You don't even need SIG(0) to get the level of security that mDNS
provides.
> And SIG(0) doesn't work right now, because it relies on an older version
> of DNSSEC keys.   Remember the flag day?

DNSSEC depends on DNSKEY as of RFC 403[345]
SIG(0) depends on KEY.

The flag day seperated DNSSEC from other uses of KEY.  It did not
say "stop using KEY for everything" just for DNSSEC.

Mark

> On Wed, May 11, 2016 at 8:33 PM, Mark Andrews <marka@isc.org> wrote:
>
> >
> > SIG(0) works fine for DDNS once you have a KEY record installed in
> > the DNS.
> >
> > KEY can be installed on a "add if name does not exist basis" for
> > forward zone and add if TCP self (owner name is the matching
> > in-addr.arpa/ip6.arpa name of the TCP source address) is true for
> > the reverse zones.  This requires policy enforcement in the server
> > but is do able.  nameservers already have policy rules (e.g. tcp-self
> > has existed for years in named).  Adding more is not a hard thing
> > to do.
> >
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
> >
>
> --001a11c26b2ae5fabf05329b6f8a
> Content-Type: text/html; charset=UTF-8
> Content-Transfer-Encoding: quoted-printable
>
> <div dir=3D"ltr">You don&#39;t even need SIG(0) to get the level of
securit=
> y that mDNS provides. =C2=A0 And SIG(0) doesn&#39;t work right now,
because=
>  it relies on an older version of DNSSEC keys. =C2=A0 Remember the flag
day=
> ?</div><div class=3D"gmail_extra"><br><div class=3D"gmail_quote">On Wed,
Ma=
> y 11, 2016 at 8:33 PM, Mark Andrews <span dir=3D"ltr">&lt;<a
href=3D"mailto=
> :marka@isc.org" target=3D"_blank">marka@isc.org</a>&gt;</span>
wrote:<br><b=
> lockquote class=3D"gmail_quote" style=3D"margin:0 0 0
.8ex;border-left:1px =
> #ccc solid;padding-left:1ex"><br>
> SIG(0) works fine for DDNS once you have a KEY record installed in<br>
> the DNS.<br>
> <br>
> KEY can be installed on a &quot;add if name does not exist basis&quot;
for<=
> br>
> forward zone and add if TCP self (owner name is the matching<br>
> in-addr.arpa/ip6.arpa name of the TCP source address) is true for<br>
> the reverse zones.=C2=A0 This requires policy enforcement in the
server<br>
> but is do able.=C2=A0 nameservers already have policy rules (e.g.
tcp-self<=
> br>
> has existed for years in named).=C2=A0 Adding more is not a hard thing<br>
> to do.<br>
> <span class=3D"HOEnZb"><font color=3D"#888888"><br>
> --<br>
> Mark Andrews, ISC<br>
> 1 Seymour St., Dundas Valley, NSW 2117, Australia<br>
> PHONE: <a href=3D"tel:%2B61%202%209871%204742" value=3D"+61298714742">+61
2=
>  9871 4742</a>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
> =A0INTERNET: <a href=3D"mailto:marka@isc.org">marka@isc.org</a><br>
> </font></span></blockquote></div><br></div>
>
> --001a11c26b2ae5fabf05329b6f8a--
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org