Re: [homenet] Paul Wouters' Discuss on draft-ietf-homenet-naming-architecture-dhc-options-21: (with DISCUSS)

Paul Wouters <paul.wouters@aiven.io> Mon, 24 October 2022 23:20 UTC

References: <166624546383.55524.17919861797763262507@ietfa.amsl.com> <CADZyTk=GD1k9RfdLoddCWqKCr8yQvoOm1+df0gAzp92oKRWzdw@mail.gmail.com> <CAGL5yWYoMaFxL+UWwYDkYaJ2Y6tckH_0n2HL4wLxYTMCZsctbQ@mail.gmail.com> <CADZyTkmXunv9oZyGtwq0LKBtEHLVdcW4qGOcYtSCvkhbHXxs1w@mail.gmail.com>
In-Reply-To: <CADZyTkmXunv9oZyGtwq0LKBtEHLVdcW4qGOcYtSCvkhbHXxs1w@mail.gmail.com>
From: Paul Wouters <paul.wouters@aiven.io>
Date: Mon, 24 Oct 2022 19:20:23 -0400
Message-ID: <CAGL5yWbjq_k72KD6N9ikb3G7S13pVRdbdOf2yRZ7yOwLe-3ARQ@mail.gmail.com>
To: Daniel Migault <mglt.ietf@gmail.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-homenet-naming-architecture-dhc-options@ietf.org, homenet-chairs@ietf.org, homenet@ietf.org, stephen.farrell@cs.tcd.ie
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/LmLBlkbQjCcU1DOiXb1rdpTfvLY>
Subject: Re: [homenet] Paul Wouters' Discuss on draft-ietf-homenet-naming-architecture-dhc-options-21: (with DISCUSS)

On Sun, Oct 23, 2022 at 10:45 PM Daniel Migault <mglt.ietf@gmail.com> wrote:

> While TLS gives you privacy,
>> the DNS Update cannot be done with only TLS (as far as I understand it).
>>>
>>> Please develop, but just in case, we do not use DNS Update to
>>> synchronize the zone. We use AXFR/IXFR over TLS defined in XoT.
This to me was not clear and a missed reference by me. While you name
RFC9103, the text states:

DNS over TLS: indicates the support of DNS over TLS as described in
   [RFC7858 <https://datatracker.ietf.org/doc/html/rfc7858>] and
[RFC9103 <https://datatracker.ietf.org/doc/html/rfc9103>].

I should have looked more closely at the references, and I would have
realized 9103 is about DNS XFR over TLS. That document indeed explains
that XoT uses mutually authenticated TLS which provides the authentication
for the XFR streams.

My suggestion:

Current:

DNS over TLS: indicates the support of DNS over TLS as described in
   [RFC7858 <https://datatracker.ietf.org/doc/html/rfc7858>] and
[RFC9103 <https://datatracker.ietf.org/doc/html/rfc9103>].

New:

DNS Zone Transfer over TLS: indicates the support of DNS Zone Transfer over
TLS as described in [RFC9103].

The reference to RFC7858 is misleading - it only deals with stub to
recursive.

If you think stub to recursive is in scope, it might be better to use two
DHCP options, as these two things seem to be very separate protocols (that
just both happen to use DNS and TLS).

>> So you are going against the RFC 5936 SHOULD.
>>
>> I even had to look this up because I didn't know you could do an AXFR as
>> a secondary from a primary without DNS-level authentication. Apparently
>> you can, but you SHOULD not.
>>
>> That is what we do. TLS provides enough security to replace TSIG / SIG(0).

Reading 9103 made that clear to me now, but the text in the document did
not. Perhaps that can be stated more clearly?

Paul