Re: [homenet] securing zone transfer

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 11 June 2019 13:54 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93E9C120170 for <homenet@ietfa.amsl.com>; Tue, 11 Jun 2019 06:54:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9VZtvgrovhyH for <homenet@ietfa.amsl.com>; Tue, 11 Jun 2019 06:54:37 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FB53120225 for <homenet@ietf.org>; Tue, 11 Jun 2019 06:54:36 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id E4E8838186; Tue, 11 Jun 2019 09:53:12 -0400 (EDT)
Received: by sandelman.ca (Postfix, from userid 179) id 1195DFF6; Tue, 11 Jun 2019 09:54:35 -0400 (EDT)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 0F1FCC0C; Tue, 11 Jun 2019 09:54:35 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: homenet <homenet@ietf.org>, Juliusz Chroboczek <jch@irif.fr>
cc: Daniel Migault <daniel.migault@ericsson.com>
In-Reply-To: <878su8fj24.wl-jch@irif.fr>
References: <CADZyTkkgd8f49V+yoZvPZXx3b-_YRzpgUY1-obroq9QMLnFWNw@mail.gmail.com> <878su8fj24.wl-jch@irif.fr>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Date: Tue, 11 Jun 2019 09:54:35 -0400
Message-ID: <2348.1560261275@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/PsL8lnidh8_EJcrw9JuvdHMmk_4>
Subject: Re: [homenet] securing zone transfer
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jun 2019 13:54:48 -0000

Juliusz Chroboczek <jch@irif.fr>; wrote:
    >> The front end naming architecture uses a primary and a secondary dns server to
    >> synchronize a zone.

    > People will recall that the need for a hidden primary hasn't been
    > established yet.  Please see my unanswered e-mail of 21 November 2018.

    > https://mailarchive.ietf.org/arch/msg/homenet/vz1kdCJISN6UPNZpj9ZD4e8EdwQ

We strongly believe that the HNA needs to know the list of names in order to
be able to answer for those names when there is unstable (or no) Internet connectivity.

Otherwise, applications and people have to know two different names for the
service. (A public one for when away, and the .local one)

In our current draft we have:

2.1.  Alternative solutions

   An alternative to having a single zone is what is currently common
   with IPv4, where a host uses a RESTful HTTP service to register a
   single name into a common public zone.  This is often called "Dynamic
   DNS", and there are a number of commercial providers, including
   dyn.com, ghandi.com.  These solutions were typically used by a host
   behind the CPE to make it's CPE IPv4 address visible, usually in
   order to enable incoming connections.

   For a small number (one to three) of hosts, use of such a system
   provides an alternative to the architecture described in this
   document.  The alternative does suffer from some limitations:

   o  the CPE/HNA router is unaware of the process, and can not answer
      for the same names when there are disruptions in connectivity.
      This makes the home user using different names when there are
      disruptions.

   o  the CPE/HNA router can not control the process.  Any host can do
      this regardless of whether or not the home network administrator
      wants the name published or not.  There is therefore no possible
      audit trail.

   o  the credentials for the dynamic DNS server need to be securely
      transferred to the hosts that wish to use it.  This is not a
      problem for a technical user to do with one or two hosts, but it
      does not scale to multiple hosts and becomes a problem for non-
      technical users.

   o  "all the good names are taken" - current services put everyone's
      names into a some set of zones, and there are often conflicts.
      Distinguishing similar names by delegation of zones was among the
      primary design goals of the DNS system.

   There is no technical reason why a RESTful cloud service could not
   provide solutions to many of these problems, but this document
   describes a DNS based solution.

--
Michael Richardson <mcr+IETF@sandelman.ca>;, Sandelman Software Works
 -= IPv6 IoT consulting =-