Re: [homenet] [EXT] securing zone transfer

Daniel Migault <daniel.migault@ericsson.com> Wed, 12 June 2019 02:20 UTC

From: Daniel Migault <daniel.migault@ericsson.com>
Date: Tue, 11 Jun 2019 22:20:04 -0400
Message-ID: <CADZyTkmm_kW_EV70A2w3_bF2MWskqU2=QOxTf8rAgHPqD0BzRQ@mail.gmail.com>
To: Jacques Latour <Jacques.Latour@cira.ca>
Cc: homenet <homenet@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/SL75P_FCp4WE2LoTOcAntvIY1lE>

Hi Jacques,

I agree the HNA cannot generate the full zone out of the box and needs some
information such as the NS. It also needs some information to configure the
primary / secondary relation, such as the IP of what we now call the
Distribution Master. DNS update on a specific zone seems tempting,
especially as there is available code for it. Though I might be biased, I
am not sure we need TSIG. I need more thoughts.

Yours,
Daniel

On Tue, Jun 11, 2019 at 3:00 PM Jacques Latour <Jacques.Latour@cira.ca>
wrote:

> Daniel,
>
> In trying to set up our secure home gateway project to have the external
> zone & primary DNS server set up and managed on the gateway itself and to
> XFR back to secondary name servers somewhere turned out not to be functional
> or practical: first, the gateway does not know for sure which external NS
> are used by the secondary DNS service; second, the IPs of the WAN port might
> not be the internet-facing IPs and this could break inbound connectivity.
> We’re looking at using dynamic DNS updates for things that need internet
> connectivity, and have the primary DNS server on the mainland. TSIG &
> DNS over TLS look like a good option to look at.
>
> Jacques
>
> From: homenet <homenet-bounces@ietf.org> On Behalf Of Daniel Migault
> Sent: June 7, 2019 4:03 PM
> To: homenet <homenet@ietf.org>
> Subject: [EXT] [homenet] securing zone transfer
>
> Hi,
>
> The front end naming architecture uses a primary and a secondary DNS
> server to synchronize a zone. The expected exchanges are (SOA, NOTIFY,
> IXFR, AXFR). We would like to get feedback from the working group on what
> is the most appropriate way to secure this channel.
>
> Options we have considered are TSIG, IPsec, TLS, DTLS. TSIG does not
> provide confidentiality, and we would rather go for user space security.
> Are there any recommendations for using TLS or DTLS in that case?
>
> Any thoughts would be helpful.
>
> Yours,
>
> Daniel
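As an added illustration of the point raised in the thread (TSIG authenticates the primary/secondary exchange but leaves it in cleartext), the following Python sketch, which is not from the list discussion or any IETF document, computes and verifies a TSIG-style HMAC-SHA256 over a constructed SOA query following the RFC 8945 digest layout. The key, key name and zone are constructed values, and the TSIG RR that would carry the MAC in the additional section is not built.

```python
import hmac
import hashlib
import struct

# Constructed demo key and key name (not from the thread); a real deployment
# provisions a random shared secret on both the HNA and the Distribution Master.
KEY = bytes(range(32))
KEY_NAME = "hna-dm-key.example."
ALGORITHM = "hmac-sha256."  # TSIG algorithm name, wire-encoded like a domain name


def encode_name(name: str) -> bytes:
    """Domain name in uncompressed DNS wire format (length-prefixed labels)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_soa_query(zone: str, msg_id: int = 0x1234) -> bytes:
    """Minimal DNS query: 12-byte header plus one question (QTYPE SOA=6, QCLASS IN=1)."""
    header = struct.pack("!HHHHHH", msg_id, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", 6, 1)


def tsig_variables(time_signed: int, fudge: int = 300) -> bytes:
    """TSIG variables covered by the MAC: key name, class ANY (255), TTL 0, algorithm,
    48-bit time signed, fudge, error=0, other-len=0 (RFC 8945, section 4.3.3)."""
    return (encode_name(KEY_NAME) + struct.pack("!HI", 255, 0) + encode_name(ALGORITHM)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge, 0, 0))


def tsig_sign(msg: bytes, time_signed: int) -> bytes:
    """MAC over the unsigned DNS message followed by the TSIG variables."""
    return hmac.new(KEY, msg + tsig_variables(time_signed), hashlib.sha256).digest()


def tsig_verify(msg: bytes, mac: bytes, time_signed: int) -> bool:
    """Recompute the MAC with the shared key and compare in constant time."""
    return hmac.compare_digest(tsig_sign(msg, time_signed), mac)


def demo() -> dict:
    zone = "home.example."      # constructed zone name
    t = 1560306004              # fixed time-signed value so the run is reproducible
    msg = build_soa_query(zone)
    mac = tsig_sign(msg, t)
    tampered = bytearray(msg)
    tampered[13] ^= 0x01        # flip one bit inside the question name
    return {
        "valid": tsig_verify(msg, mac, t),                      # integrity: genuine message passes
        "tampered_valid": tsig_verify(bytes(tampered), mac, t), # integrity: modified message fails
        "zone_in_clear": encode_name(zone) in msg,              # no confidentiality: name is readable
    }
```

The `zone_in_clear` result is the practical consequence the thread points at: TSIG lets the secondary reject forged NOTIFY or XFR traffic, but an on-path observer still reads every record, which is why the TLS/DTLS options are on the table.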