Re: [homenet] I-D Action: draft-ietf-homenet-dot-11.txt (FINAL?)

Ted Lemon <mellon@fugue.com> Wed, 09 August 2017 15:54 UTC

From: Ted Lemon <mellon@fugue.com>
Date: Wed, 09 Aug 2017 11:53:42 -0400
Message-ID: <CAPt1N1mkOheWcQAispL7zpK=Whcjm=7ibjJcv9-DuNJKFyBiXw@mail.gmail.com>
To: Mark Andrews <marka@isc.org>
Cc: HOMENET <homenet@ietf.org>, Warren Kumari <warren@kumari.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/UcdQkuuGAOqr51Ggym25NLlfuNw>

What does forwarding DS lookups for home.arpa out of the homenet do?   That
is, suppose I implement a cache that doesn't do this: what bad thing
happens?   It's going to return NXDOMAIN, right?   Isn't it the NSEC
lookups that have to succeed, and the NS record lookup?   And doesn't the
NS record have to be forged?

I think this actually means that it does have to be an unsigned delegation. Argh.

Hm, thinking farther, no, it doesn't, because it's okay to return the right
answer for the delegation as long as the stub resolver is willing to rely
on the cache, which we've already specified it must do.   So what's the
failure mode that this new text prevents?  Oh, you have to look up the DS
record to get the NSEC that validates it?

(I'm leaving in all of the stuff I typed while I was thinking this through
because I'm not sure I got it right, and you can point out what I got
wrong.)

On Tue, Aug 8, 2017 at 11:17 PM, Mark Andrews <marka@isc.org> wrote:

>
> In message <79597E4D-DEC0-4622-A410-003B45EB5E6A@fugue.com>, Ted Lemon
> writes:
> > I updated homenet-dot with the change that Mark requested regarding
> > signed, unsigned and insecure delegations.   I believe the text is
> > correct now, but would appreciate a sanity check.   Otherwise, I think
> > it's up to the chairs to make the next move.
>
> I would explicitly list DS home.arpa as an exception.  (I had to file
> a bug report against a recursive server that failed to have this
> exception this week for AS112 zones.  The bug has been fixed.)  Also
> I wouldn't be using '.home.arpa.' as we also want to stop queries
> for 'home.arpa' leaving the home.  There are a couple of references
> to '.home.arpa'.
>
> e.g.
>
> Old:
>    DNS queries for names ending with '.home.arpa.' are resolved using
>    local resolvers on the homenet.  Such queries MUST NOT be recursively
>    forwarded to servers outside the logical boundaries of the homenet.
>
> New:
>    DNS queries for names ending with 'home.arpa.' are resolved using
>    local resolvers on the homenet.  Such queries MUST NOT be recursively
>    forwarded to servers outside the logical boundaries of the homenet with
>    the exception of DS lookups for 'home.arpa.'.
>
> Mark
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
>
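As an added illustration of the forwarding rule in Mark's "New:" text (this is example code written for this page, not the draft's or any resolver's code): a policy check that keeps queries under home.arpa inside the homenet, matches the apex 'home.arpa.' itself rather than only '.home.arpa.', does not mistake 'myhome.arpa.' for the zone, and carves out the single DS exception. The name and type representations (dotted strings, upper-case type mnemonics) are assumptions of the example.

```python
from typing import List

# Constructed for this example: the special-use zone the draft describes.
HOMENET_ZONE = "home.arpa."


def _labels(name: str) -> List[str]:
    """Normalise a domain name to lower-case labels, tolerating a missing root dot."""
    name = name.lower()
    if not name.endswith("."):
        name += "."
    return [label for label in name.split(".") if label]  # drop the empty root label


def in_homenet_zone(qname: str) -> bool:
    """True for 'home.arpa.' itself and for every name below it.

    The comparison is label-wise. A plain string suffix test on '.home.arpa.'
    would miss the apex (the thing Mark's edit fixes), and one on 'home.arpa.'
    would wrongly capture unrelated names such as 'myhome.arpa.'.
    """
    q = _labels(qname)
    z = _labels(HOMENET_ZONE)
    return len(q) >= len(z) and q[-len(z):] == z


def may_forward_outside(qname: str, qtype: str) -> bool:
    """Decide whether a query may be recursively forwarded outside the homenet.

    Names under home.arpa stay local, with one exception: DS for home.arpa.
    The DS RRset for a child zone (or the NSEC/NSEC3 proving there is none)
    lives in the parent zone 'arpa', which the homenet does not serve, so a
    validating resolver has to fetch it externally to establish that the
    delegation is insecure. DS for names *below* the apex is not excepted.
    """
    if not in_homenet_zone(qname):
        return True
    return qtype.upper() == "DS" and _labels(qname) == _labels(HOMENET_ZONE)


def route_query(qname: str, qtype: str) -> str:
    """Return 'external' or 'local' for dispatch or logging."""
    return "external" if may_forward_outside(qname, qtype) else "local"
```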