Re: [homenet] I-D Action: draft-ietf-homenet-dot-11.txt (FINAL?)
Ted Lemon <mellon@fugue.com> Wed, 09 August 2017 15:54 UTC
From: Ted Lemon <mellon@fugue.com>
Date: Wed, 09 Aug 2017 11:53:42 -0400
Message-ID: <CAPt1N1mkOheWcQAispL7zpK=Whcjm=7ibjJcv9-DuNJKFyBiXw@mail.gmail.com>
To: Mark Andrews <marka@isc.org>
Cc: HOMENET <homenet@ietf.org>, Warren Kumari <warren@kumari.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/UcdQkuuGAOqr51Ggym25NLlfuNw>
What does forwarding DS lookups for home.arpa out of the homenet do? That is, suppose I implement a cache that doesn't do this: what bad thing happens? It's going to return NXDOMAIN, right? Isn't it the NSEC lookups that have to succeed, and the NS record lookup? And doesn't the NS record have to be forged? I think this actually means that it does have to be an unsigned delegation. Argh.

Hm, thinking farther, no, it doesn't, because it's okay to return the right answer for the delegation as long as the stub resolver is willing to rely on the cache, which we've already specified it must do. So what's the failure mode that this new text prevents? Oh, you have to look up the DS record to get the NSEC that validates it?

(I'm leaving in all of the stuff I typed while I was thinking this through because I'm not sure I got it right, and you can point out what I got wrong.)

On Tue, Aug 8, 2017 at 11:17 PM, Mark Andrews <marka@isc.org> wrote:

> In message <79597E4D-DEC0-4622-A410-003B45EB5E6A@fugue.com>, Ted Lemon writes:
> > I updated homenet-dot with the change that Mark requested regarding
> > signed, unsigned and insecure delegations. I believe the text is
> > correct now, but would appreciate a sanity check. Otherwise, I think
> > it's up to the chairs to make the next move.
>
> I would explicitly list DS home.arpa as an exception. (I had to file
> a bug report against a recursive server that failed to have this
> exception this week for AS112 zones. The bug has been fixed.) Also
> I wouldn't be using '.home.arpa.' as we also want to stop queries
> for 'home.arpa' leaving the home. There are a couple of references
> to '.home.arpa'.
>
> e.g.
>
> Old:
> DNS queries for names ending with '.home.arpa.' are resolved using
> local resolvers on the homenet. Such queries MUST NOT be recursively
> forwarded to servers outside the logical boundaries of the homenet.
>
> New:
> DNS queries for names ending with 'home.arpa.' are resolved using
> local resolvers on the homenet. Such queries MUST NOT be recursively
> forwarded to servers outside the logical boundaries of the homenet with
> the exception of DS lookups for 'home.arpa.'.
>
> Mark
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
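The forwarding rule in Mark's proposed text, written out as a small policy check (an added example, not code from the draft, from ISC or from any resolver). It matches 'home.arpa' label by label rather than as a string suffix, so the apex name itself is covered (Mark's point about '.home.arpa.' versus 'home.arpa.') while an unrelated name such as 'myhome.arpa.' is not, and it carves out the single DS exception for the apex. The function and constant names are this example's own.

```python
"""Forwarding policy for 'home.arpa' queries as proposed on the homenet
list: names at or under home.arpa are answered by local resolvers and are
not forwarded outside the homenet, with one exception: a DS query for the
apex name 'home.arpa.' itself. Added example; not the draft's own code."""

from typing import List

SPECIAL_USE_NAME = "home.arpa."   # the special-use name under discussion


def labels(name: str) -> List[str]:
    """Split a presentation-format name into lower-cased labels.
    'Home.ARPA' and 'home.arpa.' both normalise to ['home', 'arpa']."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def is_at_or_under(name: str, zone: str) -> bool:
    """Label-wise suffix test. Unlike a plain string suffix check, this
    does not treat 'myhome.arpa.' as belonging to 'home.arpa.'."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def may_forward_outside_homenet(qname: str, qtype: str) -> bool:
    """True if a recursive resolver inside the homenet may send this
    query to servers outside the homenet's logical boundary."""
    if not is_at_or_under(qname, SPECIAL_USE_NAME):
        return True     # ordinary global name: normal recursion applies
    # The exception from the thread: the DS record for 'home.arpa.' (or
    # the NSEC/NSEC3 proving there is none) is held by the parent zone,
    # so a validating resolver must be allowed to fetch it from outside.
    if qtype.upper() == "DS" and labels(qname) == labels(SPECIAL_USE_NAME):
        return True
    return False        # everything else stays inside the homenet


def classify(qname: str, qtype: str) -> str:
    """Human-readable decision for a (qname, qtype) pair."""
    return "forward" if may_forward_outside_homenet(qname, qtype) else "local"


if __name__ == "__main__":
    # Constructed sample queries covering the cases raised in the thread.
    for q in [("printer.home.arpa.", "AAAA"), ("home.arpa.", "SOA"),
              ("home.arpa.", "DS"), ("sub.home.arpa", "DS"),
              ("myhome.arpa.", "A"), ("example.com.", "A")]:
        print(f"{q[0]:22} {q[1]:5} -> {classify(*q)}")
```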