Re: [homenet] [EXT] securing zone transfer

Jacques Latour <Jacques.Latour@cira.ca> Tue, 11 June 2019 19:00 UTC

From: Jacques Latour <Jacques.Latour@cira.ca>
To: Daniel Migault <daniel.migault@ericsson.com>, homenet <homenet@ietf.org>
Date: Tue, 11 Jun 2019 18:59:59 +0000
Message-ID: <cca26a8147924f1ab0d9447e3f083e0c@cira.ca>
References: <CADZyTkkgd8f49V+yoZvPZXx3b-_YRzpgUY1-obroq9QMLnFWNw@mail.gmail.com>
In-Reply-To: <CADZyTkkgd8f49V+yoZvPZXx3b-_YRzpgUY1-obroq9QMLnFWNw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/V85EZhcZeNXbNxGxztnWrKt0ufQ>
Subject: Re: [homenet] [EXT] securing zone transfer

Daniel,

In trying to set up our secure home gateway project to have the external zone & primary DNS server set up and managed on the gateway itself and to XFR back to secondary name servers somewhere, it turned out not to be functional or practical: first, the gateway does not know for sure which external NS are used by the secondary DNS service; second, the IPs of the WAN port might not be the internet-facing IPs, and this could break inbound connectivity. We're looking at using dynamic DNS updates for things that need internet connectivity, and having the primary DNS server on the mainland. TSIG & DNS over TLS look like a good option to look at.

Jacques



From: homenet <homenet-bounces@ietf.org> On Behalf Of Daniel Migault
Sent: June 7, 2019 4:03 PM
To: homenet <homenet@ietf.org>
Subject: [EXT] [homenet] securing zone transfer

Hi,

The front end naming architecture uses a primary and a secondary DNS server to synchronize a zone. The expected exchanges are (SOA, NOTIFY, IXFR, AXFR). We would like to get feedback from the working group on what the most appropriate way to secure this channel is.

Options we have considered are TSIG, IPsec, TLS, DTLS. TSIG does not provide confidentiality, and we would rather go for user space security. Are there any recommendations for using TLS or DTLS in that case?

Any thoughts would be helpful.

Yours,
Daniel
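To make concrete what Daniel's remark about TSIG covers, here is an added example (not code from either poster) that signs an AXFR request with TSIG hmac-sha256 per RFC 8945 and verifies it; the key name xfer-key.example., the zone example.home.arpa. and the secret are constructed placeholders. The question section stays readable on the wire: TSIG authenticates the request and binds it to a time window, but leaves the confidentiality gap that TLS or DTLS would close.

```python
import hashlib
import hmac
import struct

TSIG_TYPE, CLASS_ANY, QTYPE_AXFR, CLASS_IN = 250, 255, 252, 1
ALGO = "hmac-sha256"
KEY = b"constructed-demo-secret-not-a-real-key"  # constructed placeholder secret
KEYNAME, ZONE = "xfer-key.example.", "example.home.arpa."  # constructed names

def wire_name(name):
    """Dotted name -> DNS wire format (length-prefixed labels plus root terminator)."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"

def axfr_query(zone, qid):
    """Unsigned AXFR query: 12-byte header with QDCOUNT=1, then one question."""
    return struct.pack("!6H", qid, 0, 1, 0, 0, 0) + wire_name(zone) + struct.pack("!HH", QTYPE_AXFR, CLASS_IN)

def tsig_variables(keyname, time_signed, fudge):
    """TSIG fields covered by the MAC (RFC 8945 section 4.3.3): name, class ANY, TTL 0, algorithm,
    48-bit time signed, fudge, error 0 and empty other data (a request carries neither)."""
    return (wire_name(keyname.lower()) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(ALGO)
            + struct.pack("!Q", time_signed)[2:] + struct.pack("!HHH", fudge, 0, 0))

def sign_request(key, keyname, msg, time_signed, fudge=300):
    """Append a TSIG RR to an unsigned request; ARCOUNT grows by one, nothing is encrypted."""
    mac = hmac.new(key, msg + tsig_variables(keyname, time_signed, fudge), hashlib.sha256).digest()
    rdata = (wire_name(ALGO) + struct.pack("!Q", time_signed)[2:] + struct.pack("!HH", fudge, len(mac))
             + mac + msg[:2] + struct.pack("!HH", 0, 0))  # original ID, error 0, other len 0
    rr = wire_name(keyname) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr

def verify_request(key, keyname, signed, now):
    """Find the trailing TSIG RR, rebuild the unsigned message, check time window and MAC."""
    name = wire_name(keyname)
    start = signed.rfind(name + struct.pack("!HH", TSIG_TYPE, CLASS_ANY))
    if start < 0:
        return False
    rdata, off = signed[start + len(name) + 10:], len(wire_name(ALGO))
    time_signed = int.from_bytes(rdata[off:off + 6], "big")
    fudge, mac_size = struct.unpack("!HH", rdata[off + 6:off + 10])
    mac = rdata[off + 10:off + 10 + mac_size]
    arcount = struct.unpack("!H", signed[10:12])[0] - 1
    unsigned = signed[:10] + struct.pack("!H", arcount) + signed[12:start]
    expected = hmac.new(key, unsigned + tsig_variables(keyname, time_signed, fudge), hashlib.sha256).digest()
    return abs(now - time_signed) <= fudge and hmac.compare_digest(mac, expected)

SIGNED = sign_request(KEY, KEYNAME, axfr_query(ZONE, 0x1234), time_signed=1560279600)
```

A secondary that rejects any transfer request failing verify_request gets authentication and replay limiting; only wrapping the same exchange in TLS hides the zone name and contents from the path.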