Re: [homenet] [EXT] securing zone transfer

Ted Lemon <mellon@fugue.com> Tue, 11 June 2019 19:13 UTC

From: Ted Lemon <mellon@fugue.com>
Message-Id: <FFD7BFEB-CF80-4624-8D34-210A6C79BE57@fugue.com>
Date: Tue, 11 Jun 2019 15:13:15 -0400
In-Reply-To: <cca26a8147924f1ab0d9447e3f083e0c@cira.ca>
Cc: Daniel Migault <daniel.migault@ericsson.com>, homenet <homenet@ietf.org>
To: Jacques Latour <Jacques.Latour@cira.ca>
References: <CADZyTkkgd8f49V+yoZvPZXx3b-_YRzpgUY1-obroq9QMLnFWNw@mail.gmail.com> <cca26a8147924f1ab0d9447e3f083e0c@cira.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/XeGHR3lGscklJJtA0Wur0c3oNpk>

On Jun 11, 2019, at 2:59 PM, Jacques Latour <Jacques.Latour@cira.ca> wrote:
> In trying to set up our secure home gateway project to have the external zone & primary DNS server set up and managed on the gateway itself, and to XFR back to secondary name servers somewhere, it turned out not to be functional or practical: first, the gateway does not know for sure which external NS are used by the secondary DNS service; second, the IPs of the WAN port might not be the internet-facing IPs, and this could break inbound connectivity. We're looking at using dynamic DNS updates for things that need internet connectivity, and having the primary DNS server on the mainland. TSIG & DNS over TLS look like a good option to look at.

Have you looked at draft-ietf-dnssd-srp (https://tools.ietf.org/html/draft-ietf-dnssd-srp-01)?
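The quoted message settles on TSIG-signed dynamic DNS updates from the gateway to a primary off the home network, and TSIG is also what authenticates the AXFR/IXFR path the subject line asks about. As an added illustration that is not code from this thread, the homenet list, or the secure home gateway project, the block below hand-rolls TSIG (RFC 8945, hmac-sha256) over a DNS UPDATE so it runs offline, and shows what the receiving primary has to check: the key name and algorithm, the MAC over the request plus the TSIG variables (using the original message ID, so a forwarder rewriting the ID does not break it), and the time-signed/fudge window that bounds replay of a captured update. The key name, secret, zone and owner names and the timestamp are constructed placeholders; in deployment the server's own TSIG implementation or a library such as dnspython does this, not this code.

```python
# Hand-rolled TSIG (RFC 8945, hmac-sha256) over a DNS UPDATE. Added example for the
# thread above, not code from the homenet project; all names, the key and the
# timestamp are constructed placeholders.
import hashlib
import hmac
import struct

KEY_NAME = "gateway-key.example."       # constructed placeholder
KEY_SECRET = bytes(range(32))           # constructed; a real key is random and shared out of band
ALGORITHM = "hmac-sha256."
FUDGE = 300                             # accepted clock skew in seconds (BIND's default)
TSIG_TYPE, CLASS_ANY = 250, 255


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name in canonical (lowercase) form."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_update(msg_id: int, zone: str, owner: str, ipv4: str) -> bytes:
    """Unsigned DNS UPDATE (opcode 5) adding one A record: ZO=1 PR=0 UP=1 AD=0."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)
    zone_entry = encode_name(zone) + struct.pack("!HH", 6, 1)            # SOA IN
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    a_rr = encode_name(owner) + struct.pack("!HHIH", 1, 1, 3600, 4) + rdata
    return header + zone_entry + a_rr


def tsig_variables(time_signed, fudge, error=0, other=b""):
    """TSIG RR fields covered by the MAC (RFC 8945 section 4.3.3)."""
    return (encode_name(KEY_NAME) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALGORITHM)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)


def sign(message: bytes, time_signed: int) -> bytes:
    """Client side: append a TSIG RR to the additional section and bump ARCOUNT."""
    mac = hmac.new(KEY_SECRET, message + tsig_variables(time_signed, FUDGE), hashlib.sha256).digest()
    rdata = (encode_name(ALGORITHM)
             + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF, FUDGE, len(mac))
             + mac + struct.pack("!HHH", struct.unpack("!H", message[:2])[0], 0, 0))
    tsig_rr = encode_name(KEY_NAME) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + tsig_rr


def _skip_name(buf: bytes, off: int) -> int:
    while buf[off]:
        if buf[off] & 0xC0 == 0xC0:      # compression pointer terminates the name
            return off + 2
        off += 1 + buf[off]
    return off + 1


def _last_rr_offset(msg: bytes) -> int:
    """Walk every section; TSIG must be the final RR of the additional section."""
    counts = struct.unpack("!HHHH", msg[4:12])
    off, last = 12, -1
    for _ in range(counts[0]):                       # zone/question entries
        off = _skip_name(msg, off) + 4
    for _ in range(sum(counts[1:])):                 # prereq, update, additional RRs
        last = off
        off = _skip_name(msg, off)
        off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]
    return last


def verify(signed: bytes, now: int) -> str:
    """Server side, in RFC 8945 section 5.3 order: key, then MAC, then time window."""
    start = _last_rr_offset(signed)
    if start < 0:
        return "REFUSED"                             # no RRs at all, so no TSIG
    off = _skip_name(signed, start)
    if struct.unpack("!H", signed[off:off + 2])[0] != TSIG_TYPE:
        return "REFUSED"                             # unsigned request; policy says refuse
    if signed[start:off] != encode_name(KEY_NAME):
        return "BADKEY"
    off += 10                                        # past type, class, ttl, rdlength
    alg_end = _skip_name(signed, off)
    if signed[off:alg_end] != encode_name(ALGORITHM):
        return "BADKEY"
    hi, lo, fudge, mac_len = struct.unpack("!HIHH", signed[alg_end:alg_end + 10])
    time_signed, mac = (hi << 32) | lo, signed[alg_end + 10:alg_end + 10 + mac_len]
    tail = alg_end + 10 + mac_len
    orig_id, error, other_len = struct.unpack("!HHH", signed[tail:tail + 6])
    other = signed[tail + 6:tail + 6 + other_len]
    # Rebuild the request as it was signed: original ID, ARCOUNT without the TSIG RR, TSIG removed.
    arcount = struct.unpack("!H", signed[10:12])[0] - 1
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", arcount) + signed[12:start]
    expected = hmac.new(KEY_SECRET, unsigned + tsig_variables(time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):       # constant-time comparison
        return "BADSIG"
    if abs(now - time_signed) > fudge:               # bounds replay of a captured update
        return "BADTIME"
    return "NOERROR"


if __name__ == "__main__":
    NOW = 1700000000                                 # constructed timestamp
    req = sign(build_update(0x1234, "example.", "cam1.example.", "192.0.2.10"), NOW)
    print(verify(req, NOW))                                                         # NOERROR
    print(verify(req.replace(bytes([192, 0, 2, 10]), bytes([192, 0, 2, 99])), NOW))  # BADSIG
    print(verify(req, NOW + 3600))                                                  # BADTIME
```

The three printed cases are the ones a primary accepting updates from a gateway cares about: a genuine update passes, a modified record body fails the MAC, and the same signed update replayed outside the fudge window is rejected even though its MAC is still valid. The fudge window is why the gateway's clock matters in this design; a gateway without a trustworthy time source will see BADTIME from the primary long before anything else goes wrong.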