Re: [homenet] Updating DNS [was: How many people have installed the homenet code?]

"Ray Hunter (v6ops)" <v6ops@globis.net> Wed, 18 May 2016 09:03 UTC

Return-Path: <v6ops@globis.net>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E32612D195 for <homenet@ietfa.amsl.com>; Wed, 18 May 2016 02:03:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I12R_M4TRMSL for <homenet@ietfa.amsl.com>; Wed, 18 May 2016 02:03:36 -0700 (PDT)
Received: from globis01.globis.net (092-111-140-212.static.chello.nl [92.111.140.212]) by ietfa.amsl.com (Postfix) with ESMTP id 1019F12D17E for <homenet@ietf.org>; Wed, 18 May 2016 02:03:36 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by globis01.globis.net (Postfix) with ESMTP id 7CA2240347; Wed, 18 May 2016 11:03:33 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at globis01.globis.net
Received: from globis01.globis.net ([127.0.0.1]) by localhost (mail.globis.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Ef4TJtvt485; Wed, 18 May 2016 11:03:29 +0200 (CEST)
Received: from Mac-a45e60d143f5.local (dhcp-089-098-157-249.chello.nl [89.98.157.249]) (Authenticated sender: v6ops@globis.net) by globis01.globis.net (Postfix) with ESMTPA id B69BF40344; Wed, 18 May 2016 11:03:29 +0200 (CEST)
Message-ID: <573C2FE0.4080701@globis.net>
Date: Wed, 18 May 2016 11:03:28 +0200
From: "Ray Hunter (v6ops)" <v6ops@globis.net>
User-Agent: Postbox 4.0.8 (Macintosh/20151105)
MIME-Version: 1.0
To: Ted Lemon <mellon@fugue.com>
References: <6E709688-414A-4AFB-AEAE-56BAE0469583@coote.org> <57333B3F.7000009@globis.net> <CC759790-4F9B-47B8-A42C-A85F78AC9773@jisc.ac.uk> <57335AB6.8060305@globis.net> <87mvnwh81u.wl-jch@pps.univ-paris-diderot.fr> <CAPt1N1nu98pXdDzVgZ2yW7xe8mwA=O+zmoGS8XLs_NLbNUaKFQ@mail.gmail.com> <57337274.1040000@globis.net> <CAPt1N1=mVBM-Dyg50eAv4Lz4XK1Hfe1SgHH5osR9fuhJhc0DWQ@mail.gmail.com> <57344249.8070907@globis.net> <874ma3s9pc.wl-jch@pps.univ-paris-diderot.fr> <57348817.1090200@globis.net> <CAPt1N1nWJJx_38Z_G8085w3Kwnd=_6gX3FBLjFMQcDm9sTdFtQ@mail.gmail.com> <5735B02D.8080304@globis.net> <CAPt1N1kAks=pAF-rcHRGWFbWLgWN5qEPZK+-6=c4VeZRi5VHcQ@mail.gmail.com> <CAPt1N1m96gpEz4GXrpr+eA3OjQyhQfbAACyi83noYovE1WSx7Q@mail.gmail.com> <CAPt1N1nkCRG6S2QJ9KqzhTrneN3SpnEQ8vWZO4f4gWwT9g-+dA@mail.gmail.com> <57371F60.6060605@globis.net> <CAPt1N1kMtZ+TKveVxN-Lq5C4tKmBdMNy7n7zRyN0wVyQEZjE+g@mail.gmail.com>
In-Reply-To: <CAPt1N1kMtZ+TKveVxN-Lq5C4tKmBdMNy7n7zRyN0wVyQEZjE+g@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------070900070008060304010408"
Archived-At: <http://mailarchive.ietf.org/arch/msg/homenet/YmBPkGAoC6GvvJNy0cqrLIOrOK0>
Cc: homenet@ietf.org, Juliusz Chroboczek <jch@pps.univ-paris-diderot.fr>
Subject: Re: [homenet] Updating DNS [was: How many people have installed the homenet code?]
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 May 2016 09:03:37 -0000


> Ted Lemon <mailto:mellon@fugue.com>
> 14 May 2016 15:18
> The only problem with that is that in the homenet ideally we'd like to 
> have local names signed and validatable via DNSSEC, and that requires 
> that the local namespace be global in scope, even if the names 
> published in that namespace are not.
>
Not necessarily.

You only need global scope namespace if trust also needs to extend 
beyond Homenet.

If we're assuming that ULA will be used for on-Homenet communication 
streams (in the event of non-availability of GUA/ ISP uplink), then 
tying local names into the upstream global namespace is not strictly 
necessary.

So IMHO it would be just as acceptable to sign RRs for local names 
related to ULA address space with a locally-generated trust anchor 
(independent of the trust anchors installed on the Internet root servers).

Nodes and new routers would have to learn their local trust-anchor when 
connecting to the Homenet for the first time.

In other words, the local DNSSEC trust anchor identifies a Homenet. Not 
the ULA. Not an arbitrary label.

Otherwise we're going to need a globally-unique time-invariant label to 
identify this Homenet, that is also not based on the actual chosen ULA 
in use, which is not easy to generate.

>
> Ray Hunter (v6ops) <mailto:v6ops@globis.net>
> 14 May 2016 14:51
>
>
> Ted Lemon wrote:
>>
>> If devices publish keys, then you can use those keys to make sure you 
>> are still talking to them. And the dnssec validation of local names 
>> would also work. Graceful renumbering should indeed result in DNS 
>> updates. Bear in mind that this is graceful, so the old and new ULAs 
>> coexist for a while.
>>
>
> Sounds good.
>
> So can we assume
>
> 1) a single ULA namespace for resolving all active ULAs, that will 
> eventually converge to only containing RRs from a single ULA?
>
> 2) And that ULA namespace is disjoint from/completely independent of 
> any GUA namespace?
>
>

-- 
regards,
RayH
<https://www.postbox-inc.com/?utm_source=email&utm_medium=siglink&utm_campaign=reach>
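The scheme Ray sketches above, a Homenet signing RRs for ULA-scoped names with its own locally generated trust anchor rather than the Internet root, can be modelled in a few dozen lines. The following is an added example, not code from the thread or from any Homenet implementation. It assumes Ed25519 as the signing algorithm (a real DNSSEC algorithm, number 15, but chosen here only because it is in the Go standard library), a simplified canonical RRset form (lower-cased owner, sorted records, joined as text) instead of the RFC 4034 wire encoding, and a constructed owner name `printer.home.arpa.` with constructed ULA addresses. The point it demonstrates is the one in the post: validation succeeds or fails depending on which trust anchor a node learned, not on which ULA prefix is currently in the RRset, so the anchor, not the prefix, is what identifies the Homenet.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RR is a minimal resource record model (constructed for this example, not a wire format).
type RR struct {
	Name  string
	Type  string
	TTL   uint32
	RData string
}

// TrustAnchor is the public half of a Homenet's local signing key; nodes learn it on first join.
type TrustAnchor struct {
	Label string // human-readable tag only, never used in validation
	Key   ed25519.PublicKey
}

// Signer holds the private half, which stays on the Homenet's signing router.
type Signer struct {
	priv   ed25519.PrivateKey
	Anchor TrustAnchor
}

// NewHomenetSigner generates a fresh local trust anchor, independent of any Internet root key.
func NewHomenetSigner(label string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv, Anchor: TrustAnchor{Label: label, Key: pub}}, nil
}

// canonicalRRset builds a stable, order-independent representation of one RRset
// (same owner, same type). Simplified stand-in for RFC 4034 canonical form.
func canonicalRRset(rrs []RR) (string, error) {
	if len(rrs) == 0 {
		return "", fmt.Errorf("empty RRset")
	}
	owner := strings.ToLower(rrs[0].Name)
	rtype := rrs[0].Type
	lines := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		if strings.ToLower(rr.Name) != owner || rr.Type != rtype {
			return "", fmt.Errorf("mixed RRset: %s/%s vs %s/%s", rr.Name, rr.Type, owner, rtype)
		}
		lines = append(lines, fmt.Sprintf("%s %d %s %s", owner, rr.TTL, rtype, strings.ToLower(rr.RData)))
	}
	sort.Strings(lines)
	return strings.Join(lines, "\n"), nil
}

// Sign produces the signature a Homenet router would publish alongside the RRset.
func (s *Signer) Sign(rrs []RR) ([]byte, error) {
	msg, err := canonicalRRset(rrs)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(s.priv, []byte(msg)), nil
}

// Validate is what a node does with the anchor it learned when it joined the Homenet.
// Any RRset, whichever ULA it carries, validates only against that anchor.
func Validate(anchor TrustAnchor, rrs []RR, sig []byte) bool {
	msg, err := canonicalRRset(rrs)
	if err != nil || len(anchor.Key) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(anchor.Key, []byte(msg), sig)
}

func main() {
	home, _ := NewHomenetSigner("homenet-A")
	neighbour, _ := NewHomenetSigner("homenet-B")
	// Graceful renumbering: old and new ULA coexist in one AAAA RRset for a while (constructed).
	rrs := []RR{
		{"printer.home.arpa.", "AAAA", 300, "fd00:1::10"},
		{"printer.home.arpa.", "AAAA", 300, "fd00:2::10"},
	}
	sig, _ := home.Sign(rrs)
	fmt.Println("own anchor:      ", Validate(home.Anchor, rrs, sig))      // true
	fmt.Println("neighbour anchor:", Validate(neighbour.Anchor, rrs, sig)) // false
	converged := rrs[1:] // renumbering finished; only the new ULA remains
	fmt.Println("stale signature: ", Validate(home.Anchor, converged, sig)) // false until re-signed
	sig2, _ := home.Sign(converged)
	fmt.Println("re-signed:       ", Validate(home.Anchor, converged, sig2)) // true
}
```

Two of the checks are worth noticing: reordering the records in the RRset does not break validation, because the canonical form sorts them, while changing the set of addresses (the renumbering converging to a single ULA) does, so a renumbering must trigger a re-sign just as Ted describes it triggering a DNS update.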