IETF Logo Mail Archive

Re: [homenet] review of draft-ietf-homenet-redact and draft-ietf-homenet-dot

Ralph Droms <rdroms.ietf@gmail.com> Mon, 13 March 2017 12:11 UTC

Return-Path: <rdroms.ietf@gmail.com>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3EE9712958A for <homenet@ietfa.amsl.com>; Mon, 13 Mar 2017 05:11:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hruzRvCBJMyY for <homenet@ietfa.amsl.com>; Mon, 13 Mar 2017 05:11:16 -0700 (PDT)
Received: from mail-qk0-x232.google.com (mail-qk0-x232.google.com [IPv6:2607:f8b0:400d:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62FD612957C for <homenet@ietf.org>; Mon, 13 Mar 2017 05:11:16 -0700 (PDT)
Received: by mail-qk0-x232.google.com with SMTP id 1so219732523qkl.3 for <homenet@ietf.org>; Mon, 13 Mar 2017 05:11:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=k4JE/j7a4p4Z7F7tTP3rxnaDAEiB0HJxh9WxfeJfz9k=; b=UIjYJoylFxQTBH0vv9HYxHzEMrMLw7MqOWOF0ERFVBkVUf86WBhyBMkF3EATaezoAQ JrjowL+WEo+1D0QKkuS50MCauIIt6Et+Wf7z7mumCDhrXdDW+Tdbgp5rET4Me823wVnV xCr9FNXNB92fMbeRldqM+i0wTO2jPoUj7a3b1aZ7t1C0cn5p0PUt2OjUEjmCb71+6g65 ru2OZRGyQU8b0XjysLVPCHGDlAv2Z0kJqcWATIHx44LL5+2FSCcNMdOGA7s6DVQGgZGg kZUQo+WyzPdbLo2Gt17PZ+e0Ic2sL4Lsv+BexmEGcz7T4+7gABqV/jbrmD2KTuYoOBBo sMPQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=k4JE/j7a4p4Z7F7tTP3rxnaDAEiB0HJxh9WxfeJfz9k=; b=W5fPPcfGjBE4J9hPV8PMUNmr1wpUEyho7QRRbEOMl/iZrEd0O/nSKRZfzRIHop7dO3 D9V88fbXcHB9XeMKXGzahWgpZM+/EZGBidKmTwp5rUnDyWW1s0O6RtEuDIay08a9xE7S WILbGoFunYl94MwA/hvcBDTfSF4MXHQFexOA015Eyi8l4+rg65gpoiNCkzIXvwGNhO1w pjkbdw9K9xI78LSQ7hHAPr9dDkXvRUnuJF5m069Rvp2LgHR1cAZeMRY7cmRRJB8xYdW3 dvBDcBjYX8LRBnA5rKk6MK5yUKQA0QyWlfa0MShwXMsYkRLPwUQnqO9IwGtee1L+Pz8N IFZw==
X-Gm-Message-State: AFeK/H1hKJB7YROZS4ucMPBDrxoVdrKH6uq9dz1QZawoSFzUsmqSFiP5RPbJOV59qQP+sA==
X-Received: by 10.55.9.3 with SMTP id 3mr29047094qkj.199.1489407075485; Mon, 13 Mar 2017 05:11:15 -0700 (PDT)
Received: from ?IPv6:2601:18f:801:600:907f:7393:27af:19ab? ([2601:18f:801:600:907f:7393:27af:19ab]) by smtp.gmail.com with ESMTPSA id t30sm12029985qtt.56.2017.03.13.05.11.14 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 13 Mar 2017 05:11:15 -0700 (PDT)
From: Ralph Droms <rdroms.ietf@gmail.com>
Message-Id: <E6A9DDF9-A430-4FBE-B361-3CDE9B7B34C2@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_0EC73E2A-97BA-4499-AB09-F539C76498E7"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Mon, 13 Mar 2017 08:11:13 -0400
In-Reply-To: <20170312135930.GF13811@mx4.yitter.info>
To: Jari Arkko <jari.arkko@piuha.net>
References: <42ECD4C1-3A87-414C-91D3-8B709A8B3FB5@piuha.net> <20170312135930.GF13811@mx4.yitter.info>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/dxw7p7hvlxiqBU1psrS4wT--NM4>
Cc: HOMENET <homenet@ietf.org>
Subject: Re: [homenet] review of draft-ietf-homenet-redact and draft-ietf-homenet-dot
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Mar 2017 12:11:18 -0000

> On Mar 12, 2017, at 9:59 AM, Andrew Sullivan <ajs@anvilwalrusden.com> wrote:
> 
> Hi,
> 
> On Sun, Mar 12, 2017 at 01:17:28PM +0100, Jari Arkko wrote:
> 
> [...]
>> Also, the insecure delegation in the root zone puts us into a
>> place where we have not been before, process-wise, because
>> this is a special use domain name and a proper TLD at the same
>> time, causing us to run both the ICANN and the IETF process,
> 
> As long as we understand "run the ICANN process" as including "getting
> ICANN to invent such a process", I agree with the above.

I agree with Andrew and think we need to consider this step quite carefully.  This text in the IANA considerations section:

   IANA is requested to set up insecure delegation for '.homenet' in the
   root zone pointing to the AS112 service [RFC7535], to break the
   DNSSEC chain of trust.

does not explain that there is no process through which IANA can set up that delegation.  It may not even be an IANA process.  If this text were to be published in an RFC, I don't think IANA can carry out that instruction today, and I don't think IANA has the authority to negotiate a process through which it can carry out the instruction in the future.

I think this text should be modified in some way, before the document is published, to recognize explicitly that no such process exists today and that such a process is requested as part of the implementation of the published document.

The homenet WG is, I believe, aware of the need for a process for instantiating an insecure delegation as requested in the -dot document.  In my opinion, the implicit request for such a process should be made explicit in some way.

- Ralph

> 
>> If we categorise .homenet as special, I don’t understand
>> why we need an insecure delegation. Software (e.g.,
>> local resolver) would *know* this is a special name
>> and it would never be the case that .homenet suddenly
>> turns into a delegated secure regular domain which needs
>> the chain of trust from the root. What gives?
> 
> Which "local resolver" do you mean?  There could be more than one, and
> it's not only resolvers.  You could do validation without doing
> resolution.  Basically, to get homenet without the provably insecure
> delegation, you need to give up on validation or you have to accept
> that homenet techniques won't work until everything has been upgraded.
> (I suppose that, since we're assuming v6, we might be waiting for that
> anyway ;-) )
> 
> Best regards,
> 
> A
> 
> -- 
> Andrew Sullivan
> ajs@anvilwalrusden.com
> 
> _______________________________________________
> homenet mailing list
> homenet@ietf.org
> https://www.ietf.org/mailman/listinfo/homenet

v2.23.0 | Report a Bug | By Email