IETF Logo Mail Archive

Re: [homenet] review of draft-ietf-homenet-redact and draft-ietf-homenet-dot

Ted Lemon <mellon@fugue.com> Sun, 12 March 2017 12:41 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C12B41204D9 for <homenet@ietfa.amsl.com>; Sun, 12 Mar 2017 05:41:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bpw25s1fL66e for <homenet@ietfa.amsl.com>; Sun, 12 Mar 2017 05:41:43 -0700 (PDT)
Received: from mail-qt0-x232.google.com (mail-qt0-x232.google.com [IPv6:2607:f8b0:400d:c0d::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC70112944A for <homenet@ietf.org>; Sun, 12 Mar 2017 05:41:41 -0700 (PDT)
Received: by mail-qt0-x232.google.com with SMTP id i34so16284218qtc.0 for <homenet@ietf.org>; Sun, 12 Mar 2017 05:41:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=E1apS8VuNYKwD3cehTse6wgnWHV4HyyXbCE3IlWRHv4=; b=iZIe0lJVUJ+EP9nXFP8XLT+CqWe4hYfM4lyWlR0Y6+o2mW7Vb9T+UvSdu+wVb6uBf2 uDT5728wQ8GUPAl+KiZiFRqwDAn1Jxfa3YerK2fSIKbW7nKAegr2W4JNMl7ef62RFO4K 3Okf/Q8bM+uN/I53AN4UL/bgZlwgQ6vKyg64TmaKUlsNPjBa0bAJll9WkPw2IXTtbeDX o8pElY0N2WNR5pPWl0rakXSyucBL3GrCquWHPUosxwRCYs7b507Y9J8oYhOWB8sNUIoA 2Lm6z+jlFxO58DyH91GdsJYKUOLFDzQ+gc4fl9NP1KTaG94J1g47maK5RM9bxhWOyNy3 NUFA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=E1apS8VuNYKwD3cehTse6wgnWHV4HyyXbCE3IlWRHv4=; b=EE5CwgiINz9sGWY7PEw7s5qqp3tuAI+5BGrf0Er53sH1Wz1Xi1xN+IAhrOrdBL2BOg 5Ke30/o3JeZmkVflJ3unHjNvDgoYV90EbdUYIGmYpuVpn2H3y6XzKuMnuuyZKvqNHIbV gkHXN+7ZiYguSqcPaZDTLhmlZZY3HlpuDtCx1nRw+QwaerUy1ZbJ534z46CFZy7UbldO hnRKvN23tSoBSQHO/lqPaob8yip5Sw/zzt6HCVaK3tNQEcf2Ux2UDcd1UVbIPJJB7DYS Yq0EhjxsbioJgcPPL7VNARmSeVvsp4OtZCT+msVfaRvSVGSh9zo/EqsjGv95rc0P2V+R Xukw==
X-Gm-Message-State: AMke39kLCXksZYhR+G9gHr+VorY5fjEKQn6g4w3Etv4dVGmAbR1WedOfb7UmqWn17CDS8g==
X-Received: by 10.237.32.34 with SMTP id 31mr27909878qta.174.1489322500946; Sun, 12 Mar 2017 05:41:40 -0700 (PDT)
Received: from [10.0.30.228] (c-73-167-64-188.hsd1.ma.comcast.net. [73.167.64.188]) by smtp.gmail.com with ESMTPSA id t43sm10138247qtc.64.2017.03.12.05.41.39 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 12 Mar 2017 05:41:40 -0700 (PDT)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <43E15F33-EFE4-4690-88FD-76977C930055@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_5D4AAE1D-2465-440F-8097-C1C9DE1C39C0"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Sun, 12 Mar 2017 08:41:38 -0400
In-Reply-To: <42ECD4C1-3A87-414C-91D3-8B709A8B3FB5@piuha.net>
To: Jari Arkko <jari.arkko@piuha.net>
References: <42ECD4C1-3A87-414C-91D3-8B709A8B3FB5@piuha.net>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/fkcMvZC7M-VLPF19i0ixi71nMw8>
Cc: homenet@ietf.org
Subject: Re: [homenet] review of draft-ietf-homenet-redact and draft-ietf-homenet-dot
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Mar 2017 12:41:45 -0000

On Mar 12, 2017, at 8:17 AM, Jari Arkko <jari.arkko@piuha.net> wrote:
> I would like to add that the issue is not just a process issue;
> the questions one would have to answer (like how other
> entities in the Internet should deal with the newly allocated
> name) went unanswered. Maybe:

While this is true, it is not why we are doing the redact.   We actually do the enumeration in homenet-dot.   I think changing the text would confuse the issue by leading the reader to believe something that isn't true.   Am I missing something?

> However, there are first of all some unclear
> details, but more importantly, I fear that the class of
> name being requested is wrong. I say this with the
> understanding that I’m not an DNS expert, but despite
> efforts I have failed to understand the logic, and I can
> see some issues in doing it the way that you’re crafting
> the request.

You use the word type later on, not class, so my initial reaction to this text was wrong.   To be clear, I assume you are not proposing that we use a different CLASS value.

> I’m not clear how to implement this MUST NOT. Is there
> a requirement here that any recursive resolver either
> knows about the logical boundaries of a home network,
> or does not forward .homenet queries?

This is addressed in points 4 and 5 of section 3.   Your objection to the normative language in section 2 makes sense, though.

> This is fine, but that should probably be ‘… any assumption
> about the security properties based on the use of this special
> name.’ (It is not clear to me that there’d be additional security
> level, could also be reduced security, e.g., if DNSSEC was not
> locally available.)

That makes sense.

> If we categorise .homenet as special, I don’t understand
> why we need an insecure delegation. Software (e.g.,
> local resolver) would *know* this is a special name
> and it would never be the case that .homenet suddenly
> turns into a delegated secure regular domain which needs
> the chain of trust from the root. What gives?

A validating stub will treat an un-signed RR in the zone as bogus if there is no un-signed delegation, because the absence of an un-signed delegation constitutes a secure denial of existence.   The working group is well aware of the process issue—we've discussed it at length.   We know that it's terra incognita, and may not go our way, but we want to try.   Given that we're in last call, I suppose perhaps you are saying that you as a participant wish to see the consensus change; I would prefer not to have that discussion again.   Is this what you are proposing, or are you just pointing this out in case the working group missed it?

>   To
>   prevent this from happening, it may be useful for the resolver to
>   identify different home networks on which it has resolved names, but
>   this is out of scope for this document.
> 
> Even if this is outside the scope, it is not clear to me how this is
> doable, given existing APIs.

You can establish a process for establishing a trust anchor for any given homenet using trust-on-first-use of that zone's KSK.   When you encounter a zone signed with a different KSK, this is by definition not the same zone, but is not treated as invalid: instead, you can cache multiple trust anchors (or be configured to treat other homenets as untrusted, or as invalid).   This requires modifications to the stub resolver, obviously.   There may be other issues with this solution as well, which is why it's out of scope for the current discussion, but you asked.   :)

v2.23.0 | Report a Bug | By Email