Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt
Mark Andrews <marka@isc.org> Mon, 31 July 2017 05:02 UTC
To: homenet@ietf.org
From: Mark Andrews <marka@isc.org>
References: <150127266271.25329.18484770769960144@ietfa.amsl.com>
In-reply-to: Your message of "Fri, 28 Jul 2017 13:11:02 -0700." <150127266271.25329.18484770769960144@ietfa.amsl.com>
Date: Mon, 31 Jul 2017 15:02:06 +1000
Message-Id: <20170731050206.1A431806F1C2@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/fujAKgK6VVJ4_0Gg8IIn5cg5Hu4>
Subject: Re: [homenet] I-D Action: draft-ietf-homenet-dot-10.txt
DNSSEC describes the delegation as "insecure".

Old:

   In addition, it's necessary, for compatibility with DNSSEC
   (Section 6), that an unsigned delegation be present for the name.
   There is an existing process for allocating names under '.arpa'
   [RFC3172].  No such process is available for requesting a similar
   delegation in the root at the request of the IETF, which does not
   administer that zone.  As a result, the use of '.home' is
   deprecated.

New:

   In addition, it's necessary, for compatibility with DNSSEC
   (Section 6), that an insecure delegation be present for the name.
   There is an existing process for allocating names under '.arpa'
   [RFC3172].  No such process is available for requesting a similar
   delegation in the root at the request of the IETF, which does not
   administer that zone.  As a result, the use of '.home' is
   deprecated.

Paragraph 5 doesn't read well and won't match reality once the insecure
delegation of home.arpa is in place.

   5.  No special processing of 'home.arpa.' is required for
       authoritative DNS server implementations.  It is possible that
       an authoritative DNS server might attempt to check the
       authoritative servers for 'home.arpa.' for a delegation beneath
       that name before answering authoritatively for such a delegated
       name.  In such a case, because the name always has only local
       significance there will be no such delegation in the
       'home.arpa.' zone, and so the server would refuse to answer
       authoritatively for such a zone.  A server that implements this
       sort of check MUST be configurable so that either it does not
       do this check for the 'home.arpa.' domain, or it ignores the
       results of the check.

The delegation is INSECURE and SIGNED not UNSIGNED.  The wording here
is *important*.

Old:

   7.  Delegation of 'home.arpa.'

   In order to be fully functional, there must be a delegation of
   'home.arpa.' in the '.arpa.' zone [RFC3172].  This delegation MUST
   NOT be signed, MUST NOT include a DS record, and MUST point to one
   or more black hole servers, for example 'blackhole-1.iana.org.' and
   'blackhole-2.iana.org.'.  The reason that this delegation must not
   be signed is that not signing the delegation breaks the DNSSEC
   chain of trust, which prevents a validating stub resolver from
   rejecting names published under 'home.arpa.' on a homenet name
   server.

New:

   7.  Delegation of 'home.arpa.'

   In order to be fully functional, there must be a delegation of
   'home.arpa.' in the '.arpa.' zone [RFC3172].  This delegation MUST
   be insecure, MUST NOT include a DS record, and MUST point to one or
   more black hole servers, for example 'blackhole-1.iana.org.' and
   'blackhole-2.iana.org.'.  The reason that this delegation must be
   insecure is that it breaks the DNSSEC chain of trust, which
   prevents a validating stub resolver from rejecting names published
   under 'home.arpa.' on a homenet name server.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
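
The distinction the message draws between an "insecure" and an "unsigned" delegation, as an added example that is not part of the original post or of the draft: a simplified model of the classification a validating resolver makes (after RFC 4035, section 5.2). Assumptions: signature validation is reduced to booleans, only NSEC (not NSEC3) is modelled, and the `Referral` class and the sample referrals are constructed for illustration.

```python
# Added illustration (not from the post or the draft): a simplified model of
# how a validating resolver classifies a delegation, after RFC 4035 sec. 5.2.
# Signature checking is reduced to booleans; only NSEC (not NSEC3) is modelled.
from dataclasses import dataclass, field

@dataclass
class Referral:
    child: str                                   # delegated name
    ns: list                                     # NS targets in the referral
    ds: list = field(default_factory=list)       # DS RRset, empty if absent
    ds_sig_ok: bool = False                      # RRSIG(DS) validates under parent key
    nsec_owner: str = ""                         # owner name of the NSEC returned
    nsec_types: frozenset = frozenset()          # NSEC type bitmap
    nsec_sig_ok: bool = False                    # RRSIG(NSEC) validates under parent key

def classify(ref: Referral) -> str:
    """Return 'secure', 'insecure' or 'bogus' for a delegation from a signed parent."""
    if ref.ds:
        return "secure" if ref.ds_sig_ok else "bogus"
    # No DS: absence must be proven by a signed NSEC at the delegation point
    # with NS set and neither DS nor SOA set (SOA would mean the child's apex).
    proves_no_ds = (
        ref.nsec_owner.lower() == ref.child.lower()
        and "NS" in ref.nsec_types
        and not ({"DS", "SOA"} & ref.nsec_types)
    )
    return "insecure" if proves_no_ds and ref.nsec_sig_ok else "bogus"

BLACKHOLES = ["blackhole-1.iana.org.", "blackhole-2.iana.org."]  # names from the draft text

# Constructed sample referrals for 'home.arpa.' as seen from the '.arpa.' zone.
INSECURE = Referral("home.arpa.", BLACKHOLES, nsec_owner="home.arpa.",
                    nsec_types=frozenset({"NS", "RRSIG", "NSEC"}), nsec_sig_ok=True)
NO_PROOF = Referral("home.arpa.", BLACKHOLES)            # NS only, nothing signed
WITH_DS = Referral("home.arpa.", BLACKHOLES, ds=["<constructed DS>"], ds_sig_ok=True)

if __name__ == "__main__":
    for label, ref in [("signed proof of no DS", INSECURE),
                       ("no DS and no signed proof", NO_PROOF),
                       ("DS present", WITH_DS)]:
        print(f"{label:28} -> {classify(ref)}")
```

Only the first referral, where the parent signs the proof that no DS exists, is classified as insecure; a referral with no signed proof at all is classified as bogus in this model.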