Re: [homenet] Eric Rescorla's Discuss on draft-ietf-homenet-dot-13: (with DISCUSS)

Mark Andrews <marka@isc.org> Fri, 01 September 2017 02:39 UTC

To: Eric Rescorla <ekr@rtfm.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-homenet-dot@ietf.org, homenet-chairs@ietf.org, homenet@ietf.org, ray@bellis.me.uk
From: Mark Andrews <marka@isc.org>
References: <150413520708.16860.14531912464478386147.idtracker@ietfa.amsl.com>
In-reply-to: Your message of "Wed, 30 Aug 2017 16:20:07 -0700." <150413520708.16860.14531912464478386147.idtracker@ietfa.amsl.com>
Date: Fri, 01 Sep 2017 12:39:08 +1000
Message-Id: <20170901023908.E7C0F83ED0E3@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/iPzIy_RRErcLY6RYCUJOFVvpj2E>
Subject: Re: [homenet] Eric Rescorla's Discuss on draft-ietf-homenet-dot-13: (with DISCUSS)

In message <150413520708.16860.14531912464478386147.idtracker@ietfa.amsl.com>, 
Eric Rescorla writes:
> Eric Rescorla has entered the following ballot position for
> draft-ietf-homenet-dot-13: Discuss
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-homenet-dot/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
>        A.  Recursive resolvers at sites using 'home.arpa.'  MUST
>            transparently support DNSSEC queries: queries for DNSSEC
>            records and queries with the DO bit set ([RFC4035] section
>            3.2.1).  While validation is not required, it is strongly
>            encouraged: a caching recursive resolver that does not
>            validate answers that can be validated may cache invalid
>            data.  This in turn will prevent validating stub resolvers
>            from successfully validating answers.
> 
> I don't understand the rationale for this requirement. As I understand it
> from this document, stuff ending in home.arpa cannot be DNSSEC validated,
> so what business is it of this document to levy the requirement on
> sites which support home.arpa that they do anything with DNSSEC at all?

Wrong, the responses can be validated.  The output of the validation
step is one of secure, insecure, or bogus.  With the exception of
home.arpa/DS, and without private trust anchors being installed, the
output of that validation should be insecure for all answers from
home.arpa.  home.arpa/DS should validate as secure NODATA.

In particular, validation of the home.arpa/DS is important as it
prevents the cache being poisoned with answers which prevent the
stub from proving that home.arpa is supposed to exist and that it
doesn't have a chain of trust from the root.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
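To make the home.arpa/DS point above concrete, here is an added example (not code from this thread or from any resolver) using only the Python standard library: it builds constructed DNS wire-format responses to a home.arpa/DS query and classifies what a validating stub would conclude from each. "secure-nodata" is the outcome described above (NOERROR, empty answer, AD bit, signed NSEC/NSEC3 denial in the authority section); the other outcomes are what a non-validating cache could hand back. Record contents are placeholder bytes, since only header flags, RCODE and RR types are inspected.

```python
import struct

# DNS constants (RFC 1035 / RFC 4034 / RFC 5155 values)
NOERROR, NXDOMAIN = 0, 3
TYPE_SOA, TYPE_DS, TYPE_RRSIG, TYPE_NSEC, TYPE_NSEC3 = 6, 43, 46, 47, 50
FLAG_QR, FLAG_AD = 0x8000, 0x0020

def encode_name(name):
    """Uncompressed wire form of a dotted name."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def skip_name(wire, pos):
    """Offset just past the name at pos; a compression pointer ends the name."""
    while wire[pos] != 0 and wire[pos] & 0xC0 != 0xC0:
        pos += 1 + wire[pos]
    return pos + (2 if wire[pos] & 0xC0 == 0xC0 else 1)

def build_response(qname, qtype, rcode, flags, answer, authority):
    """Constructed reply (not real resolver output); RRs are (owner, type, rdata)."""
    hdr = struct.pack("!HHHHHH", 0x1234, FLAG_QR | flags | rcode,
                      1, len(answer), len(authority), 0)
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, rdata in answer + authority:
        body += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return hdr + body

def classify_ds_response(wire):
    """What a validating stub can conclude from a reply to home.arpa/DS."""
    _, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", wire[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(wire, pos) + 4            # skip QTYPE + QCLASS
    rr_types = []
    for _ in range(an + ns):                      # answer then authority RRs
        pos = skip_name(wire, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", wire[pos:pos + 10])
        rr_types.append(rtype)
        pos += 10 + rdlen
    if flags & 0x000F == NXDOMAIN:
        # Denies that home.arpa exists at all: the stub can no longer prove
        # the insecure delegation, so this must not be accepted as-is.
        return "denies-existence"
    if an:
        return "unexpected-ds"   # a DS RRset would claim a chain of trust from the root
    authority_types = set(rr_types)               # only authority RRs remain when an == 0
    signed_denial = (authority_types & {TYPE_NSEC, TYPE_NSEC3}) and TYPE_RRSIG in authority_types
    return "secure-nodata" if flags & FLAG_AD and signed_denial else "unvalidated-nodata"

# Constructed sample replies: the expected secure NODATA, and a poisoned NXDOMAIN
SECURE_NODATA = build_response("home.arpa", TYPE_DS, NOERROR, FLAG_AD, [],
    [("arpa", TYPE_SOA, b"\x00"), ("home.arpa", TYPE_NSEC, b"\x00"), ("home.arpa", TYPE_RRSIG, b"\x00")])
POISONED_NXDOMAIN = build_response("home.arpa", TYPE_DS, NXDOMAIN, 0, [], [("arpa", TYPE_SOA, b"\x00")])
```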