[homenet] Paul Wouters' Discuss on draft-ietf-homenet-naming-architecture-dhc-options-21: (with DISCUSS)

Paul Wouters via Datatracker <noreply@ietf.org> Thu, 20 October 2022 05:57 UTC

From: Paul Wouters via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-homenet-naming-architecture-dhc-options@ietf.org, homenet-chairs@ietf.org, homenet@ietf.org, stephen.farrell@cs.tcd.ie, stephen.farrell@cs.tcd.ie
Reply-To: Paul Wouters <paul.wouters@aiven.io>
Message-ID: <166624546383.55524.17919861797763262507@ietfa.amsl.com>
Date: Wed, 19 Oct 2022 22:57:43 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/qei_qEgC_S7vYcim0-EKDvNz9ZI>
Subject: [homenet] Paul Wouters' Discuss on draft-ietf-homenet-naming-architecture-dhc-options-21: (with DISCUSS)

Paul Wouters has entered the following ballot position for
draft-ietf-homenet-naming-architecture-dhc-options-21: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ 
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-homenet-naming-architecture-dhc-options/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

This might be my misunderstanding of homenet, so hopefully easy to resolve.

The HNA (hidden primary?) to DM (primary) DNS communication using DNS Update
needs some kind of authentication, TSIG or SIG0? While TLS gives you privacy,
the DNS Update cannot be done with only TLS (as far as I understand it). I
don't see any DHCP options to relay authentication information for automatic
deployment? So I don't understand how this would startup and be able to setup a
secure DNS update channel?

There was also talk about using ACME for TLS certificates, but wouldn't that
require that the HNA already has a provisioned and working homenet domain?
(Possibly more a question for the other draft, but just adding it here in case
the hidden primary to primary is an "almost DNS Update" protocol that uses TLS
instead of TSIG/SIG0.)
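As an added illustration of the authentication point raised above (this is not code from the ballot, the draft, or any DNS implementation): a DNS UPDATE (RFC 2136) signed with TSIG (RFC 8945) by the sending side and verified by the receiving side, in stdlib Python. The zone `example.`, the key name `hna-key.example.`, the record and the shared secret are all constructed for the demo. What the example makes concrete is that the key name and secret must already exist on both the HNA and the DM before the first update can be accepted; that is the provisioning step the DISCUSS asks about.

```python
"""DNS UPDATE (RFC 2136) signed and verified with TSIG (RFC 8945), pure stdlib.
Added illustration, not code from the draft or any DNS server; the zone,
key name and shared secret are constructed for the demo."""
import hashlib
import hmac
import ipaddress
import struct
import time

TYPE_SOA, TYPE_AAAA, TYPE_TSIG = 6, 28, 250
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_UPDATE = 5
ALG = "hmac-sha256."

def encode_name(name):
    """Uncompressed wire form, lowercased (TSIG names compare case-insensitively)."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Return (name, offset past it). Uncompressed names only, which is all this file emits."""
    labels = []
    while msg[off]:
        if msg[off] & 0xC0:
            raise ValueError("compressed name not handled")
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    return ".".join(labels) + ".", off + 1

def build_update(zone, name, ttl, addr, msg_id):
    """UPDATE adding one AAAA record: header, zone section, one update RR (no prerequisites)."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_sec = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = ipaddress.IPv6Address(addr).packed
    rr = encode_name(name) + struct.pack("!HHIH", TYPE_AAAA, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_sec + rr

def _tsig_vars(key_name, time_signed, fudge):
    """Fields the MAC covers besides the message (RFC 8945 4.3.3)."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALG)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, 0, 0))

def tsig_sign(msg, key_name, secret, fudge=300, now=None):
    """Append a TSIG RR to the additional section; the MAC binds the whole message to the key."""
    now = int(time.time()) if now is None else now
    mac = hmac.new(secret, msg + _tsig_vars(key_name, now, fudge), hashlib.sha256).digest()
    rdata = (encode_name(ALG) + now.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + msg[0:2] + struct.pack("!HH", 0, 0))   # original ID, error, other len
    rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + rr

def tsig_verify(signed, keys, now=None):
    """Primary-side check (RFC 8945 5.2); keys maps key name to secret. Returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    if ar == 0:
        return False, "no TSIG"
    off = 12
    for _ in range(qd):                               # zone entries: name, type, class
        off = decode_name(signed, off)[1] + 4
    for _ in range(an + ns + ar - 1):                 # every RR but the last, which must be the TSIG
        off = decode_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    key_name, off = decode_name(signed, off)
    rtype, rclass = struct.unpack("!HH", signed[off:off + 4])
    if rtype != TYPE_TSIG or rclass != CLASS_ANY:
        return False, "last RR is not TSIG"
    alg, off = decode_name(signed, off + 10)          # skip type, class, TTL, RDLENGTH
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, mac_len = struct.unpack("!HH", signed[off + 6:off + 10])
    mac = signed[off + 10:off + 10 + mac_len]
    orig_id = signed[off + 10 + mac_len:off + 12 + mac_len]
    if key_name not in keys or alg != ALG:
        return False, "unknown key or algorithm"      # BADKEY
    # Rebuild what the signer MAC'd: original ID, ARCOUNT without the TSIG RR, body up to the TSIG RR.
    unsigned = orig_id + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    expect = hmac.new(keys[key_name], unsigned + _tsig_vars(key_name, time_signed, fudge),
                      hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expect):
        return False, "bad signature"                 # BADSIG
    if abs(now - time_signed) > fudge:
        return False, "outside fudge window"          # BADTIME
    return True, "ok"

def demo(now=1_700_000_000):
    """HNA signs one UPDATE; the DM accepts it, then rejects three variants."""
    secret = b"constructed demo secret, not a real key"   # must exist on both sides first
    keys = {"hna-key.example.": secret}
    msg = build_update("example.", "printer.example.", 300, "2001:db8::1", msg_id=0x1234)
    signed = tsig_sign(msg, "hna-key.example.", secret, now=now)
    tampered = bytearray(signed)
    tampered[len(msg) - 1] ^= 0x01                     # flip a bit in the AAAA rdata
    return (tsig_verify(signed, keys, now=now),
            tsig_verify(bytes(tampered), keys, now=now),
            tsig_verify(signed, {}, now=now),          # DM has no key for this HNA
            tsig_verify(signed, keys, now=now + 3600)) # replayed an hour later
```

`demo()` returns the four verification results in order: accepted, rejected for a modified record, rejected because the DM has no key under that name, and rejected because the timestamp falls outside the fudge window. The authorization decision is the dictionary lookup in `tsig_verify`: a TLS session around the same bytes would hide them from an observer but gives the DM nothing to look up unless the client is also authenticated at the TLS layer, which is why the key material (or an equivalent credential) has to be provisioned somehow before the first update.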