Re: [homenet] New version draft-mglt-homenet-naming-architecture-dhc-options-02.txt

[Michael Richardson <mcr+ietf@sandelman.ca>]

Juliusz Chroboczek <jch@pps.univ-paris-diderot.fr> wrote:
    > I've got a device that wants to be advertised in the global DNS (a web

Let's call this device "FredBaby" (with allusions to Breakfast at Tiffanys,
which I was reading on the weekend)

    > server is the obvious example, but it doesn't matter).  Your draft
    > suggests (I think) that the device should speak to the CPE which will
    > take care of the interaction with the public DNS (arrow 6 in Figure 1 is
    > missing, by the way).  I'd like to understand why the device needs to go
    > through the middleman rather than speaking directly to the authoritative
    > DNS server.

The reason why FredBaby device MAY speak to the CPE as the middleman is
because:
    1) in the homenet we can automate the discovery of CPE / FredBaby,
       and probably bootstrap a secure relationship between them.
    2) the CPE may be managing multiple zones in multiple different ways.
       For instance, dyndns update to the ISP, dyndns to the DNS provider,
       stealth primary for the zone, public primary for the zone.
    3) we may be able to bootstrap the secure relationship between the
       CPE device some of the forward zones with the ISP, and definitely
       will do that for the reverse zone with the ISP.  FredBaby will have
       no relationship with the ISP(s).
    4) the CPE will know about all the other devices that want their name
       managed, such as Rusty, Yunioshi, Sally.  In particular the CPE
       will also know about brother-FredBaby, the device which you are
       replacing, but haven't yet turned off.  You'll therefore be able
       to see all the various attempts to publish in one place and
       decide who gets priority, and which devices ("Sally" the Tomato),
       you weren't supposed to publish your relationship with.


    > My family was poor but honest, Daniel, and NATed addresses were all we
    > could afford.  Notwithstanding our difficult conditions, my parents took
    > a lot of care to bring me up to believe that end-to-end is always better

LUXURY! <Queue Monty Python sketch>

    >>     - CPE presents a centralized point for end user interactions

    > I'm not convinced about that, the authoritative DNS master seems like the
    > natural place for end-user interactions.  (Note that this does not
    > prevent
    > the CPE's web interface from implementing some sort of proxy to the DNS
    > master's interface.)

I'm not sure I understand where the authoritative DNS master is.
I don't think that Daniel is demanding the CPE be the only possible answer,
and perhaps within HNCP we should be passing around the address of the
homenet authoritative DNS master, as if there are multiple CPE they might
need to argue about it too.

    >>     - CPE can integrate multiple protocols to publish a zone. Suppose
    >> mDNS is
    >> used by a node, than registration of its IP address and name cannot be
    >> perfomed on a public authoritative server cannot be performed using mDNS.

    > I strongly disagree.  I don't want mDNS->DNS proxying.  Registering in
    > the
    > global DNS is something that should be under user control, while mDNS
    > is something that happens automatically (for better or worse).

I think that this is the reason why we want it proxied; so that we have a
filter.   That's why FredBaby shouldn't talk to some out-of-home DNS master
directly.  I think that populating DNS from mDNS could well be turned off
by default, and enabled in a UI on a per name basis.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-