Re: [homenet] Updating DNS [was: How many people have installed the homenet code?]

Ted Lemon <> Mon, 25 April 2016 02:40 UTC

From: Ted Lemon <>
Date: Sun, 24 Apr 2016 22:39:27 -0400
Message-ID: <>
To: Juliusz Chroboczek <>
Cc:, Markus Stenberg <>
Subject: Re: [homenet] Updating DNS [was: How many people have installed the homenet code?]

On Sun, Apr 24, 2016 at 12:29 PM, Juliusz Chroboczek <> wrote:

> > Juliusz, the problem is that existing home network devices that do
> > DNS-based service discovery do not support DNS update. They could, but
> > they don't, because we didn't define an easy way for them to do it.
> I'd be grateful if you could expand on that.  Why can't we define a way
> for clients to do DDNS?

We can and should.   The problem is that we won't see that code ship in new
devices anytime soon, so we still have to make mDNS work.

> > Just 2136 isn't enough, because there's no authentication scheme,
> I don't understand this argument.  How is non-secured DDNS any less secure
> than mDNS?  What am I missing?

This is an implementation issue, not a security issue--sorry for not making
that clear.   In order to preserve the same security characteristics that
mDNS has, we have to ensure that the update actually originated on the
local link, which requires a different sort of listener than is present in
a typical DNS server.   And existing DNS servers typically don't have any
way to support unauthenticated updates on a first-come, first-served basis,
so if you allow unauthenticated updates, you don't have any way to avoid
collisions.   Otherwise you are correct.   The answer is to write a
document that describes how to do that, and if you read the homenet naming
arch document, you can see that I actually sketched out a solution there,
which I expect to go in a different document, likely in a different working

> Oh, sure, we Poles are not quite as pessimistic as the Finns.  I'm
> actually of a divided mind here -- I rather like distributed solutions
> (hence prefer mDNS to DDNS) but dislike proxying.  Part of me just wishes
> we'd mandate site-local multicast and do mDNS over that

The problem with site-local multicast for mDNS is that multicast isn't a
great solution even on the local wire when that wire is wireless. And,
you have to modify the client anyway.

Furthermore, if you consider the mDNS hybrid proxy stateless, then you can
have a DNS server that is roughly that stateless too.   I think it provides
better service continuity if you are willing to retain some state, but
everything will still work even if you don't, just as the hybrid proxy does.
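As an added illustration of the listener Ted describes (this is not code from the thread or from any homenet implementation), a toy first-come, first-served DNS update listener in Python: it accepts an unauthenticated update only when the packet's source address is link-local or inside a configured on-link prefix, and it lets a name be written only by the host that first claimed it. The names, prefixes and addresses are constructed, and the status strings are the toy's own, not RFC 2136 RCODEs.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Update:
    """One unauthenticated dynamic update as seen by the listener (constructed)."""
    src: str     # source address of the packet carrying the update
    name: str    # owner name being registered, e.g. printer.home.arpa
    rrtype: str
    rdata: str


@dataclass
class FcfsUpdateListener:
    """Listener that mimics mDNS's trust model: on-link only, first claim wins."""
    link_prefixes: list                          # prefixes known to be on this link
    claims: dict = field(default_factory=dict)   # name -> source address that owns it
    zone: dict = field(default_factory=dict)     # name -> set of (rrtype, rdata)

    def on_link(self, src: str) -> bool:
        # Link-local sources are on-link by construction; anything else must fall
        # inside a prefix the router itself assigned to this link.
        addr = ipaddress.ip_address(src)
        if addr.is_link_local:
            return True
        return any(addr in ipaddress.ip_network(p) for p in self.link_prefixes)

    def handle(self, upd: Update) -> str:
        if not self.on_link(upd.src):
            return "REFUSED_OFFLINK"        # same scope restriction mDNS gets for free
        owner = self.claims.get(upd.name)
        if owner is None:
            self.claims[upd.name] = upd.src  # first come, first served
        elif owner != upd.src:
            return "REFUSED_COLLISION"      # a different host already holds the name
        self.zone.setdefault(upd.name, set()).add((upd.rrtype, upd.rdata))
        return "NOERROR"

    def release(self, name: str, src: str) -> bool:
        # Only the owner may free a name; returns False if someone else tries.
        if self.claims.get(name) != src:
            return False
        del self.claims[name]
        self.zone.pop(name, None)
        return True
```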