IETF Logo Mail Archive

Re: [homenet] [DNSOP] WGLC on "redact" and "homenet-dot"

Ted Lemon <mellon@fugue.com> Thu, 15 December 2016 20:11 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5133129E42 for <homenet@ietfa.amsl.com>; Thu, 15 Dec 2016 12:11:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K7UnPUhRuq3p for <homenet@ietfa.amsl.com>; Thu, 15 Dec 2016 12:11:29 -0800 (PST)
Received: from mail-qk0-x233.google.com (mail-qk0-x233.google.com [IPv6:2607:f8b0:400d:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2135129C60 for <homenet@ietf.org>; Thu, 15 Dec 2016 12:11:23 -0800 (PST)
Received: by mail-qk0-x233.google.com with SMTP id n21so69181705qka.3 for <homenet@ietf.org>; Thu, 15 Dec 2016 12:11:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=khlUGIKxv6meEzSewyeKneWaGNoa2rzCucNsMq8eQ1c=; b=L1usRR1ASS0xELobDgoRCPfMJR+3mWuaLUHQeMRjxQRo5SXtTOUHLDOqeo/u8RNFA4 iASZr00PuYkaRqIziSJbESbPMdEyzrdGMAFwaGT48l6d3dkwdd0GvYhOXTiqmdEK2nCl 5an97eciQfUWbHtTLcBO2og9V9Ydws4DTeBL0UEtGVlbUa/0EZYj/3h+3ubx6BexzUfu 1K7RVZyOWmy2SHey0E/tk2wTSKqh307Ny67iS0oiq2dm3iOPt+DQ/aVwPGErex3osmMI /K2sg6GWoLfqAz958ZDnxKw+2AN3cM/xWhVE2mPIt6T8wpainQiUqEVPp+7WBmRBNBcE qmHg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=khlUGIKxv6meEzSewyeKneWaGNoa2rzCucNsMq8eQ1c=; b=dntWLoi4Kqxz+yUVD+A05szUz63C7dkLYT9GtSvNVoxfgIVXApyBYDE5MNafsTFfXi ixsP7ZfejExHg5NmocawYhesDdxf0J85s+kd9AMPao2pzXBoPBwaUvJ1XN0mhrt4ouoM yNIwJP9P925u5mabvnRlNb30f5flzbiyhm5O1R5Uhoe9EAQFhY5rO//Tt3mjr4d4RWXt fUK43jtkZGpR0SyV3TfkKs+m2JjnHShiOU4Vtr5z15LTTYkObYeMonpdcxjgGsG0PGU7 1rVW+dN8hX/emDvPMVFcvgcQ/X0ecbNgNHXMBK88xB2i/tBfqpHL4w2VCbdzyGQfdE0F FNqQ==
X-Gm-Message-State: AIkVDXJv28LWdzXubs0gOzaL5qgI2accq0PF1CEHBbeHjTGLOe1tOwe2xRBef/MMRx1GFA==
X-Received: by 10.55.110.69 with SMTP id j66mr2462878qkc.92.1481832682827; Thu, 15 Dec 2016 12:11:22 -0800 (PST)
Received: from [192.168.1.229] (c-73-167-64-188.hsd1.nh.comcast.net. [73.167.64.188]) by smtp.gmail.com with ESMTPSA id h47sm1905885qtc.27.2016.12.15.12.11.21 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 15 Dec 2016 12:11:21 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.1 \(3251\))
From: Ted Lemon <mellon@fugue.com>
In-Reply-To: <313759CF-B72F-401D-BA26-79C214C30686@shinkuro.com>
Date: Thu, 15 Dec 2016 15:11:20 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <8D7E8E5C-EC8E-46E9-9C07-947D7A7F69E3@fugue.com>
References: <4ab2a538-603e-4e7a-3be9-ad75ed459006@bellis.me.uk> <B192A1B3-03FF-43D1-AD30-12BBA2D65DF0@gmail.com> <9fe0e34d-51e9-bdf3-a650-d8b3681f1cd8@bellis.me.uk> <CAPt1N1=Z2xERw68-=iFGgYYnEO3eDW-8tvhmTmaf4+vU-24grQ@mail.gmail.com> <C059877D829F76429F49E0B48705D888F7FD2C7B@EXCH-01.CORP.CIRA.CA> <4A870505-070B-4065-B360-5A98485E4CEB@fugue.com> <313759CF-B72F-401D-BA26-79C214C30686@shinkuro.com>
To: Steve Crocker <steve@shinkuro.com>
X-Mailer: Apple Mail (2.3251)
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/tcsQrZRPuy_JUjjyPOMyt_EGuYk>
Cc: HOMENET <homenet@ietf.org>, Jacques Latour <jacques.latour@cira.ca>, "dnsop@ietf.org WG" <dnsop@ietf.org>
Subject: Re: [homenet] [DNSOP] WGLC on "redact" and "homenet-dot"
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Dec 2016 20:11:31 -0000

On Dec 15, 2016, at 2:23 PM, Steve Crocker <steve@shinkuro.com> wrote:
> I don’t understand what is meant by an “unsecured delegation.”  I also don’t understand what sort of delegation you want, irrespective of whether DNSSEC is involved.

There would be a delegation for .homenet in the secure root, which would point at the AS112 servers, and would have no DS records.

> I think there are two very big hurdles implicit in “I think we should ask ICANN to set up …”  One is the technical hurdle of whether this is a sensible thing technically with respect to the security and stability of the Internet.  It will take a fairly long time and a lot of analysis for ICANN to get comfortable with such a result, and I would not count on a positive outcome.

Yup, understood.

> That’s the first hurdle.  The second hurtle may be even harder.  The only existing procedures for adding new delegations to the root are for:
> 
> o New ccTLDs, i.e. when new countries are created and get two letter codes from the ISO 3166 Maintenance Agency;
> 
> o New IDN ccTLDs via the Fast Track; and
> 
> o New gTLDs through the gTLD process.
> 
> The first two would not apply.  The window for the third was closed a while ago and we are studying when and how to reopen the window.  The process is geared toward prospective operators of registries.  A substantial fee is required, and an even more substantial investment in registry operation is required.

It would not make sense to follow any of these processes.   This is a technical allocation under the terms of the MoU, and we don’t actually know how to do those.   It would, in my view, be extremely weird for ICANN to charge IETF for doing one of these, based on my reading of the MoU, but at the same time ICANN is responsible for operating the zone, so it’s entirely reasonable for ICANN to say "no, we won’t do that," and then the IETF would have to decide that that meant in terms of the MoU.   I would hope that ICANN would not do this, and I think the MoU seems to indicate that they have agreed not to, but it’s uncharted territory, and I think there would have to be a fourth process for this, which is separate from the three you described above.

> I suspect what’s intended here is something qualitatively different, e.g. some sort of entry in the root that returns a fixed result, not a pointer to name servers.

No, just a delegation to AS112 with no DS record would do the job, unless I am missing something.   I will admit to not being an expert on DNSSEC arcana, so that’s entirely possible.

>  Aside from the technical questions I mentioned above, we would also have to sort out the policy questions, e.g. what are the rules for accepting such requests, what happens if there are competing requests, and perhaps others that aren’t occurring to me as I write this.

Yes.   It’s a big can of worms.   We won’t know precisely what’s in it unless we open it.

>>   In order for names under .homenet to be validated by DNSSEC, it would be necessary for the validating resolver to have a trust anchor for any homenet on which it wants to do validation, and a means of differentiating between home nets so that it doesn’t use the wrong key to validate.
> 
> Yes, but the way the sentence is written suggests this would difficult or odd.  In a homenet environment, if you have a local name server responding to requests as an authority, it can sign those requests as the authority.  The requesting resolver will have to have the public key associated with the authority.  This is a configuration matter.  When the requesting resolver is told which resolver on the edge of the homenet is authoritative for the homenet environment, it should also learn that resolver’s public key.  This seems like a DHCP issue.

I don’t think DHCP is the right answer, but the bottom line is that this isn’t really the issue that we need to figure out right now.   Just bear in mind that a validating stub resolver needs to not invalidate answers that are returned within .homenet.

>>   But that’s out of scope for this discussion: the point of this discussion is simply to figure out whether we want to do the hard thing or the easy thing: .homenet or home.arpa.
> 
> I don’t see a difference between .homenet or home.arpa in this regard.

If the working group chose to use home.arpa, we would not need to open the aforementioned can of worms.

v2.23.0 | Report a Bug | By Email