Re: [homenet] securing zone transfer
"Ray Hunter (v6ops)" <v6ops@globis.net> Thu, 13 June 2019 12:32 UTC
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: Juliusz Chroboczek <jch@irif.fr>, homenet <homenet@ietf.org>
References: <CADZyTkkgd8f49V+yoZvPZXx3b-_YRzpgUY1-obroq9QMLnFWNw@mail.gmail.com> <878su8fj24.wl-jch@irif.fr> <2348.1560261275@localhost> <87ftofwqut.wl-jch@irif.fr> <27503.1560302791@localhost> <87ef3zwoew.wl-jch@irif.fr> <4109.1560349340@localhost> <87ftoecq5g.wl-jch@irif.fr> <21639.1560389132@localhost>
From: "Ray Hunter (v6ops)" <v6ops@globis.net>
Message-ID: <44b03210-7b3c-f240-6f2b-ac754197dad0@globis.net>
Date: Thu, 13 Jun 2019 14:32:16 +0200
In-Reply-To: <21639.1560389132@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/vL_OZ5bmuDRYqoQH3I-ALCARoGg>
Michael Richardson wrote on 13/06/2019 03:25:
> Juliusz Chroboczek <jch@irif.fr> wrote:
> > Are you assuming here there's a central Homenet controller that presents
> > a web interface where the "house owner" can choose which names get
> > published?
>
> No, we are assuming that there are one or more homenet routers that either
> come with a delegated domain from the manufacturer (probably a very ugly
> one), or which that CPE's ISP will delegate via DHCPv6. (or both)
>
> Whether we should or have to do some negotiation over HNCP if there are
> multiple CPEs is a problem we can deal with later.
>
> We have, however, been thinking about the problem of having partial
> connectivity for the home, and how do published names get resolved.
>
> > I'm probably missing something, Michael, so please explain if you agree
> > with the analysis above, whether you're assuming a central controller,
> > and, if so, where is the central controller located in a network that has
> > multiple edge routers.
>
> If an end user wants a non-ugly domain, and they buy it, then they need to
> introduce one or more of their CPEs to the upstream provider of the
> domain. It could be it is at this point that it makes sense to do some HNCP,
> but in essence, this is an internal problem, and the front-end-naming
> document is not about internal issues.
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-

Indeed this draft should say as little as possible about what should happen internally (whether there's one elected central Homenet controller for all ISP uplinks, or there's something running on all Homenet routers that updates an edge HNA per ISP uplink, or the HNA service runs on a host, or something else). Probably the text isn't in that state yet.
The facts of life with using DNS are that:

- a zone delegation is built on a hierarchical name space with a single root;
- a delegated zone is a proper subset of a parent zone;
- zone signing occurs with one single active zone signing key signing the complete set of RRs in a zone (not a key or signature per RR); and
- zone transfer updates are performed with a master/slave arrangement with a limited number of known peers per zone.

If you want individual hosts to interact directly with an outsourced name service based on DNS (instead of via an HNA), you either have to delegate the zone signing to the outsourced name service (which introduces a different trust model), or you assign a dedicated zone per host (possible?), or you introduce a massive key sharing and signing problem.

Another use case could be small companies who want to run something like Active Directory on premises (AD integrated DNS). Then they could potentially build AD forest trust relationships between companies. AD of course runs on a domain controller (DC). The DC function could then potentially take on the role of HNA, whether that is running a separate server or on a CPE.

--
regards,
RayH
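The last two points above (one active signing key held in one place, and transfers only between a few known peers) look like this when written down as BIND 9 configuration. This is an added example, not configuration from the thread or from any Homenet implementation; it assumes BIND 9.16 or later, a placeholder home zone `home.example`, documentation addresses from 192.0.2.0/24, and a TSIG secret that you generate yourself (e.g. with `tsig-keygen`).

```conf
# --- Primary: the HNA, the only place the zone and its signing keys live ---

# Shared TSIG key; PLACEHOLDER secret, generate a real one with tsig-keygen.
key "hna-xfer" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
};

zone "home.example" {
    type primary;
    file "/var/lib/bind/home.example.db";

    # The single active ZSK/KSK set is managed here and nowhere else;
    # secondaries receive the already-signed zone over AXFR/IXFR.
    dnssec-policy default;
    inline-signing yes;

    # Only a peer that proves possession of the TSIG key may pull the zone.
    allow-transfer { key "hna-xfer"; };

    # Push NOTIFY only to the known outsourced secondary, authenticated.
    notify explicit;
    also-notify { 192.0.2.53 key "hna-xfer"; };

    # Hosts never update the published zone directly; the HNA composes it.
    allow-update { none; };
};

# --- Secondary: the outsourced name service, holds no signing keys ---

key "hna-xfer" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   # same PLACEHOLDER secret as above
};

zone "home.example" {
    type secondary;
    file "/var/lib/bind/home.example.db";
    # Pull only from the HNA, signing every request with the shared key.
    primaries { 192.0.2.1 key "hna-xfer"; };
    # Refuse to re-serve the zone to anyone else.
    allow-transfer { none; };
};
```

Whether the TSIG key is provisioned by the ISP with the delegation or set up by the owner, the trust model stays the one described above: the secondary can serve the signed data but cannot mint or alter signatures, which is exactly what per-host direct updates would break.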