Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "homenet-dot"

[Brian Dickson <brian.peter.dickson@gmail.com>]

On Wed, Dec 14, 2016 at 5:18 PM, Mark Andrews <marka@isc.org> wrote:

>
> In message <CAH1iCioPZiO78j478BV7t=pTN9LZXQbweeBZQF2w3O1gKwx3XA@mail.
> gmail.com>
> , Brian Dickson writes:
> >
> > On Wed, Dec 14, 2016 at 4:09 PM, Ted Lemon <mellon@fugue.com> wrote:
> >
> > > On Dec 14, 2016, at 5:04 PM, John Levine <johnl@taugh.com> wrote:
> > >
> > > But it's worse than that -- if your client software does DNSSEC
> > > validation it needs to understand that homenet is a special case and
> > > it's OK not to validate.
> > >
> > > [etc]
> > >
> > >
> > > That is precisely why we need an unsecured delegation.
> > >
> > >
> >
> >
> > I agree that in the current world, an unsigned delegation is required.
> >
> > I would humbly suggest that use of an AS112-like set of well-known names
> > and IP addresses, would be the preferred way of DOING that delegation.
> >
> > A well-known address set would allow homenet-aware devices to be
> pre-loaded
> > with the address of the NS, while non-aware would learn it through the
> > delegation.
> >
> > If it were possible to have the names be served by root servers (as a
> > consequence of being in the set of domains served by the root servers),
> > then the glue data would be signed and validate-able, which is about as
> > good as you can get (security-wise), while making homenet strictly local.
> >
> > (Within a given homenet, the well known IP(s) could be handled via
> anycast
> > or similar mechanisms, presuming the homenet mechanisms support things
> like
> > that.)
> >
> > My personal recommendation would be non-RFC-1918 well known addresses.
> >
> > This ensures that for queries that leak from non-1918 space sourced
> > queries, that the delegation is to an address that is guaranteed to be
> > reachable, even if the local set-up is badly broken.
> >
> > That IP would be configured to give itself as the answer to any query,
> and
> > be configured to provide (rate-limed) HTTP (wild-card) responses,
> > that serve up the RFC for how to set up homenet. (If that RFC doesn't
> > exist, that really should be next on the WG milestones.)
> >
> > All roads would then lead to the answer to the question, which is, "How
> do
> > I get this stuff to work?".
> >
> > Brian
>
> Why is this any better than a referral to the existing root servers
> and a empty locally served .homenet zone with the previously mentioned
> constraint of only enabling it when the namespace is not being
> forwarded.  We do this for all the default local zones so this will
> just be a extra name in the list of empty local zones that are
> automatically configured.  A 5 minute job to commit to all the
> branches once the name is approved.  Other vendors do similar.  The
> root servers will always need to be answering for homenet/DS.  The
> locally served .homenet zone will stop most of the leaks for *.homenet
> at the ISP level.
>

It depends on perspective, and your definition of "better".

The homenet folks want zero configuration, want it to work, and don't want
to wait.

The difference between the scenarios are:
- How a non-aware resolver within a homenet (which has a correctly deployed
aware resolver) behaves
- How much infrastructure requires changes before the first improperly
deployed homenet gets any help
  - In your scenario, it never gets help, and leaks to the root until ISPs
and/or resolvers get changes deployed
  - In my scenario, the first instance of an upgraded AS112 node (with new
address being anycast) results in universal support, modulo available
capacity

If you only care about leaking, you are missing the point.

If you care about both leaking, *and* getting mixed environments to work,
*and* minimizing deployment support costs, you should be able to see why
this is better.


>
> If there are too many leaks after 5 years (give ISPs time to deploy
> the new servers) then consider a AS112 like solution but I don't
> think it will be needed.
>

IMHO, this is mostly backwards. In this case, I think the AS112 would
probably need to be permanent.

But, in general, the fastest way of fixing the leaks is, deploy the leak
shield (AS112), then fix the leaks, then remove the leak shield when it is
no longer needed.

Waiting until the deluge has become a dribble, seems backwards.
(Plus, look how well that worked for spam.)

Brian


>
> Mark
>
> > PS For the DNSSEC-aware humans:
> >
> > I think this exposes an unforeseen edge case, not covered in the design
> of
> > DNSSEC.
> >
> > I think what would have been ideal, would have been the ability to
> securely
> > delegate to a well-known name/address, but without a secure entry point.
> > I.e. where parent/child NS use different RRTYPEs, and the parent NS is
> > signed (along with glue), and there is no DS.
> >
> > The child could exist as an island of security, and have a self-signed
> > DNSKEY (or KSK/ZSK pair).
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
>