IETF Logo Mail Archive

Re: [renum] draft-liu-6renum-gap-analysis-03

Mark Andrews <marka@isc.org> Fri, 09 December 2011 22:45 UTC

Return-Path: <marka@isc.org>
X-Original-To: renum@ietfa.amsl.com
Delivered-To: renum@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A18E421F849B for <renum@ietfa.amsl.com>; Fri, 9 Dec 2011 14:45:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.581
X-Spam-Level:
X-Spam-Status: No, score=-2.581 tagged_above=-999 required=5 tests=[AWL=0.018, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X2BcvXxfL8PZ for <renum@ietfa.amsl.com>; Fri, 9 Dec 2011 14:45:51 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) by ietfa.amsl.com (Postfix) with ESMTP id A8B9D21F8496 for <renum@ietf.org>; Fri, 9 Dec 2011 14:45:50 -0800 (PST)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "bikeshed.isc.org", Issuer "ISC CA" (verified OK)) by mx.pao1.isc.org (Postfix) with ESMTPS id BE116C9479; Fri, 9 Dec 2011 22:45:38 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (unknown [IPv6:2001:470:1f00:820:44bf:4184:2d0e:dbdb]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id 1BF16216C6B; Fri, 9 Dec 2011 22:45:38 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id 322F11968819; Sat, 10 Dec 2011 09:45:30 +1100 (EST)
To: Ran Atkinson <ran.atkinson@gmail.com>
From: Mark Andrews <marka@isc.org>
References: <5C46AA96-3CDA-41AD-8197-E7989DEC2609@gmail.com> <5D36713D8A4E7348A7E10DF7437A4B9218580CF0@SZXEML506-MBX.china.huawei.com> <7D6F6DAB-D8B3-46AA-8339-D9B92E6356F1@gmail.com>
In-reply-to: Your message of "Fri, 09 Dec 2011 07:55:19 CDT." <7D6F6DAB-D8B3-46AA-8339-D9B92E6356F1@gmail.com>
Date: Sat, 10 Dec 2011 09:45:30 +1100
Message-Id: <20111209224530.322F11968819@drugs.dv.isc.org>
Cc: "renum@ietf.org" <renum@ietf.org>
Subject: Re: [renum] draft-liu-6renum-gap-analysis-03
X-BeenThere: renum@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Renumbering discussion mailing list." <renum.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/renum>, <mailto:renum-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/renum>
List-Post: <mailto:renum@ietf.org>
List-Help: <mailto:renum-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/renum>, <mailto:renum-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Dec 2011 22:45:51 -0000

In message <7D6F6DAB-D8B3-46AA-8339-D9B92E6356F1@gmail.com>, Ran Atkinson write
s:
> 
> On 09  Dec 2011, at 01:49 , Sheng Jiang wrote:
> > Yes, our statement above is mainly based on BIND implementations.
> > We think most of DNS servers are BIND-based, 80% and above
> > (unverified estimation). So, Bind itself is the majority.
> 
> BIND is quite common with ISPs and content providers, 
> but Microsoft Server might well be the majority for 
> *enterprise* sites.  Since this document is focused 
> on renumbering situations, Microsoft Server's DNS 
> might well be the majority for the renumbering situation.
> 
> Unlike UNIX deployments of BIND, which stand alone, 
> Microsoft reportedly has fully integrated DNS with 
> other services (e.g. DHCP, Windows Work groups) inside 
> the Microsoft Windows Server.  
> 
> So reports say that there is no "flat file" with DNS entries.
> Reportedly, there is also no "loading of the DNS entries".  
> Instead, there is full integration of DNS with the 
> other services, and things are GUI-based and systemic
> for the whole deployment.
> 
> I'm told that Apple's MacOS X Server takes a very
> similar approach to Microsoft Windows Server, with
> integration and a GUI front-end for the whole deployment.
> Apple apparently does use BIND code behind-the-scenes,
> but system administrators never interact with BIND
> directly and again there are no "flat files" to load
> because everything is behind a common server GUI.
> 
> > We will contact Cricket Liu for the detail and
> > how common this is. We will update our text accordingly.
> 
> Why not start first by reading his book (which is quite clear) ?
> It is a published O'Reilly book and should be readily available.
> 
> According to the book, Microsoft Windows Server automatically
> enables Dynamic DNS Update between the Windows clients and
> the Windows server in a number of situations.  So deployment
> of Dynamic DNS UPdate is proportional to deployments of
> Microsoft Windows server, which ought to be pretty common
> in an enterprise scenario.

Windows uses GSS-TSIG to secure the updates.

Mac OS uses TSIG to secure the updates.  You turn it on via sharing
presumable as Apple decided that you only need this if you need to
reach the machine by name.

> >> In Section 10, the above draft in part says:
> >>> In the LAN, Secure DHCPv6 ([I-D.ietf-dhc-secure-dhcpv6]) or
> >>> SeND ([RFC3971], Secure Neighbor Discovery) deployment
> >>> may need to validate prefixes.
> >> 
> >> 
> >> If one thinks that configuring keys for Secure Dynamic
> >> DNS Update is difficult or challenging, then it is
> >> unavoidable to conclude that neither Secure DHCPv6
> >> nor SEND are actually deployable at present.
> >> 
> >> I think the problems with key management deserve their
> >> own subsection in Section 10 -- as a category of "gap"
> >> that ought to be addressed.  That new subsection ought
> >> to note the operational issues with key provisioning
> >> and key management for Secure Dynamic DNS Update
> >> (at least for non-MS nodes) and equally or more so
> >> for Secure DHCPv6 and SEND.  One would hope these
> >> would not fall into the "unsolvable gap" category,
> >> but in any event these gaps do need to be clearly
> >> documented.
> > 
> > The key management is a complicated issue. It is worth
> > a separated draft. It is relevant. However, we don't
> > think it is a renumbering specific issue.  We will add
> > some new text for it. But we would like to leave it out of scope.
> 
> I do not think that ignoring the issue or declaring it
> out-of-scope is a legitimate position to take for this
> document.
> 
> IETF rules require that ALL documents must fully address
> Security Considerations *within their own document*.
> 
> Ignoring that topic -- or shunting it off to other
> documents -- will result in a Last Call objection from me 
> and possibly others on the very solid technical grounds
> that the Security Considerations are known to be deficient.

With Windows you add the machine to the domain.  This is a
one off procedure and the last time I did it this it needed
a domain administrators password if my memory is correct.

Initial registration doesn't necessarially need to be standardised.
It can be ad-hoc.  Log into a web page and it can return a TSIG 
which is configured into the nameserver and the client machine.

That's done all the time to secure zone transfers.

What need to be standardised is what goes on the wire and that
was done years ago.  The rest really is implementation detail.

> >> Similarly, there is a practical operational "gap" in
> >> that we have no way to automatically update ACLs during
> >> a renumbering event.  This also needs to be documented
> >> as a gap.
> > 
> > We did list ACL as part of filter, see Section 6.3.
> 
> I did.  It is not nearly clear enough.  
> 
> More text is needed -- and since it is a Security 
> Consideration it also needs to be referenced in the 
> Security Considerations section of the document.
> 
> Last, it is very very rude and offensive to take any 
> private email and post it to any public mailing list
> without prior permission of the author -- as you
> have done today.  
> 
> Yours,
> 
> Ran
> 
> _______________________________________________
> renum mailing list
> renum@ietf.org
> https://www.ietf.org/mailman/listinfo/renum
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email