Re: [secdir] secdir review of draft-ietf-homenet-arch-10

Ted Lemon <Ted.Lemon@nominum.com> Wed, 11 September 2013 15:39 UTC

From: Ted Lemon <Ted.Lemon@nominum.com>
To: Samuel Weiler <weiler@watson.org>
Date: Wed, 11 Sep 2013 15:39:11 +0000
Message-ID: <9E3806AB-46ED-4CF8-BA00-9C8EF3B59363@nominum.com>
References: <alpine.BSF.2.00.1309051037400.86627@fledge.watson.org> <F432C9E2-B19A-452B-89A7-5C47FD4C4EC4@townsley.net> <53F00E5CD8B2E34C81C0C89EB0B4FE732DE90676@wds-exc1.okna.nominet.org.uk> <alpine.BSF.2.00.1309111110440.1574@fledge.watson.org>
In-Reply-To: <alpine.BSF.2.00.1309111110440.1574@fledge.watson.org>
Cc: Ray Bellis <Ray.Bellis@nominet.org.uk>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-homenet-arch.all@tools.ietf.org" <draft-ietf-homenet-arch.all@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-homenet-arch-10

On Sep 11, 2013, at 11:17 AM, Samuel Weiler <weiler@watson.org> wrote:
> I was challenging the prescription.  The quotes are necessarily in conflict, but they seem to carry very different force.

Actually they aren't in conflict.  3.7.3 is saying "you need an authoritative name server on the local net."  3.7.4 is saying "if you want names to be resolved externally, one way to make this work would be to set up secondaries on external servers."  In fact, the solution that I've seen discussed recently is to have the master on the local network be a hidden master, so that the only published authoritative servers for the zone would be the secondaries.  But the architecture document rightly avoids prescribing that solution.
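The hidden-master arrangement described in the message above, as an added BIND configuration example; it is not part of the thread or of draft-ietf-homenet-arch. Everything concrete in it is assumed for illustration: the zone name example.home, a master at 192.0.2.1 on the home network, two public secondaries ns1.example.net (198.51.100.10) and ns2.example.net (203.0.113.10), a TSIG key named "homenet-xfer" with a placeholder secret, and that the secondaries can reach 192.0.2.1 for zone transfers (over a tunnel or static route, since a home master usually sits behind NAT or a firewall).

```conf
// ===== named.conf on the hidden master (home network) =====
// Assumed values, not from the draft or the thread: zone example.home,
// master 192.0.2.1, secondaries 198.51.100.10 and 203.0.113.10,
// TSIG key "homenet-xfer" (placeholder secret; generate with tsig-keygen).

key "homenet-xfer" {
    algorithm hmac-sha256;
    secret "<base64-secret-placeholder>";
};

options {
    listen-on { 192.0.2.1; };
    recursion no;
    allow-query { 192.0.2.0/24; };        // answer only the home network
    notify explicit;                      // do NOT notify the NS RRset
                                          // (it does not contain this host)
    also-notify { 198.51.100.10; 203.0.113.10; };  // notify the secondaries
    allow-transfer { key "homenet-xfer"; };        // AXFR/IXFR only with TSIG
};

zone "example.home" {
    type master;
    file "/var/named/example.home.zone";
    // The zone's NS RRset lists only ns1.example.net and ns2.example.net;
    // this host's name and address appear nowhere in the zone data.
};

// ===== named.conf on a public secondary (e.g. ns1.example.net) =====
// Same key as above; the secondary pulls the zone from the hidden master
// and is the only kind of server the rest of the Internet ever sees.

key "homenet-xfer" {
    algorithm hmac-sha256;
    secret "<base64-secret-placeholder>";
};

zone "example.home" {
    type slave;
    masters { 192.0.2.1 key "homenet-xfer"; };
    file "/var/named/sec/example.home.zone";
    allow-transfer { none; };             // do not republish the zone to others
};
```

Two checks confirm the property the message describes: `dig NS example.home` answered from outside should list only ns1.example.net and ns2.example.net, and `dig @198.51.100.10 example.home AXFR` should be refused. One design consequence worth knowing: the SOA MNAME also has to name a public server rather than the hidden master, so clients that locate the update target via MNAME (RFC 2136 dynamic update) will hit a secondary, which is why hidden-master deployments usually forward or disable updates there.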