Re: [secdir] secdir review of draft-ietf-homenet-arch-10

Ray Bellis <> Wed, 11 September 2013 08:33 UTC

From: Ray Bellis <>
To: Samuel Weiler <>
Date: Wed, 11 Sep 2013 08:33:00 +0000

Following on from Mark's comments:

> -- "When DNS is used as the homenet name service, it includes both a
>  resolving service and an authoritative service."  Does it
>  necessarily?

A Homenet that is not currently connected to the Internet still needs to be able to function, so (when DNS is used) authoritative local name service and a service for resolution of those local names are both needed.

> -- "The name space(s) should be served authoritatively by the
>  homenet..."   Why is that necessary?  (Indeed, there is text in
>  3.7.4 that seems to conflict with this.)

One reason is simply to prevent names only intended to be known internally from being shared with externally maintained authoritative servers.

The other is the "disconnected homenet" mentioned above.

Can you please indicate which text you believe is in conflict?

> -- There is a recommendation to support DNSSEC on the authoritative
>  server side (in 3.7.4).  Shouldn't there be a similar
>  recommendation on the resolver side?

That (short) paragraph is not specific to authoritative servers; it applies to the entire section.  The example of cache-poisoning further indicates its applicability to recursive resolution.

kind regards,
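The two properties argued for in this reply (local names served authoritatively by the homenet itself so they are never handed to external servers, and resolution of those names continuing to work while the homenet is disconnected) can be modelled as a small resolution policy. The following is an added example, not code from the thread, the draft, or any homenet implementation; the local zone name `example.home.`, the record data, and the `Upstream` stub standing in for the external resolver are all constructed assumptions. DNSSEC validation is not modelled here.

```python
"""Toy model of a homenet name-service policy (added example, not from the draft).

Names under the local zone are answered from local authoritative data and are
never forwarded upstream; everything else is forwarded only while connected.
"""
from dataclasses import dataclass, field

# Assumed local namespace; the draft does not fix a particular zone name.
LOCAL_ZONE = "example.home."

# Constructed sample authoritative data for the local zone.
LOCAL_RECORDS = {
    "printer.example.home.": {"AAAA": ["fd12:3456:789a::1"]},
    "nas.example.home.": {"AAAA": ["fd12:3456:789a::2"], "A": ["192.0.2.10"]},
}


@dataclass
class Upstream:
    """Stand-in for the external (ISP or public) recursive resolver."""
    connected: bool
    answers: dict
    queries: list = field(default_factory=list)  # records what leaves the homenet

    def query(self, name, rtype):
        if not self.connected:
            raise ConnectionError("homenet has no external connectivity")
        self.queries.append((name, rtype))
        return self.answers.get(name, {}).get(rtype, [])


def in_local_zone(name):
    """True for the zone apex and anything below it (but not 'evilexample.home.')."""
    name = name.lower()
    return name == LOCAL_ZONE or name.endswith("." + LOCAL_ZONE)


def resolve(name, rtype, upstream):
    """Return (rcode, rrset) for a query, applying the homenet policy."""
    name = name.lower()
    if not name.endswith("."):
        name += "."
    if in_local_zone(name):
        # Authoritative answer from local data; the upstream is never consulted,
        # so internal names cannot leak and resolution works while disconnected.
        rrsets = LOCAL_RECORDS.get(name)
        if rrsets is None:
            return ("NXDOMAIN", [])
        return ("NOERROR", rrsets.get(rtype, []))   # empty list == NODATA
    try:
        return ("NOERROR", upstream.query(name, rtype))
    except ConnectionError:
        # Disconnected homenet: external names fail, local names (above) still work.
        return ("SERVFAIL", [])


if __name__ == "__main__":
    up = Upstream(connected=True, answers={"www.example.net.": {"AAAA": ["2001:db8::1"]}})
    print(resolve("printer.example.home", "AAAA", up))   # answered locally
    print(resolve("www.example.net", "AAAA", up))        # forwarded
    print("queries that left the homenet:", up.queries)  # only the external name
    print(resolve("nas.example.home", "A", Upstream(connected=False, answers={})))
```

The `queries` list on the stub is the check a practitioner would want: after a run, it must contain no name under the local zone, which is exactly the leakage the reply says local authoritative service prevents.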