Re: [secdir] secdir review of draft-ietf-homenet-arch-10

Ray Bellis <> Wed, 11 September 2013 15:57 UTC

From: Ray Bellis <>
To: Ted Lemon <>, Samuel Weiler <>
Date: Wed, 11 Sep 2013 15:56:39 +0000
Cc: " IESG" <>, "" <>, "" <>

On 11 Sep 2013, at 16:39, Ted Lemon <> wrote:

> Actually they aren't in conflict.   3.7.3 is saying "you need an authoritative name server on the local net."   3.7.4 is saying "if you want names to be resolved externally, one way to make this work would be to set up secondaries on external servers."  In fact, the solution that I've seen discussed recently is to have the master on the local network be a hidden master, so that the only published authoritative servers for the zone would be the secondaries.   But the architecture document rightly avoids prescribing that solution.

I think the confusion is caused by the use of the phrase "secondary resolving name service" in 3.7.4.

Ted is (correctly, I think) taking the intent of that to mean a secondary _authoritative_ service, but us DNS heads think of "resolving" as what stubs and recursive servers do.

Tim - can you please clarify the intent?
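The hidden-master arrangement Ted describes above, laid out as configuration so the two services being confused in 3.7.4 are visible side by side. This is an added illustration, not text from draft-ietf-homenet-arch-10 or from either author; it uses BIND 9 syntax, and every zone name, host name and address is a documentation placeholder (RFC 2606 / RFC 5737 / RFC 3849) chosen for the example.

```conf
;; ---- named.conf on the homenet router: the HIDDEN MASTER ----------------
;; Authoritative for the home zone, but never named in the zone's NS RRset,
;; so nothing on the Internet is told to query it directly.
options {
    listen-on    { 192.0.2.1; };              // placeholder address
    recursion    no;                          // authoritative only: this is
                                              // NOT a "resolving" service
    allow-transfer { none; };                 // deny by default, open per zone
    notify       explicit;                    // NOTIFY only the hosts listed
    also-notify  { 198.51.100.10; 203.0.113.20; };   // the public secondaries
};

zone "home.example" {
    type master;
    file "/var/named/home.example.zone";
    allow-transfer { 198.51.100.10; 203.0.113.20; }; // AXFR/IXFR to secondaries only
};

;; ---- /var/named/home.example.zone ----------------------------------------
;; Only the secondaries appear as NS; the SOA MNAME also points at one of them
;; so the master's own name is never published.
$TTL 3600
@       IN SOA  ns1.isp-secondary.example. hostmaster.home.example. (
                2013091101      ; serial (placeholder)
                3600            ; refresh
                1800            ; retry
                1209600         ; expire
                300 )           ; negative-caching TTL
        IN NS   ns1.isp-secondary.example.
        IN NS   ns2.friend.example.
router  IN AAAA 2001:db8::1

;; ---- named.conf on each public SECONDARY (secondary *authoritative* service)
;; This is what 3.7.4 appears to mean: an off-site authoritative copy of the
;; zone, fed by the hidden master, answering external queries for the zone.
options {
    recursion no;                             // still not a resolver
};

zone "home.example" {
    type slave;
    masters { 192.0.2.1; };                   // the hidden master
    file "/var/named/secondary/home.example.zone";
};

;; ---- named.conf on the home "resolving" service (what DNS people mean) ---
;; A recursive server used by stubs inside the home. It serves no zone data
;; of its own and is a different thing from either box above.
options {
    recursion yes;
    allow-recursion { 192.0.2.0/24; 2001:db8::/64; };   // home prefixes only
    allow-query     { 192.0.2.0/24; 2001:db8::/64; };
};
```

The security-relevant properties to check in such a setup: the master's `allow-transfer` is restricted to the listed secondaries (and ideally TSIG-keyed, omitted here for brevity), the master and secondaries run with `recursion no` so they cannot be used as open resolvers, and the NS RRset and SOA MNAME contain only the public secondaries so the hidden master is not discoverable from the zone itself.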