Re: [secdir] secdir review of draft-ietf-homenet-arch-10

Samuel Weiler <weiler@watson.org> Wed, 11 September 2013 15:17 UTC

Date: Wed, 11 Sep 2013 11:17:00 -0400 (EDT)
From: Samuel Weiler <weiler@watson.org>
To: Ray Bellis <Ray.Bellis@nominet.org.uk>
In-Reply-To: <53F00E5CD8B2E34C81C0C89EB0B4FE732DE90676@wds-exc1.okna.nominet.org.uk>
Message-ID: <alpine.BSF.2.00.1309111110440.1574@fledge.watson.org>
References: <alpine.BSF.2.00.1309051037400.86627@fledge.watson.org> <F432C9E2-B19A-452B-89A7-5C47FD4C4EC4@townsley.net> <53F00E5CD8B2E34C81C0C89EB0B4FE732DE90676@wds-exc1.okna.nominet.org.uk>
Cc: "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-homenet-arch.all@tools.ietf.org" <draft-ietf-homenet-arch.all@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-homenet-arch-10

On Wed, 11 Sep 2013, Ray Bellis wrote:

>> -- "The name space(s) should be served authoritatively by the
>>  homenet..."   Why is that necessary?  (Indeed, there is text in
>>  3.7.4 that seems to conflict with this.)
...
> Can you please indicate which text you believe is in conflict?

Sure.

in 3.7.3:

"The name space(s) should be served authoritatively by the
    homenet, most likely by a server resident on the CER."

in 3.7.4

"One approach ... is to run an authoritative
    name service on the CER and a secondary resolving name service
    provided by the ISP or perhaps a cloud-based third party."

The former I see as more prescriptive (you should do X) and the latter 
as just a suggestion (one idea is X).

I was challenging the prescription.  The quotes are necessarily in 
conflict, but they seem to carry very different force.

>> -- There is a recommendation to support DNSSEC on the authoritative
>>  server side (in 3.7.4).  Shouldn't there be a similar
>>  recommendation on the resolver side?
>
> That (short) paragraph is not specific to authoritative servers, it 
> applies to the entire section.  The example of cache-poisoning 
> further indicates its applicability to recursive resolution.

That is not clear from the text.  I read "it is desirable
    to support appropriate name service security methods, including
    DNSSEC." and interpreted it as shown above.

-- Sam