Hi Paul,

Some brief elements of response to your questions. While you are raising comments within a DISCUSS, I see your comment as a very high-level question on what the content of the draft is, with many questions not related to that draft. I am happy to respond, but there is nothing actionable that can be done, so please be more specific.

Yours,
Daniel

On Thu, Oct 20, 2022 at 1:58 AM Paul Wouters via Datatracker <nore...@ietf.org> wrote:

> Paul Wouters has entered the following ballot position for
> draft-ietf-homenet-naming-architecture-dhc-options-21: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
> Please refer to
> https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
> for more information about how to handle DISCUSS and COMMENT positions.
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-homenet-naming-architecture-dhc-options/
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> This might be my misunderstanding of homenet, so hopefully easy to resolve.
>
> The HNA (hidden primary?) to DM (primary) DNS communication using DNS Update
> needs some kind of authentication, TSIG or SIG0 ?

no

> While TLS gives you privacy,
> the DNS Update cannot be done with only TLS (as far as I understand it).

please develop, but just in case, we do not use dns update to synchronize the zone. we use AXFR/IXFR over TLS defined in XoT.

> I don't see any DHCP options to relay authentication information for
> automatic deployment?

The FQDN "Distribution Manager FQDN" and "Reverse Distribution Manager FQDN" are sufficient to set a TLS session.

> So I don't understand how this would startup and be able to setup a
> secure DNS update channel ?

TLS needs only names. The certificate binds the names to a key used for the authentication.

> There was also talk about using ACME for TLS certificates, but wouldn't that
> require that the HNA already has a provisioned and working homenet domain ?

The draft does not mention ACME so I do not see what you are referring to.

> (possibly more a question for the other draft, but just adding it here in case
> the hidden primary to primary is an "almost DNS Update" protocol that uses TLS
> instead of TSIG/SIG0.

not at all. we do not use dns update at all for synchronizing the zones.

> _______________________________________________
> homenet mailing list
> homenet@ietf.org
> https://www.ietf.org/mailman/listinfo/homenet

--
Daniel Migault
Ericsson
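The following is an added example, not part of the thread or of the draft: a sketch of a TLS client that is given only a peer FQDN and sends an AXFR query over TLS (XoT, RFC 9103), with authentication coming from certificate name validation rather than TSIG/SIG(0). The host name `dm.example.net`, the zone `home.example`, the query ID and the use of the system trust store are assumptions made for illustration.

```python
import socket
import ssl
import struct

XOT_PORT = 853                      # DNS-over-TLS port, also used by XoT
QTYPE_AXFR, QCLASS_IN = 252, 1

def encode_name(fqdn: str) -> bytes:
    """Encode a domain name as DNS wire-format labels."""
    out = b""
    for label in fqdn.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label in {fqdn!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_axfr_query(zone: str, qid: int) -> bytes:
    """AXFR query carrying the 2-byte length prefix used on TCP and TLS."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)   # one question, no flags
    msg = header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    return struct.pack("!H", len(msg)) + msg

def xot_context() -> ssl.SSLContext:
    """Client context: certificate and host name checks on, TLS 1.3 minimum."""
    ctx = ssl.create_default_context()       # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx

def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes or fail if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during read")
        buf += chunk
    return buf

def first_axfr_message(peer_fqdn: str, zone: str, qid: int) -> bytes:
    """Connect by name only and return the first response message.
    The handshake fails unless the certificate is valid for peer_fqdn."""
    with socket.create_connection((peer_fqdn, XOT_PORT), timeout=10) as tcp:
        with xot_context().wrap_socket(tcp, server_hostname=peer_fqdn) as tls:
            tls.sendall(build_axfr_query(zone, qid))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return recv_exact(tls, length)

# Hypothetical usage: first_axfr_message("dm.example.net", "home.example", 0x1234)
```

Nothing here carries a shared secret: the only configured input is the name, so the strength of the authentication rests on the trust anchors loaded into the context.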