Hi Paul, I am wondering if there are any remaining concerns left for the draft-ietf-homenet-naming-architecture-dhc-options document and anything you would like us to address to lift your discuss.
Yours, Daniel On Mon, Oct 24, 2022 at 8:49 PM Daniel Migault <mglt.i...@gmail.com> wrote: > Hi Paul, > > Thanks for the follow-up. The reason we mentioned both RFC7858 and RFC9103 > is that the communication between the Homenet Naming Authority (HNA) and > the Distribution Manager (DM) involves two different channels. The Control > Channel that aims at configuring/managing the Synchronization Channel (i.e. > the primary/secondary). The Control Channel uses DNS over TLS RFC7858 while > the Synchronization Channel uses DNS Zone transfer over TLS 9103. The two > channels always go in pairs. As both are using DNS over TLS we use the > mnemonic 'DoT' for the Selected Transport. From what you are saying, it > might be clearer to just mention 'TLS' for the Selected Transport as DoT > might be really tightened to 7858. If you think this is clearer, I am happy > to do so as well as with any name that you think is clearer. > > Yours, > Daniel > > On Mon, Oct 24, 2022 at 7:20 PM Paul Wouters <paul.wout...@aiven.io> > wrote: > >> >> >> On Sun, Oct 23, 2022 at 10:45 PM Daniel Migault <mglt.i...@gmail.com> >> wrote: >> >>> While TLS gives you privacy, >>> >>>> the DNS Update cannot be done with only TLS (as far as I understand >>>>>> it). >>>>> >>>>> please develop, but just in case, we do not use dns update to >>>>> synchronize the zone. we use AFXR/IXRF over TLS define din XoT. >>>>> >>>> >> This to me was not clear and a missed reference by me. While you name >> RFC9103, the text states: >> >> DNS over TLS: indicates the support of DNS over TLS as described in >> [RFC7858 <https://datatracker.ietf.org/doc/html/rfc7858>] and [RFC9103 >> <https://datatracker.ietf.org/doc/html/rfc9103>]. >> >> I should have looked more closely at the references, and I would have >> realized 9103 is about DNS XFR over TLS. That document indeed explains >> that XoT uses mutually authenticated TLS which provides the >> authentication for the XFR streams. >> >> My suggestion: >> >> Current: >> >> DNS over TLS: indicates the support of DNS over TLS as described in >> [RFC7858 <https://datatracker.ietf.org/doc/html/rfc7858>] and [RFC9103 >> <https://datatracker.ietf.org/doc/html/rfc9103>]. >> >> New: >> >> DNS Zone Transfer over TLS: indicates the support of DNS Zone Transfer >> over TLS as described in [RFC9103] >> >> > >> The reference to RFC7858 is misleading - it only deals with stub to >> recursive. >> >> If you think stub to recursive is in scope, it might be better to use two >> DHCP options as these two things >> seem to be very separate protocols (that just both happen to use DNS and >> TLS) >> >> >> >> >>> >>>> So you are going against the RFC 5936 SHOULD. >>>> >>>> I even had to look this up because I didn't know you could do an AXFR >>>> as a secondary >>>> from a primary without DNS level authentication. Apparently you can, >>>> but you SHOULD not. >>>> >>>> That is what we do. TLS provides enough security to replace TSIG / >>> SIG(0). >>> >> >> >> Reading 9103 made that clear to me now, but the text in the document did >> not. Perhaps that can be stated more clearly ? >> >> Paul >> > > > -- > Daniel Migault > Ericsson > -- Daniel Migault Ericsson
_______________________________________________ homenet mailing list homenet@ietf.org https://www.ietf.org/mailman/listinfo/homenet