> Hi,
> The INT Area Director who oversees the homenet WG, Terry Manderson, has
> asked DNSOP participants to review
> https://www.ietf.org/id/draft-ietf-homenet-dot-03.txt, "Special Use Top
> Level Domain '.homenet'", with the following aspects in mind:
> 1) in terms of RFC6761
> 2) in terms of the _operational_ position of an unsigned entry in the root
> zone as requested in this document, to break the chain of trust for local
> DNS resolution of .homenet names.
>

I'd like to ask some questions about homenet and the TLD.

These are mostly clarification questions, but might (together) lead to an
alternative solution.


   1. The homenet TLD is intended to be used in such a way that queries
   should never reach the root servers. Is this correct?
   2. The main issue driving the request for the insecure delegation is
   the ability to have a proof of insecurity anchored at the ICANN
   root-of-trust, aka the KSK for the root zone. Is this correct?
   3. Resolvers doing "homenet" need to be able to serve current "proof"
   responses, whose signatures' validity periods are "current". Is this
   correct?
   4. What is required for the above is generation of DNSSEC records
   including RRSIG(NS), NSEC, and RRSIG(NSEC), for "homenet" TLD.

Since the queries are never meant to reach the root servers, the presence
or absence of "homenet" in the root is mostly moot.

The only technical requirement is that suitable DNSSEC records be
generated, and that the special-purpose homenet DNS resolvers are able to
have up-to-date copies of these DNSSEC records.

As a technical matter, this does not require publishing these records in
the root zone, although that would be one way of achieving the necessary
requirement.

Perhaps the homenet WG folks could talk to the ICANN folks about ways of
accomplishing the above, without the need for publishing the unsigned
delegation in the root zone?

The benefit of not publishing is that any queries that do hit the root
servers would get a signed NXDOMAIN, which IMHO is a more correct response.

(It also prevents the problem of what NS values would need to be used on
the unsigned delegation.)

Brian



> This document is the product of the homenet WG, which has asked the IESG
> to approve it for publication, so our comments are strictly advisory to the
> IESG. There was some discussion of the draft on this list shortly after it
> appeared, in November 2016, but it’s always the AD’s prerogative to ask for
> additional review.
>
>
> thanks,
> Suzanne & Tim
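
Question 3 above turns on whether the RRSIGs a homenet resolver holds are inside their validity window. The following is an added example (not part of the original message or of the homenet draft) of that check, using RFC 1982 serial arithmetic as RFC 4034 section 3.1.5 specifies. The sample records, key tag, dates and the three-day refresh margin are constructed assumptions.

```python
import calendar
import time

# Constructed sample: RRSIG(NSEC) records in presentation format, as a homenet
# resolver might hold them. Key tag and signature are placeholders, not real data.
SAMPLE_RRSIGS = [
    "homenet. 86400 IN RRSIG NSEC 8 1 86400 20170401050000 20170319040000 12345 . PLACEHOLDERSIG==",
    "homenet. 86400 IN RRSIG NSEC 8 1 86400 20170310050000 20170225040000 12345 . PLACEHOLDERSIG==",
]

def utc(year, month, day):
    """Midnight UTC of the given date as seconds since the epoch."""
    return calendar.timegm((year, month, day, 0, 0, 0))

def rrsig_time(field):
    """Convert an RRSIG YYYYMMDDHHmmSS (UTC) field to a 32-bit timestamp."""
    return calendar.timegm(time.strptime(field, "%Y%m%d%H%M%S")) & 0xFFFFFFFF

def serial_lte(a, b):
    """True if a <= b under RFC 1982 serial arithmetic on 32-bit values."""
    return ((b - a) & 0xFFFFFFFF) < 0x80000000

def parse_rrsig(line):
    """Extract the fields needed for the validity check from one RRSIG line."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    # RDATA order: covered alg labels origttl expiration inception keytag signer sig
    return {"owner": f[0], "covered": f[4], "signer": f[11],
            "expiration": rrsig_time(f[8]), "inception": rrsig_time(f[9])}

def validity_status(sig, now, refresh_margin=3 * 86400):
    """Classify a signature; refresh_margin is an assumed policy value."""
    now &= 0xFFFFFFFF
    if not serial_lte(sig["inception"], now):
        return "not-yet-valid"
    if not serial_lte(now, sig["expiration"]):
        return "expired"   # a validator would reject this proof
    if ((sig["expiration"] - now) & 0xFFFFFFFF) < refresh_margin:
        return "refresh"   # still valid, but fetch a newer copy soon
    return "current"

if __name__ == "__main__":
    now = utc(2017, 3, 20)  # constructed "current time"
    for line in SAMPLE_RRSIGS:
        sig = parse_rrsig(line)
        print(sig["owner"], sig["covered"], validity_status(sig, now))
```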
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
