Just to follow through on my thought(s) on this... (thought in-line below).

On Mon, Mar 20, 2017 at 6:25 PM, Ted Lemon <mel...@fugue.com> wrote:

> I'm curious what Russ and Steve think about this as an alternative.   It
> seems a bit byzantine to me, but I can't say that I object to it on
> principle.   It does create a lot of extra work for ICANN, though, and it
> would be a bit more brittle than just doing an unsigned delegation: we now
> have to have some way to get current versions of these signatures into the
> homenet resolver.
>

Given that hypothetically this would not be published in the root zone,
there are ways to make this less brittle or expensive.
(Apologies in advance to anyone who might sprain their eyebrows.)

Technically, it is possible to use the KSK instead of the ZSK in generating an
RRSIG.
This would alleviate the temporal nature of validation from ZSK-derived
RRSIGs. (Continue reading for why this matters.)

And also technically, an RRSIG can have a nearly-arbitrary validity period,
up to 68 years.

So, if ICANN were to agree to do so, they could provide a long-lived RRSIG
signed directly by the root trust anchor, aka the KSK of the root zone.
This would validate for however long the RRSIG's validity period is, or
until the KSK rolls.

This would require an update every time the KSK is rolled, or whenever the
RRSIG needs to be refreshed. 68 years is an inconvenient interval, so maybe
50 or 20 years? This is still a lot better than 1 week or 1 month.

The question of how to publish this is orthogonal; perhaps some existing or
new RRTYPE, at some well-known place in the DNS tree, maybe under ".arpa"
somewhere convenient? Ideally also DNSSEC-signed.

Just suggesting something that is technically feasible...

Brian


>
> Further comments inline.
>
> On Mar 20, 2017, at 6:08 PM, Brian Dickson <brian.peter.dick...@gmail.com>
> wrote:
>
>
>    1. What is required for the above, is generation of DNSSEC records
>    including RRSIG(NS), NSEC, and RRSIG(NSEC), for "homenet" TLD.
>
>
> Yes.
>
> Since the queries are never meant to reach the root servers, the presence
> or absence of "homenet" in the root is mostly moot.
>
>
> Sure.
>
> The only technical requirement is that suitable DNSSEC records be
> generated, and that the special-purpose homenet DNS resolvers are able to
> have up-to-date copies of these DNSSEC records.
>
>
> Sure.
>
> As a technical matter, this does not require publishing these records in
> the root zone, although that would be one way of achieving the necessary
> requirement.
>
>
> True.
>
> Perhaps the homenet WG folks could talk to the ICANN folks about ways of
> accomplishing the above, without the need for publishing the unsigned
> delegation in the root zone?
>
>
> Strictly speaking I think this is something the IESG would have to do.  I
> don't object to this as a solution, but operationally I think it's a lot
> more work.   It may be that it's worth doing it, since it might be
> applicable to other special-use name allocations.
>
> The benefit of not publishing, is that any queries that do hit the root
> servers, would get a signed NXDOMAIN, which IMHO is a more correct response.
>
>
> Yes.   I'm not sure that's enough to justify the extra work.
>
>
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
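As an added example (not code from Brian, Ted or the DNSOP list), the Python below shows the mechanics the thread relies on: the RRSIG expiration/inception check done in RFC 1982 serial arithmetic (as RFC 4034 section 3.1.5 and RFC 4035 section 5.3.1 require), why the validity window is capped just under 2^31 seconds (the "68 years" above), and how the key tag in the RRSIG ties it to one DNSKEY, which is what makes a KSK-signed RRSIG survive ZSK rolls. The dates, key tag and the RRSIG(NS) over "homenet" are constructed placeholders.

```python
import struct
from datetime import datetime, timezone

MOD = 1 << 32
HALF = 1 << 31  # 2^31 s, about 68.1 years: the widest span serial arithmetic can order

def serial_lt(a, b):
    """RFC 1982 serial-number 'a < b' on 32-bit values, as RFC 4034 s3.1.5 requires."""
    a, b = a % MOD, b % MOD
    return (a < b and b - a < HALF) or (a > b and a - b > HALF)

def serial_le(a, b):
    return a % MOD == b % MOD or serial_lt(a, b)

def ts(y, m, d):
    """UTC date -> 32-bit RRSIG timestamp (seconds since the epoch, mod 2^32)."""
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp()) % MOD

# RRSIG RDATA fixed fields (RFC 4034 s3.1): type covered, algorithm, labels,
# original TTL, expiration, inception, key tag. Signer name and signature follow.
RRSIG_HDR = struct.Struct("!HBBIIIH")

def pack_rrsig_fixed(type_covered, algorithm, labels, orig_ttl, expiration, inception, key_tag):
    # A window of 2^31 s or more cannot be ordered, so no validator could accept it.
    if not serial_lt(inception, expiration):
        raise ValueError("inception must precede expiration by less than 2^31 seconds")
    return RRSIG_HDR.pack(type_covered, algorithm, labels, orig_ttl, expiration, inception, key_tag)

def rrsig_fixed_fields(rdata):
    tc, alg, labels, ttl, exp, inc, tag = RRSIG_HDR.unpack_from(rdata)
    return dict(type_covered=tc, algorithm=alg, labels=labels, original_ttl=ttl,
                expiration=exp, inception=inc, key_tag=tag)

def rrsig_valid_at(rdata, now):
    """RFC 4035 s5.3.1: inception <= now <= expiration, compared in serial arithmetic.
    Validity also ends when the DNSKEY named by key_tag (here the KSK) is rolled."""
    f = rrsig_fixed_fields(rdata)
    return serial_le(f["inception"], now) and serial_le(now, f["expiration"])

if __name__ == "__main__":
    # Constructed sample: RRSIG(NS) (type 2) over "homenet" (1 label), algorithm 8
    # (RSA/SHA-256), a 20-year window, and a placeholder key tag standing in for the KSK's.
    sig = pack_rrsig_fixed(2, 8, 1, 172800, ts(2037, 3, 20), ts(2017, 3, 20), 12345)
    print(rrsig_valid_at(sig, ts(2027, 1, 1)))  # True
    print(rrsig_valid_at(sig, ts(2040, 1, 1)))  # False: past expiration
```

The check is inclusive at both ends, and two timestamps exactly 2^31 apart compare as neither less nor greater, which is why the practical ceiling sits just below 68 years rather than at it.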