Mark Andrews wrote:
In message <20140305102536.gd9...@mx1.yitter.info>, Andrew Sullivan writes:
Mark,

On Wed, Mar 05, 2014 at 08:58:23PM +1100, Mark Andrews wrote:
a bit of flip flop but most of the time one is just "On WiFi" at home or
The point is that we're designing a protocol, and "most of the time"
won't be good enough to avoid support calls to the ISP help desk.  ISP
margins are thin enough that it would be a bad thing to build a
specification that encourages that even rarely.

This is a problem that is INDEPENDENT of DNSSEC when you are signing both
zones.   This is about there being two versions of the zone.

I really don't see this as being an issue in practice.  Just sign
the zone (all versions) in the house with the same keys.  Stop with
this nonsense idea that you shouldn't sign the internal version
when you are signing the external version.
Mark, you're at least jumping ahead to implementation and at worst
begging the question.  We started with a proposal that did signing in
the ISP's server.  I was pointing out the consequences of that for
DNSSEC.  One of the possible solutions is that the "internal version"
is unsigned.  It would be careless not to list that as one of the
possibilities, even if I think that's a foolish outcome.  We have to
list the possibilities we don't like, too, or else we won't have a
clear picture of what we're talking about.

Signed and unsigned versions of the same zones are a REALLY REALLY
REALLY REALLY bad idea.
+1
This is a "Doctor it hurts if I do this.
Then don't do this." example. It could be made to work with negative
trust anchors which are installed when the WiFi SSID matches the
home's SSID but we really don't want to go there.  There be dragons.

It is dead simple for the nameserver in the CPE to do the signing.  Why
people think it is beyond the capabilities of a device like
this is beyond me.  The CPE generated the keys.  It signs the
records.  It updates the parent zone to add DS records for the keys
it has generated.

The owner of the CPE has to do nothing to make this happen.

Either sign all versions or don't sign any.
+1
I will appeal any version that even hints that mixed signing is the
way to go.  It is just bad design, bad engineering and will cause pain
for everyone.

Best regards,

A

--
Andrew Sullivan
a...@anvilwalrusden.com

_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

--
Regards,
RayH

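The mixed-signing problem argued in the thread, as an added example that is not part of the list discussion: a small Python model of a validating resolver that holds the DS the CPE published in the parent, checking the home zone served as an external view and an internal view. Lamport one-time signatures over SHA-256 stand in for a real DNSSEC algorithm and the DS derivation is simplified; those, the zone name `home.example` and the records are all assumptions.

```python
import os, hashlib
def h(b):
    return hashlib.sha256(b).digest()
def keygen():  # Lamport keypair (toy: reused across views, which a real one-time scheme forbids)
    priv = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return priv, b"".join(h(a) + h(b) for a, b in priv)

def sign(priv, msg):  # reveal one secret per bit of the message hash
    d = int.from_bytes(h(msg), "big")
    return b"".join(priv[i][(d >> i) & 1] for i in range(256))

def verify(pub, msg, sig):
    d = int.from_bytes(h(msg), "big")
    for i in range(256):
        off = 64 * i + 32 * ((d >> i) & 1)
        if h(sig[32 * i:32 * i + 32]) != pub[off:off + 32]:
            return False
    return True

def ds(zone, pub):  # simplified DS: hash of owner name + public key
    return h(zone.encode() + pub)
def canon(zone, rrs):  # bytes the RRSIG covers: owner name + sorted records
    return zone.encode() + b"|" + b"|".join(sorted(r.encode() for r in rrs))

def view(zone, rrs, key=None):  # one served version of the zone; key=None means unsigned
    if key is None:
        return {"zone": zone, "rrs": rrs}
    priv, pub = key
    return {"zone": zone, "rrs": rrs, "dnskey": pub, "rrsig": sign(priv, canon(zone, rrs))}

def validate(trust_ds, v):  # outcome for a validator holding the parent's DS, or none
    if trust_ds is None:
        return "INSECURE"  # no DS in the parent: nothing to check
    if "dnskey" not in v:
        return "BOGUS"  # DS promises a key, but this view carries no signatures
    if ds(v["zone"], v["dnskey"]) != trust_ds:
        return "BOGUS"  # served DNSKEY does not match the DS in the parent
    return "SECURE" if verify(v["dnskey"], canon(v["zone"], v["rrs"]), v["rrsig"]) else "BOGUS"

def demo():
    cpe_key = keygen()  # keys generated on the CPE (constructed)
    anchor = ds("home.example", cpe_key[1])  # DS the CPE pushed into the parent zone
    ext, internal = ["www A 203.0.113.5"], ["www A 192.168.1.5"]
    return {
        "external": validate(anchor, view("home.example", ext, cpe_key)),
        "internal_same_key": validate(anchor, view("home.example", internal, cpe_key)),
        "internal_unsigned": validate(anchor, view("home.example", internal)),
        "internal_other_key": validate(anchor, view("home.example", internal, keygen())),
    }
```

Only the two views signed with the same CPE keys validate; an unsigned internal view or one signed with different keys is bogus for any resolver that has already seen the parent's DS.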
