> On 10 Jun 2019, at 11:27 pm, Michael Richardson <mcr+i...@sandelman.ca> wrote:
>
>
> Ted Lemon <mel...@fugue.com> wrote:
>> For DNS updates, SIG(0) works fine. I have code you can steal that
>> works with mbedtls and ECDSA. Signing and validation. But I think TLS
>> client certs can also work. Proving the front-end server's identity
>> sounds like the hard part.
>
> Just to ask again clearly:
>
> 1a) is it possible to authorize an AXFR transfer by SIG(0)?
Yes.
> 1b) is it possible to authorize an SOA query by SIG(0)?
Yes.
> 2) is anyone doing AXFR over TLS (DPRIVE)?
>
> {3) is RFC3007 really the most recent text on dynamic DNS?}
What has changed to need a more recent RFC? Once you can identify the
requesting party, which SIG(0) and TSIG can do, the rest is policy.
I suppose we could have DHCP clients send KEY rdata as part of the DHCP
request for DHCP servers to insert in the reverse zone when addresses /
prefixes are allocated to allow the clients to use SIG(0) UPDATE requests
to update reverse zones. This would allow for more than PTR records to
be added to reverse zones. I did write an I-D about this for PD but got
no traction [1]. The technique would work equally well for individual addresses.
All it really requires is a DHCP code point to be allocated.
[1] https://datatracker.ietf.org/doc/draft-andrews-dnsop-pd-reverse/
>>> On Jun 8, 2019, at 6:32 PM, Michael Richardson <mcr+i...@sandelman.ca>
>>> wrote:
>>>
>>>
>>> Ted Lemon <mel...@fugue.com> wrote:
>>>>> Can we use TLS for authorization, assuming that we have trusted
>>>>> certificates at both ends? Perhaps this is more of a: did anyone implement this?
>>>
>>>> How is trust established? Sure, doing TSIG over TLS is no problem.
>>>
>>> Certificates are exchanged/created at manufacturing time (IDevID), and then
>>> optionally updated to LDevID. The certificate contains the name of the zone
>>> which the HNA is authoritative for (or a control record pins the
>>> certificate).
>>>
>>> TSIG requires a shared secret, thus a database of shared secrets available
>>> online. I don't want to do TSIG over TLS, I want to not do TSIG, or
>>> if I have to use TSIG for mechanical reasons, I want to derive the secret
>>> from the TLS.
>>>
>>> I need to authorize the following:
>>> 1) DNS update of some data (NS, DS, AAAA that NS points to) by
>>> Distribution Master (cloud/public system)
>>> 2) SOA query by Distribution Master by HNA.
>>> 3) AXFR by Distribution Master by HNA.
>>>
>>> --
>>> Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
>>> -= IPv6 IoT consulting =-
>
> --
> Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-
>
>
>
> _______________________________________________
> homenet mailing list
> homenet@ietf.org
> https://www.ietf.org/mailman/listinfo/homenet
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
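Mark's point above is that SIG(0) or TSIG answers "who is asking", and everything after that (which names a key may update, which record types, who may query the SOA or pull the zone with AXFR) is policy. The following is an added example, not code from the thread or from any of its participants, showing that split as a small policy evaluator for one reverse zone. The rule grammar is loosely modelled on BIND's `update-policy` "grant" lines but the code is illustrative and is not BIND's implementation; the zone `8.b.d.0.1.0.0.2.ip6.arpa` (reverse of 2001:db8::/32), the distribution-master key name `dm.example.net`, and the choice of record types a client may change at its own name are all constructed for the example. It assumes, as in the DHCP/KEY idea above, that each client's SIG(0) key is published under the client's own reverse name, so "self" rules work.

```python
"""Authorization after authentication for DNS operations (added example).

Once SIG(0) or TSIG has verified a request, the verifier knows the key name
that signed it.  This module decides what that key name may do in one zone.
Rules are loosely modelled on BIND's update-policy "grant" lines; this is an
illustration, not BIND's code.  Names are compared case-insensitively and
without the trailing dot.
"""
import ipaddress
from dataclasses import dataclass, field


def normalize(name: str) -> str:
    """Canonical form for comparing DNS names."""
    return name.rstrip(".").lower()


def is_subdomain(name: str, parent: str) -> bool:
    """True if name equals parent or lies below it in the DNS tree."""
    name, parent = normalize(name), normalize(parent)
    return name == parent or name.endswith("." + parent)


@dataclass(frozen=True)
class Rule:
    identity: str    # verified key name, or "*" for any authenticated key
    operation: str   # "UPDATE", "SOA" or "AXFR"
    nametype: str    # "self", "name", "subdomain" or "zonesub"
    name: str = ""   # target for "name"/"subdomain"; unused for self/zonesub
    rrtypes: frozenset = field(default_factory=frozenset)  # empty = any type


class ZonePolicy:
    def __init__(self, zone: str, rules):
        self.zone = normalize(zone)
        self.rules = list(rules)

    def _name_matches(self, rule: Rule, identity: str, target: str) -> bool:
        if rule.nametype == "self":        # key may only touch its own name
            return normalize(target) == normalize(identity)
        if rule.nametype == "name":
            return normalize(target) == normalize(rule.name)
        if rule.nametype == "subdomain":
            return is_subdomain(target, rule.name)
        if rule.nametype == "zonesub":
            return is_subdomain(target, self.zone)
        return False

    def authorize(self, identity, operation: str, target=None, rrtype=None) -> bool:
        """Return True if the authenticated identity may perform operation.

        identity is None when no SIG(0)/TSIG signature verified: always deny.
        For SOA and AXFR the target is the zone apex; for UPDATE it is the
        owner name being changed and rrtype the record type.
        """
        if identity is None:
            return False
        operation = operation.upper()
        target = self.zone if target is None else target
        if not is_subdomain(target, self.zone):
            return False  # never authorize anything outside this zone
        for rule in self.rules:
            if rule.operation != operation:
                continue
            if rule.identity != "*" and normalize(rule.identity) != normalize(identity):
                continue
            if not self._name_matches(rule, identity, target):
                continue
            if rule.rrtypes and (rrtype is None or rrtype.upper() not in rule.rrtypes):
                continue
            return True
        return False


# Constructed policy for the reverse zone of 2001:db8::/32.
REVERSE_ZONE = "8.b.d.0.1.0.0.2.ip6.arpa."
POLICY = ZonePolicy(REVERSE_ZONE, [
    # Any key the DHCP server published in the zone may change records at
    # its own name only, and only these (constructed) types.
    Rule("*", "UPDATE", "self", rrtypes=frozenset({"PTR", "TXT"})),
    # The distribution master (constructed key name) may check and pull the zone.
    Rule("dm.example.net.", "SOA", "name", REVERSE_ZONE),
    Rule("dm.example.net.", "AXFR", "name", REVERSE_ZONE),
])


def demo() -> dict:
    """Exercise the policy with two constructed client keys and the DM key."""
    client = ipaddress.ip_address("2001:db8::1").reverse_pointer
    other = ipaddress.ip_address("2001:db8::2").reverse_pointer
    return {
        "client_own_ptr": POLICY.authorize(client, "UPDATE", client, "PTR"),
        "client_other_ptr": POLICY.authorize(client, "UPDATE", other, "PTR"),
        "client_own_ns": POLICY.authorize(client, "UPDATE", client, "NS"),
        "client_axfr": POLICY.authorize(client, "AXFR"),
        "dm_axfr": POLICY.authorize("dm.example.net", "AXFR"),
        "dm_soa": POLICY.authorize("dm.example.net", "SOA"),
        "unauthenticated": POLICY.authorize(None, "SOA"),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:18s} {'allow' if allowed else 'deny'}")
```

The evaluator never consults the signature itself; it only trusts the key name that SIG(0) or TSIG verification handed it, which is exactly the separation the thread describes. A request with no verified identity is denied before any rule is read, and a "self" rule confines each client key to its own reverse name, so a key published for one address cannot rewrite another's PTR.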