Re: [homenet] Genart last call review of draft-ietf-homenet-dot-12
Yup, Adam Roach caught that as well and the document will be updated with some new text: This section specifies considerations for systems involved in domain name resolution when resolving queries for names ending with '.home.arpa.'. Each item in this section addresses some aspect of the DNS or the process of resolving domain names that would be affected by this special use allocation. Detailed explanations of these items can be found in , Section 5. On Wed, Aug 30, 2017 at 10:34 PM, Dale R. Worleywrote: > Ted Lemon writes: > > I've updated the document to separate this out into three lettered > > subheads. We can't change the numbering, because that's required by > > RFC 6761, but I agree that it's clearer if the three separate topics > > are split out. > > I hadn't realized from the draft that the items in section 4 are meant > to parallel the items in section 5 of RFC 6761, since the connecting > text is only "(as per [RFC 6761])". Perhaps it would help to amplify > that to "(per the template in [RFC 6761] section 5)". > > Dale > ___ homenet mailing list homenet@ietf.org https://www.ietf.org/mailman/listinfo/homenet
Re: [homenet] Genart last call review of draft-ietf-homenet-dot-12
Ted Lemonwrites: > I've updated the document to separate this out into three lettered > subheads. We can't change the numbering, because that's required by > RFC 6761, but I agree that it's clearer if the three separate topics > are split out. I hadn't realized from the draft that the items in section 4 are meant to parallel the items in section 5 of RFC 6761, since the connecting text is only "(as per [RFC 6761])". Perhaps it would help to amplify that to "(per the template in [RFC 6761] section 5)". Dale ___ homenet mailing list homenet@ietf.org https://www.ietf.org/mailman/listinfo/homenet
[homenet] Eric Rescorla's Discuss on draft-ietf-homenet-dot-13: (with DISCUSS)
Eric Rescorla has entered the following ballot position for draft-ietf-homenet-dot-13: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-homenet-dot/ -- DISCUSS: -- A. Recursive resolvers at sites using 'home.arpa.' MUST transparently support DNSSEC queries: queries for DNSSEC records and queries with the DO bit set ([RFC4035] section 3.2.1). While validation is not required, it is strongly encouraged: a caching recursive resolver that does not validate answers that can be validated may cache invalid data. This in turn will prevent validating stub resolvers from successfully validating answers. I don't understand the rationale for this requirement. As I understand it from this document, stuff ending in home.arpa cannot be DNSSEC validated, so what's it the business of this document to levy the requirement on sites which support home.arpa that they do anything with DNSSEC at all. ___ homenet mailing list homenet@ietf.org https://www.ietf.org/mailman/listinfo/homenet
[homenet] Warren Kumari's No Objection on draft-ietf-homenet-dot-13: (with COMMENT)
Warren Kumari has entered the following ballot position for draft-ietf-homenet-dot-13: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-homenet-dot/ -- COMMENT: -- This was originally a DISCUSS, but Ted nicely (and quickly!) addressed my concerns - clearing. Major issues: 1: I think that this document could benefit from additional review in the DNSOP WG - it got some (https://www.ietf.org/mail-archive/web/dnsop/current/msg19620.html), but that was a: while it was still homenet. b: primarily focused in terms of RFC6761 and not on the whole systems / interaction with existing behaviors, c: largely devolved into "does this do go in the root zone or not"?, d: 9 revisions back. The document feels vague about much of the details / expected behavior from all of the different players, and I think more focused review from more DNS people would help. 2: What is a "caching resolver"? It is the same as a "recursive resolver"? Or is it a "full-service resolver"? The fact that the answer to RFC6761 Q4 uses both terms makes me think that they are different, but I don't know how. 3: The document says: "Unless configured otherwise, recursive resolvers and DNS proxies MUST behave as described in Locally Served Zones ([RFC6303] Section 3).", but I do not see this being added to the locally served zones registry. This was raised in a previous review (Jon Mitchell, OpsDir (for v03) https://datatracker.ietf.org/doc/review-ietf-homenet-dot-03-opsdir-early-mitchell-2017-03-18/ ), and not implemented. I'm assuming there is a reason, but I haven't found the discussion. 4: The document describes what recursive servers should do with queries for things in home.arpa, but seems to gloss over some detail -- I think that the document would benefit from an overview showing the stub (and / or validating stub), an internal recursive / proxy, an external recursive, the local authoritative for home.arpa, and the .arpa servers, and clearly explain what the expected behavior / role for each one under various scenarios is. 5: Even with the above answered, I remain confused by the "what does a recursive resolver do" bit -- this discusses what a recursive server should do with a DS query for home.arpa - this (obviously) exists to prevent DNSSEC validating stubs from believing that foo.home.arpa is bogus. It also means that it is expected that queries from stubs will sometimes arrive at these recursive resolvers (and they "MUST behave as described in Locally Served Zones" is not simply to prevent pollution). If a query for printer.bedroom.home.arpa does arrive at a recursive, and it is configured as a locally served zone, it will return NXDOMAIN. This (obviously) breaks the lookup for printer.bedroom.home.arpa, but RFC8020 (" NXDOMAIN: There Really Is Nothing Underneath ") also says that this means that nothing exists in bedroom.home.arpa - I think that there needs to be some more text describing the deployment, and which set of queries go where. 6: Section 7. Delegation of ’home.arpa.’ This delegation MUST NOT include a DS record, and MUST point to one or more black hole servers, for example ’blackhole-1.iana.org.’ and ’blackhole- 2.iana.org.’. I fully agree with the DS bit, but the "blackhole" bit feels VERY hand-wavey. Currently a lookup for home.arpa to these returns REFUSED instead of NXDOMAIN: $ dig +nostat +nocmd home.arpa @blackhole-2.iana.org ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 7826 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;home.arpa. IN A The document just delegates this to ’blackhole-1.iana.org.’ and ’blackhole- 2.iana.org.’ - they're are not authoritative for home.arpa (and nothing in the doc makes them so), and so this does not return NXDOMAIN and instead amplifies the query load. Delegating them to RFC7535 servers *may* help, but I'm not sure. 7: "In addition to the behavior specified above, recursive resolvers that can be used in a homenet MUST be configurable with a delegation to an authoritative server for that particular homenet’s instance of the domain ’home.arpa.’." -- Ok, but how does this interact with the requirements on local-zones? I'm *guessing* it overrides it, and if I get a query for printer.livingroom.home.arpa I should "forward" it to the authoritative servers? The document also seems Minor issues / nits: 1: Section 1.
Re: [homenet] Warren Kumari's Discuss on draft-ietf-homenet-dot-13: (with DISCUSS and COMMENT)
Ok, I'm surprised - I spent much time with this review, and felt bad submitting a number of DISCUSS points close to the telechat. I thought that addressing them might end up in this going back to the WG -- but, your (really quick) responses more than adequately addresses my DISCUSS (and major concerns). Thank you, I'm clearing my discuss position -- more inline, but I'm a happy camper. On Wed, Aug 30, 2017 at 3:54 PM, Ted Lemonwrote: > On Aug 30, 2017, at 3:10 PM, Warren Kumari wrote: >> 1: Section 4. Domain Name Reservation Considerations, Subsection 4 >> If I'm a recursive server and I am configured "with a delegation to an >> authoritative server for that particular homenet’s instance of the domain >> ’home.arpa.’." then I have a local zone containing "home.arpa IN NS >> ". Unless I'm really confused, this means >> that I have to make myself authoritative for .arpa, which will a: break >> everything else in .arpa, and b: will (correctly!) be DNSSEC bogus to >> validating stubs. (See also #5). Perhaps you mean that there should be >> something like (BINDism): zone "home.arpa" { >>type forward; >>forwarders { 192.0.2.1; 192.0.2.2; }; >> }; >> This possibility only came to me after much thought, and I do not think that >> it >> could be described as "a delegation". I also do not think that this is a >> standard / well defined behavior. > > Yup, that's bogus. Is this better? > > In addition to the behavior specified above, recursive > resolvers that can be used in > a homenet MUST be configurable to forward queries for > 'home.arpa.' and subdomains of > 'home.arpa.' to an authoritative server for 'home.arpa.'. > This server will provide > authoritative data for 'home.arpa.' within a particular > homenet. The special > handling for DS records for the 'home.arpa.' delegation is > still required. Much better, thanks. > > >> 2: Section 4. Domain Name Reservation Considerations, Subsection 4 >> "Caching resolvers conforming to this specification MUST support DNSSEC >> queries." This is a MUST, so it's important to understand, but I don't >> understand what it actually means. What is a "DNSSEC query"? It is just one >> with the DO bit? It is one looking for a DS / RRSIG / similar as the qtype? I >> don't know what this means, so I don't know if it applies to me / what I >> should >> do. > > I think this is clarified in the -13 version of the document. Is this > review based on that version, or on -12? Here is the new text: > > Recursive resolvers at sites using 'home.arpa.' MUST > transparently support > DNSSEC queries: queries for DNSSEC records and queries with > the DO bit set > ( section 3.2.1). While validation > is not required, it > is strongly encouraged: a caching recursive resolver that > does not validate > answers that can be validated may cache invalid data. This > in turn will prevent > validating stub resolvers from successfully validating > answers. WFM. > >> 3: "Unless configured otherwise, recursive resolvers and DNS proxies MUST >> behave as described in Locally Served Zones ([RFC6303] Section 3). That is, >> queries for domains that are subdomains of ’home.arpa.’ MUST NOT be >> forwarded, >> with one important exception: ..." This says that I must not forward for >> *domains* that are *subdomains* of home.arpa. The example shows a lookup for >> NS >> for 'home.arpa', so presumably this is actually talking about subdomains of >> home.arpa. So, I have no idea what to do for lookups within home.arpa itself >> -- what do I do with query for the A record for printer.home.arpa? It is >> simply >> a name within home.arpa; I have no way of knowing if it is a subdomain of >> home.arpa but it certainly isn't a domain that is a subdomain of home.arpa >> (because there are only three label, not four). > > Yes, the other text had the same problem. How about "queries for > 'home.arpa.' and subdomains of 'home.arpa.'"? WFM. Thanks. > >> -- >> COMMENT: >> -- >> >> Major issues: >> >> 1: I think that this document could benefit from additional review in the >> DNSOP >> WG - it got some >> (https://www.ietf.org/mail-archive/web/dnsop/current/msg19620.html), but that >> was a: while it was still homenet. b: primarily focused in terms of RFC6761 >> and >> not on the whole systems / interaction with existing behaviors, c: largely >> devolved into "does this do go in the root zone or not"?, d: 9 revisions >> back. >> The document feels vague about much of the details / expected behavior from >> all >> of the different players, and I think more focused review from more DNS >> people >> would help.
Re: [homenet] Secdir last call review of draft-ietf-homenet-dot-12
On Aug 29, 2017, at 10:03 PM, Ted Lemonwrote: > Yes. As far as I know the text gives IANA the information they need to do; > I do not know how they operate their black hole servers, so I am trusting > that these instructions are sufficient. They have been reviewed by people > who understand this problem better than I do, like Andrew Sullivan, Paul > Hoffman and Mark Andrews. I was specifically advised not to overspecify > this. I would rather take their word on this than yours, if you will > forgive my saying so. :) Argh. Warren made me look more closely, and you were right. Sorry for doubting. :] Here is the new text for the IANA considerations section: IANA is further requested to create a new subregistry within the "Locally-Served DNS Zones" registry , titled "Transport-Independent Locally-Served DNS Zones", with the same format as the other subregistries. IANA is requested to add an entry in this new registry for 'home.arpa.' with the description "Homenet Special-Use Domain", listing this document as the reference. ___ homenet mailing list homenet@ietf.org https://www.ietf.org/mailman/listinfo/homenet
Re: [homenet] Warren Kumari's Discuss on draft-ietf-homenet-dot-13: (with DISCUSS and COMMENT)
On Aug 30, 2017, at 3:10 PM, Warren Kumariwrote: > 1: Section 4. Domain Name Reservation Considerations, Subsection 4 > If I'm a recursive server and I am configured "with a delegation to an > authoritative server for that particular homenet’s instance of the domain > ’home.arpa.’." then I have a local zone containing "home.arpa IN NS > ". Unless I'm really confused, this means > that I have to make myself authoritative for .arpa, which will a: break > everything else in .arpa, and b: will (correctly!) be DNSSEC bogus to > validating stubs. (See also #5). Perhaps you mean that there should be > something like (BINDism): zone "home.arpa" { >type forward; >forwarders { 192.0.2.1; 192.0.2.2; }; > }; > This possibility only came to me after much thought, and I do not think that > it > could be described as "a delegation". I also do not think that this is a > standard / well defined behavior. Yup, that's bogus. Is this better? In addition to the behavior specified above, recursive resolvers that can be used in a homenet MUST be configurable to forward queries for 'home.arpa.' and subdomains of 'home.arpa.' to an authoritative server for 'home.arpa.'. This server will provide authoritative data for 'home.arpa.' within a particular homenet. The special handling for DS records for the 'home.arpa.' delegation is still required. > 2: Section 4. Domain Name Reservation Considerations, Subsection 4 > "Caching resolvers conforming to this specification MUST support DNSSEC > queries." This is a MUST, so it's important to understand, but I don't > understand what it actually means. What is a "DNSSEC query"? It is just one > with the DO bit? It is one looking for a DS / RRSIG / similar as the qtype? I > don't know what this means, so I don't know if it applies to me / what I > should > do. I think this is clarified in the -13 version of the document. Is this review based on that version, or on -12? Here is the new text: Recursive resolvers at sites using 'home.arpa.' MUST transparently support DNSSEC queries: queries for DNSSEC records and queries with the DO bit set ( section 3.2.1). While validation is not required, it is strongly encouraged: a caching recursive resolver that does not validate answers that can be validated may cache invalid data. This in turn will prevent validating stub resolvers from successfully validating answers. > 3: "Unless configured otherwise, recursive resolvers and DNS proxies MUST > behave as described in Locally Served Zones ([RFC6303] Section 3). That is, > queries for domains that are subdomains of ’home.arpa.’ MUST NOT be forwarded, > with one important exception: ..." This says that I must not forward for > *domains* that are *subdomains* of home.arpa. The example shows a lookup for > NS > for 'home.arpa', so presumably this is actually talking about subdomains of > home.arpa. So, I have no idea what to do for lookups within home.arpa itself > -- what do I do with query for the A record for printer.home.arpa? It is > simply > a name within home.arpa; I have no way of knowing if it is a subdomain of > home.arpa but it certainly isn't a domain that is a subdomain of home.arpa > (because there are only three label, not four). Yes, the other text had the same problem. How about "queries for 'home.arpa.' and subdomains of 'home.arpa.'"? > -- > COMMENT: > -- > > Major issues: > > 1: I think that this document could benefit from additional review in the > DNSOP > WG - it got some > (https://www.ietf.org/mail-archive/web/dnsop/current/msg19620.html), but that > was a: while it was still homenet. b: primarily focused in terms of RFC6761 > and > not on the whole systems / interaction with existing behaviors, c: largely > devolved into "does this do go in the root zone or not"?, d: 9 revisions back. > The document feels vague about much of the details / expected behavior from > all > of the different players, and I think more focused review from more DNS people > would help. I disagree. The document has had substantial review from DNSOP people, including recently. They are mentioned in the acknowledgments. I think that I've fixed a couple of the things in -13 that triggered this reaction. In particular: > 2: What is a "caching resolver"? It is the same as a "recursive resolver"? Or > is it a "full-service resolver"? The fact that the answer to RFC6761 Q4 uses > both terms makes me think that they are different, but I don't know how. The term "caching resolver" was carried over from 6761. What is meant here is "recursive resolver" or "full service resolver," which I think are
[homenet] Warren Kumari's Discuss on draft-ietf-homenet-dot-13: (with DISCUSS and COMMENT)
Warren Kumari has entered the following ballot position for draft-ietf-homenet-dot-13: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-homenet-dot/ -- DISCUSS: -- 1: Section 4. Domain Name Reservation Considerations, Subsection 4 If I'm a recursive server and I am configured "with a delegation to an authoritative server for that particular homenet’s instance of the domain ’home.arpa.’." then I have a local zone containing "home.arpa IN NS ". Unless I'm really confused, this means that I have to make myself authoritative for .arpa, which will a: break everything else in .arpa, and b: will (correctly!) be DNSSEC bogus to validating stubs. (See also #5). Perhaps you mean that there should be something like (BINDism): zone "home.arpa" { type forward; forwarders { 192.0.2.1; 192.0.2.2; }; }; This possibility only came to me after much thought, and I do not think that it could be described as "a delegation". I also do not think that this is a standard / well defined behavior. 2: Section 4. Domain Name Reservation Considerations, Subsection 4 "Caching resolvers conforming to this specification MUST support DNSSEC queries." This is a MUST, so it's important to understand, but I don't understand what it actually means. What is a "DNSSEC query"? It is just one with the DO bit? It is one looking for a DS / RRSIG / similar as the qtype? I don't know what this means, so I don't know if it applies to me / what I should do. 3: "Unless configured otherwise, recursive resolvers and DNS proxies MUST behave as described in Locally Served Zones ([RFC6303] Section 3). That is, queries for domains that are subdomains of ’home.arpa.’ MUST NOT be forwarded, with one important exception: ..." This says that I must not forward for *domains* that are *subdomains* of home.arpa. The example shows a lookup for NS for 'home.arpa', so presumably this is actually talking about subdomains of home.arpa. So, I have no idea what to do for lookups within home.arpa itself -- what do I do with query for the A record for printer.home.arpa? It is simply a name within home.arpa; I have no way of knowing if it is a subdomain of home.arpa but it certainly isn't a domain that is a subdomain of home.arpa (because there are only three label, not four). -- COMMENT: -- Major issues: 1: I think that this document could benefit from additional review in the DNSOP WG - it got some (https://www.ietf.org/mail-archive/web/dnsop/current/msg19620.html), but that was a: while it was still homenet. b: primarily focused in terms of RFC6761 and not on the whole systems / interaction with existing behaviors, c: largely devolved into "does this do go in the root zone or not"?, d: 9 revisions back. The document feels vague about much of the details / expected behavior from all of the different players, and I think more focused review from more DNS people would help. 2: What is a "caching resolver"? It is the same as a "recursive resolver"? Or is it a "full-service resolver"? The fact that the answer to RFC6761 Q4 uses both terms makes me think that they are different, but I don't know how. 3: The document says: "Unless configured otherwise, recursive resolvers and DNS proxies MUST behave as described in Locally Served Zones ([RFC6303] Section 3).", but I do not see this being added to the locally served zones registry. This was raised in a previous review (Jon Mitchell, OpsDir (for v03) https://datatracker.ietf.org/doc/review-ietf-homenet-dot-03-opsdir-early-mitchell-2017-03-18/ ), and not implemented. I'm assuming there is a reason, but I haven't found the discussion. 4: The document describes what recursive servers should do with queries for things in home.arpa, but seems to gloss over some detail -- I think that the document would benefit from an overview showing the stub (and / or validating stub), an internal recursive / proxy, an external recursive, the local authoritative for home.arpa, and the .arpa servers, and clearly explain what the expected behavior / role for each one under various scenarios is. 5: Even with the above answered, I remain confused by the "what does a recursive resolver do" bit -- this discusses what a recursive server should do with a DS query for home.arpa - this (obviously) exists to prevent DNSSEC validating stubs from believing that foo.home.arpa
Re: [homenet] Adam Roach's No Objection on draft-ietf-homenet-dot-12: (with COMMENT)
Thanks. Both changes look good to me. /a On 8/30/17 11:25, Ted Lemon wrote: Argh, I spaced out on doing these changes because the security review was so extensive. Sorry about that. I'm making changes to my version of the document, but I will refrain from further confusing the datatracker—assuming that this document is approved tomorrow, I can submit an update with these changes and any others that come up on the telechat. On Aug 28, 2017, at 11:18 PM, Adam Roach> wrote: Oh! That makes a lot more sense -- I should have chased down that section in 6761. I think what's tripping me up is the introduction in the homenet-dot draft: "This section defines the behavior of systems involved in domain name resolution when resolving queries for names ending with '.home.arpa.' (as per [RFC6761])." -- it would be clearer if it said something more like "This section reserves the '.home.arpa.' subdomain according to the procedures outlined in [RFC6761] section 4." The requirement to put this in the IANA considerations section is actually probably a bad idea, because it would create a lot of irrelevant chaff for the IANA to parse through. I think it was well-intended, but I've never actually seen it done this way in previous RFC 6761 allocations. That said, your basic point is correct—there should be a better explanation of what's going on in this section. I've updated the introductory text for this section as follows: This section specifies considerations for systems involved in domain name resolution when resolving queries for names ending with '.home.arpa.'. Each items in this section addresses some aspect of the DNS or the process of resolving domain names that would be affected by this special use allocation. Detailed explanations of these items can be found in , Section 5. With the explanation in section 6: it may be useful for the resolver to identify different homenets on which it has resolved names Doesn't this mitigation in the security section require name resolution libraries to recognize names that end in ".home.arpa." as special so that it can treat them differently? Section 6 is talking about future work. If we come up with a way to do this, then it would update this document, changing the normative requirement. To me, this reads as something that could be done unilaterally by the local resolver according to their own reasonable notion of what the proper mitigations might be here. I would suggest rephrasing to make it clearer that this suggestion pertains to _future_ work; e.g., "To prevent this from happening, future documents may define behavior that allows resolvers to identify and distinguish among different homenets on which they have resolved names, and take appropriate measures to avoid such confusion." Yup, that makes sense. Proposed update: To prevent this from happening, it could be useful for the resolver to securely differentiate between different homenets, and between identical names on different homenets. However, a mechanism for doing this has not yet been standardized, and doing so is out of scope for this document. It is expected that this will be explored in future work. OK? ___ homenet mailing list homenet@ietf.org https://www.ietf.org/mailman/listinfo/homenet
Re: [homenet] Adam Roach's No Objection on draft-ietf-homenet-dot-12: (with COMMENT)
Argh, I spaced out on doing these changes because the security review was so extensive. Sorry about that. I'm making changes to my version of the document, but I will refrain from further confusing the datatracker—assuming that this document is approved tomorrow, I can submit an update with these changes and any others that come up on the telechat. > On Aug 28, 2017, at 11:18 PM, Adam Roachwrote: > Oh! That makes a lot more sense -- I should have chased down that section in > 6761. I think what's tripping me up is the introduction in the homenet-dot > draft: "This section defines the behavior of systems involved in domain name > resolution when resolving queries for names ending with '.home.arpa.' (as per > [RFC6761])." -- it would be clearer if it said something more like "This > section reserves the '.home.arpa.' subdomain according to the procedures > outlined in [RFC6761] section 4." The requirement to put this in the IANA considerations section is actually probably a bad idea, because it would create a lot of irrelevant chaff for the IANA to parse through. I think it was well-intended, but I've never actually seen it done this way in previous RFC 6761 allocations. That said, your basic point is correct—there should be a better explanation of what's going on in this section. I've updated the introductory text for this section as follows: This section specifies considerations for systems involved in domain name resolution when resolving queries for names ending with '.home.arpa.'. Each items in this section addresses some aspect of the DNS or the process of resolving domain names that would be affected by this special use allocation. Detailed explanations of these items can be found in , Section 5. >>> With the explanation in section 6: >>> >>> it may be useful for the resolver to identify different >>> homenets on which it has resolved names >>> >>> Doesn't this mitigation in the security section require name resolution >>> libraries to recognize names that end in ".home.arpa." as special so that it >>> can treat them differently? >> >> Section 6 is talking about future work. If we come up with a way to do >> this, then it would update this document, changing the normative requirement. > > To me, this reads as something that could be done unilaterally by the local > resolver according to their own reasonable notion of what the proper > mitigations might be here. I would suggest rephrasing to make it clearer that > this suggestion pertains to _future_ work; e.g., "To prevent this from > happening, future documents may define behavior that allows resolvers to > identify and distinguish among different homenets on which they have resolved > names, and take appropriate measures to avoid such confusion." > > Yup, that makes sense. Proposed update: To prevent this from happening, it could be useful for the resolver to securely differentiate between different homenets, and between identical names on different homenets. However, a mechanism for doing this has not yet been standardized, and doing so is out of scope for this document. It is expected that this will be explored in future work. OK? ___ homenet mailing list homenet@ietf.org https://www.ietf.org/mailman/listinfo/homenet
[homenet] Kathleen Moriarty's No Objection on draft-ietf-homenet-dot-13: (with COMMENT)
Kathleen Moriarty has entered the following ballot position for draft-ietf-homenet-dot-13: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-homenet-dot/ -- COMMENT: -- Thanks for queuing up changes from the SecDir review and adding mention of privacy implications into the security considerations section. I read through the responses on the SecDir list and agree with the statements and changes made. https://mailarchive.ietf.org/arch/msg/secdir/E7fjRdo94abFW5nqjVBbLspvkww ___ homenet mailing list homenet@ietf.org https://www.ietf.org/mailman/listinfo/homenet
Re: [homenet] Genart last call review of draft-ietf-homenet-dot-12
In message <4b072264-2824-4433-a24d-df5d2fd5a...@fugue.com>, Ted Lemon writes: > El Aug 24, 2017, a les 7:20 AM, Dale Worleyva > escriure: > > 4. Domain Name Reservation Considerations > > > > 3. Name resolution APIs MUST send queries for such > > names to a recursive DNS server that is configured to be > > authoritative for the 'home.arpa.' zone appropriate to the > > homenet. > > > > If I understand the terminology correctly, this rules out sending the > > query to a DNS server that recursively sends the query to a server > > that is authoritative for home.arpa. If that is intended and there > > are technical reasons for making this prescription, that's OK, but I > > want to check that that is intended, as this rule is stricter than the > > similar rule in the second paragraph of item 4, which is qualified > > "Unless configured otherwise". > > Wow. The text here is just flat wrong: recursive name servers aren't > authoritative. You can of course combine them, but this text doesn't > agree with some other text later in the document. What the text is > supposed to be saying is that the stub resolver has to use the recursive > resolver that was provided by the network; if it uses a manually > configured resolver, it may get the wrong answer. I will have to rework > this textâthanks so much for calling this to my attention, even though > what you noticed isn't exactly what's wrong! :) > > As for the discrepancy itself, the reason for this is that recursive > resolvers are supposed to stop home.arpa queries leaking to the root, > whereas stub resolvers can (must!) fob that responsibility off on the > recursive resolver. If they are configured to send these queries to, > e.g., 8.8.8.8, we just have to hope that google doesn't forward them to > the root (as would be consistent with the text in item 4). Or the recursive server has learnt that 8.8.8.8 is "special" and is the equivalent of the root servers in terms of keeping local traffic local. Maintaining the list of don't leak too recursive servers is a "interesting" problem. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ homenet mailing list homenet@ietf.org https://www.ietf.org/mailman/listinfo/homenet