Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "homenet-dot"

[Ted Lemon]

Billions and billions of them?   How often do they query the root, do you
think, compared to a stub resolver that did recursion itself?

On Thu, Dec 15, 2016 at 3:57 PM, John R Levine  wrote:

> Putting an iterative resolver in a stub resolver is an attack on the DNS
>>> infrastructure.
>>>
>>
> Ted might want to alert all of the BSD and linux distros that default to
> running a copy of bind or unbound answering queries on 127.0.0.1.
>
> Regards,
> John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail. https://jl.ly
>
> ___
> homenet mailing list
> homenet@ietf.org
> https://www.ietf.org/mailman/listinfo/homenet
>
___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "homenet-dot"

[John R Levine]

Putting an iterative resolver in a stub resolver is an attack on the DNS 
infrastructure.


Ted might want to alert all of the BSD and linux distros that default to 
running a copy of bind or unbound answering queries on 127.0.0.1.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "homenet-dot"

[Mark Andrews]

In message <4195dba6-6eae-45ce-ad61-9236c6212...@google.com>, james woodyatt wr
ites:
> 
> On Dec 15, 2016, at 06:35, Ted Lemon  wrote:
> > [Mark Andrews  wrote:]
> > Why shouldn't a iterative resolver work if we can make it work?
> >
> > Putting an iterative resolver in a stub resolver is an attack on the
> > DNS infrastructure.   If you are doing it because you are testing some
> > theory in an experimental jig, that's perfectly fine; in that case, you
> > are a consenting adult, and can configure it with a special delegation
> > for .homenet if you need that to work.   If you are adding it to
> > production code that will be installed in a billion devices, you are a
> > vandal.
>
> I doubt any sane home gateway vendor would do this even if the DNS
> infrastructure were robust enough to handle it (which, hey— I thought it
> was supposed to be, why isn’t it?). The reason is that too many ISPs
> insist on enhancing the content of the public DNS with their own private
> horizon stuff, so that additional services they bundle to their customers
> will work only on their own networks. Competition! Oh and that’s before I
> mention the extra featurefulness that many content delivery networks are
> still using for selecting servers based on the source address of the
> iterative DNS query instead of something more meaningful.

Too many people are already use third party DNS servers (Google
etc.) for ISPs to get away with this garbage anymore.  Iterative
resolvers in the CPE router just work.

The issue is more about iterative resolvers not in the CPE router.

Mark

> --james woodyatt mailto:j...@google.com>>

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "homenet-dot"

[Mark Andrews]

In message 
, Ted Lemon writes:
> --001a11411ef6886b910543b361bc
> Content-Type: text/plain; charset=UTF-8
> 
> >
> > Why shouldn't a iterative resolver work if we can make it work?
> >
> 
> Putting an iterative resolver in a stub resolver is an attack on the DNS
> infrastructure.   If you are doing it because you are testing some theory
> in an experimental jig, that's perfectly fine; in that case, you are a
> consenting adult, and can configure it with a special delegation for
> .homenet if you need that to work.   If you are adding it to production
> code that will be installed in a billion devices, you are a vandal.

Please go read STD 13 and tell me where using a iterative resolver
in a application is BANNED because it is NOT there.  Iterative
resolvers in applications are part to the data flow model for DNS.
Just because MOST application will use a stub resolver doesn't make
it REQUIRED.

There is no attack of the DNS by wanting interative resolvers to
work by default.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "homenet-dot"

[Ted Lemon]

>
> Why shouldn't a iterative resolver work if we can make it work?
>

Putting an iterative resolver in a stub resolver is an attack on the DNS
infrastructure.   If you are doing it because you are testing some theory
in an experimental jig, that's perfectly fine; in that case, you are a
consenting adult, and can configure it with a special delegation for
.homenet if you need that to work.   If you are adding it to production
code that will be installed in a billion devices, you are a vandal.
___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "homenet-dot"

[Juliusz Chroboczek]

> So far so good.  The problem is a (largely hypothetical at this point)
> stub resolver that wants to do DNSSEC verification of the results the
> router gives it.

Yes, I'm following this discussion with interest.  The only bit I object
to is bringing .onion into the discussion -- .homenet is nothing like that
particular piece of bad humour.

-- Juliusz

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "homenet-dot"

[Mark Andrews]

In message , "John R Levine" writes:
> > I was under the impression that .homenet is handled entirely within the
> > DNS resolver of the Homenet router, which combines:
> >
> >  - an authoritative DNS server for .homenet;
> >  - a hybrid mDNS proxy;
> >  - a recursive DNS resolver for the rest of the namespace.
> 
> So far so good.  The problem is a (largely hypothetical at this point) 
> stub resolver that wants to do DNSSEC verification of the results the 
> router gives it.

Lots of machines already do

forwarder { list of servers from DHCP; };
forward only;

automatically and those servers have a DNSSEC validation enabled.
This isn't a hypothetical problem.

Mark

> R's,
> John
> 
> >> On the computers I know, the stub resolver is in one shared library and
> >> the SOCKS proxy is in another.  What's the difference?
> >
> > The SOCKS library uses a completely different data transport (one that is
> > circuit-switched and layered over TCP), with very different capabilities
> > from the usual packet-switched transport.
> 
> Of course, but from the point of view of a SOCKS client, either way it 
> gives it a name and a port, and it gets back a two-way data stream.  If 
> you don't happen to be using a web proxy or ToR, the SOCKS library does 
> essentially nothing.
> 
> > Adding support for mDNS to the stub resolver makes no change to the way 
> > the actual data is pushed around.
> 
> Sure it does -- the .local queries do one thing and the others do another.
> Not unlike with SOCKS the .onion opens do one thing and the others do 
> another.  But this is utterly tangential to the argument about resolvers 
> that might want to do DNSSEC validation of .homenet results.
> 
> ___
> homenet mailing list
> homenet@ietf.org
> https://www.ietf.org/mailman/listinfo/homenet
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "homenet-dot"

[Mark Andrews]

In message 
, Ted Lemon writes:
> 
> A stub resolver is expected to query a caching resolver, not the root.   So
> all that is required for this to work is that the resolver advertised on
> the homenet claim authority for the zone, and that there be an unsecured
> delegation that validates that the homenet resolver can give to the stub
> resolver.   Stub resolvers that query the root themselves will fail.   This
> is a feature--that behavior is broken.

Why shouldn't a iterative resolver work if we can make it work?

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "homenet-dot"

[Mark Andrews]

In message 
, Brian Dickson writes:
> 
> On Wed, Dec 14, 2016 at 6:37 PM, Ted Lemon  wrote:
> 
> > Brian, there's no need for the complexity you are describing.   The
> > unsecured delegation of .homenet would just point to AS112.   Any trust
> > anchor bootstrapping would not involve the root at all.
> >
> 
> Is the intent just to have a global NXDOMAIN, provided with no DNSSEC?
> 
> That works at preventing homenet from working unless every resolver inside
> the home network is homenet-aware.
> (And yes, I realize as currently specified in RFC 7778, that is a
> requirement.)
> 
> However, I don't believe that is only (or optimal) path for the homenet.
> 
> Their stated goal is that they want everything to work, plug-and-play.
> 
> What I'm proposing will (I believe) actually produce a working network as
> long as a single resolver is homenet-aware.
> It automatically gets non-homenet-aware resolvers to point at homenet-aware
> resolvers (ie homenet routers), as long as the default address for homenet
> routers' DNS service, is the same as the value assigned in the AS112-like
> delegation.
> 
> I.e. it turns a broken hybrid of "today" networks plus a "homenet", into a
> fully functional homenet with a minimum of
> deployments/upgrades/replacements. It also minimizes the "broken Christmas
> light" aka "missing terminator" class of problem, if any host is running
> its own recursive resolver (which would then fail to properly integrate
> into the homenet.)
> 
> (Also, I think having things with built-in firmware-based crappy resolvers
> actually work without any patching, would be nice.)
> 
> I agree that an unsigned delegation is sufficient for non-hybrid
> homenet-aware gear to provide hosts a correct homenet experience.
> 
> Brian

So you want the nameservers configured to serve HOMENET to advertise
a well known prefixes (IPv4 and IPv6) into the IGP and as a result
packet routing will direct HOMENET queries to those servers.

That the publically delegated to servers also use those addresses.

I suppose this helps the case of a host using interative resolution
to find the on net homenet servers.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "homenet-dot"

[Ted Lemon]

A stub resolver is expected to query a caching resolver, not the root.   So
all that is required for this to work is that the resolver advertised on
the homenet claim authority for the zone, and that there be an unsecured
delegation that validates that the homenet resolver can give to the stub
resolver.   Stub resolvers that query the root themselves will fail.   This
is a feature--that behavior is broken.

On Wed, Dec 14, 2016 at 10:30 PM, Brian Dickson <
brian.peter.dick...@gmail.com> wrote:

> On Wed, Dec 14, 2016 at 6:37 PM, Ted Lemon  wrote:
>
>> Brian, there's no need for the complexity you are describing.   The
>> unsecured delegation of .homenet would just point to AS112.   Any trust
>> anchor bootstrapping would not involve the root at all.
>>
>
> Is the intent just to have a global NXDOMAIN, provided with no DNSSEC?
>
> That works at preventing homenet from working unless every resolver inside
> the home network is homenet-aware.
> (And yes, I realize as currently specified in RFC 7778, that is a
> requirement.)
>
> However, I don't believe that is only (or optimal) path for the homenet.
>
> Their stated goal is that they want everything to work, plug-and-play.
>
> What I'm proposing will (I believe) actually produce a working network as
> long as a single resolver is homenet-aware.
> It automatically gets non-homenet-aware resolvers to point at
> homenet-aware resolvers (ie homenet routers), as long as the default
> address for homenet routers' DNS service, is the same as the value assigned
> in the AS112-like delegation.
>
> I.e. it turns a broken hybrid of "today" networks plus a "homenet", into a
> fully functional homenet with a minimum of deployments/upgrades/replacements.
> It also minimizes the "broken Christmas light" aka "missing terminator"
> class of problem, if any host is running its own recursive resolver (which
> would then fail to properly integrate into the homenet.)
>
> (Also, I think having things with built-in firmware-based crappy resolvers
> actually work without any patching, would be nice.)
>
> I agree that an unsigned delegation is sufficient for non-hybrid
> homenet-aware gear to provide hosts a correct homenet experience.
>
> Brian
>
___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "homenet-dot"

[John R Levine]

I was under the impression that .homenet is handled entirely within the
DNS resolver of the Homenet router, which combines:

 - an authoritative DNS server for .homenet;
 - a hybrid mDNS proxy;
 - a recursive DNS resolver for the rest of the namespace.


So far so good.  The problem is a (largely hypothetical at this point) 
stub resolver that wants to do DNSSEC verification of the results the 
router gives it.


R's,
John


On the computers I know, the stub resolver is in one shared library and
the SOCKS proxy is in another.  What's the difference?


The SOCKS library uses a completely different data transport (one that is
circuit-switched and layered over TCP), with very different capabilities
from the usual packet-switched transport.


Of course, but from the point of view of a SOCKS client, either way it 
gives it a name and a port, and it gets back a two-way data stream.  If 
you don't happen to be using a web proxy or ToR, the SOCKS library does 
essentially nothing.


Adding support for mDNS to the stub resolver makes no change to the way 
the actual data is pushed around.


Sure it does -- the .local queries do one thing and the others do another.
Not unlike with SOCKS the .onion opens do one thing and the others do 
another.  But this is utterly tangential to the argument about resolvers 
that might want to do DNSSEC validation of .homenet results.


___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "homenet-dot"

[Juliusz Chroboczek]

> On the computers I know, the stub resolver is in one shared library and
> the SOCKS proxy is in another.  What's the difference?

The SOCKS library uses a completely different data transport (one that is
circuit-switched and layered over TCP), with very different capabilities
from the usual packet-switched transport.  Adding support for mDNS to the
stub resolver makes no change to the way the actual data is pushed around.

> You can run POP3 over ToR if you want to.

You can also run POP3 over X.25.  Shall we special-case .x25, and require
all applications to use PF_X25 instead of PF_INET6 whenever they see
a name ending in .x25?  This essentially what RFC 7686 requires for .onion.

> If we expect the client libraries to know that .homenet is special, it
> doesn't matter what's in the root.

I was under the impression that .homenet is handled entirely within the
DNS resolver of the Homenet router, which combines:

  - an authoritative DNS server for .homenet;
  - a hybrid mDNS proxy;
  - a recursive DNS resolver for the rest of the namespace.

In other words, I was assuming that we put enough Stenberg-Cheshire magic
in the Homenet router's resolver to ensure that no host changes are
necessary.  If that is not the plan, then I'd appreciate a clarification.

-- Juliusz

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "homenet-dot"

[Brian Dickson]

On Wed, Dec 14, 2016 at 6:37 PM, Ted Lemon  wrote:

> Brian, there's no need for the complexity you are describing.   The
> unsecured delegation of .homenet would just point to AS112.   Any trust
> anchor bootstrapping would not involve the root at all.
>

Is the intent just to have a global NXDOMAIN, provided with no DNSSEC?

That works at preventing homenet from working unless every resolver inside
the home network is homenet-aware.
(And yes, I realize as currently specified in RFC 7778, that is a
requirement.)

However, I don't believe that is only (or optimal) path for the homenet.

Their stated goal is that they want everything to work, plug-and-play.

What I'm proposing will (I believe) actually produce a working network as
long as a single resolver is homenet-aware.
It automatically gets non-homenet-aware resolvers to point at homenet-aware
resolvers (ie homenet routers), as long as the default address for homenet
routers' DNS service, is the same as the value assigned in the AS112-like
delegation.

I.e. it turns a broken hybrid of "today" networks plus a "homenet", into a
fully functional homenet with a minimum of
deployments/upgrades/replacements. It also minimizes the "broken Christmas
light" aka "missing terminator" class of problem, if any host is running
its own recursive resolver (which would then fail to properly integrate
into the homenet.)

(Also, I think having things with built-in firmware-based crappy resolvers
actually work without any patching, would be nice.)

I agree that an unsigned delegation is sufficient for non-hybrid
homenet-aware gear to provide hosts a correct homenet experience.

Brian
___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "homenet-dot"

[Mark Andrews]

In message 
, Brian Dickson writes:
> 
> On Wed, Dec 14, 2016 at 5:18 PM, Mark Andrews  wrote:
> 
> >
> > In message  > gmail.com>
> > , Brian Dickson writes:
> > >
> > > On Wed, Dec 14, 2016 at 4:09 PM, Ted Lemon  wrote:
> > >
> > > > On Dec 14, 2016, at 5:04 PM, John Levine  wrote:
> > > >
> > > > But it's worse than that -- if your client software does DNSSEC
> > > > validation it needs to understand that homenet is a special case and
> > > > it's OK not to validate.
> > > >
> > > > [etc]
> > > >
> > > >
> > > > That is precisely why we need an unsecured delegation.
> > > >
> > > >
> > >
> > >
> > > I agree that in the current world, an unsigned delegation is required.
> > >
> > > I would humbly suggest that use of an AS112-like set of well-known names
> > > and IP addresses, would be the preferred way of DOING that delegation.
> > >
> > > A well-known address set would allow homenet-aware devices to be
> > > pre-loaded
> > > with the address of the NS, while non-aware would learn it through the
> > > delegation.
> > >
> > > If it were possible to have the names be served by root servers (as a
> > > consequence of being in the set of domains served by the root servers),
> > > then the glue data would be signed and validate-able, which is about as
> > > good as you can get (security-wise), while making homenet strictly local.
> > >
> > > (Within a given homenet, the well known IP(s) could be handled via
> > > anycast
> > > or similar mechanisms, presuming the homenet mechanisms support things
> > > like
> > > that.)
> > >
> > > My personal recommendation would be non-RFC-1918 well known addresses.
> > >
> > > This ensures that for queries that leak from non-1918 space sourced
> > > queries, that the delegation is to an address that is guaranteed to be
> > > reachable, even if the local set-up is badly broken.
> > >
> > > That IP would be configured to give itself as the answer to any query,
> > > and
> > > be configured to provide (rate-limed) HTTP (wild-card) responses,
> > > that serve up the RFC for how to set up homenet. (If that RFC doesn't
> > > exist, that really should be next on the WG milestones.)
> > >
> > > All roads would then lead to the answer to the question, which is, "How
> > > do
> > > I get this stuff to work?".
> > >
> > > Brian
> >
> > Why is this any better than a referral to the existing root servers
> > and a empty locally served .homenet zone with the previously mentioned
> > constraint of only enabling it when the namespace is not being
> > forwarded.  We do this for all the default local zones so this will
> > just be a extra name in the list of empty local zones that are
> > automatically configured.  A 5 minute job to commit to all the
> > branches once the name is approved.  Other vendors do similar.  The
> > root servers will always need to be answering for homenet/DS.  The
> > locally served .homenet zone will stop most of the leaks for *.homenet
> > at the ISP level.
> >
> 
> It depends on perspective, and your definition of "better".
> 
> The homenet folks want zero configuration, want it to work, and don't want
> to wait.
> 
> The difference between the scenarios are:
> - How a non-aware resolver within a homenet (which has a correctly deployed
> aware resolver) behaves
> - How much infrastructure requires changes before the first improperly
> deployed homenet gets any help
>   - In your scenario, it never gets help, and leaks to the root until ISPs
> and/or resolvers get changes deployed
>   - In my scenario, the first instance of an upgraded AS112 node (with new
> address being anycast) results in universal support, modulo available
> capacity

Add this or the equivalent to each root server.

zone homenet {
file "homenet.db";
masters { icann's servers; };
type slave;
};

homenet.db:
HOMENET. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2016121401 
1800 900 604800 86400
HOMENET. 86400 IN NS A.ROOT-SERVERS.NET.
HOMENET. 86400 IN NS B.ROOT-SERVERS.NET.
HOMENET. 86400 IN NS C.ROOT-SERVERS.NET.
HOMENET. 86400 IN NS D.ROOT-SERVERS.NET.
HOMENET. 86400 IN NS E.ROOT-SERVERS.NET.
HOMENET. 86400 IN NS F.ROOT-SERVERS.NET.
HOMENET. 86400 IN NS G.ROOT-SERVERS.NET.
HOMENET. 86400 IN NS H.ROOT-SERVERS.NET.
HOMENET. 86400 IN NS I.ROOT-SERVERS.NET.
HOMENET. 86400 IN NS J.ROOT-SERVERS.NET.
HOMENET. 86400 IN NS K.ROOT-SERVERS.NET.
HOMENET. 86400 IN NS L.ROOT-SERVERS.NET.
HOMENET. 86400 IN NS M.ROOT-SERVERS.NET.

and add the following to the root zone

HOMENET. 86400 IN NS A.ROOT-SERVERS.NET.
HOMENET. 86400 IN NS B.ROOT-SERVERS.NET.
HOMENET. 86400 IN NS C.ROOT-SERVERS.NET.
HOMENET. 86400 IN NS D.ROOT-SERVERS.NET.
HOMENET. 86400 IN NS E.ROOT-SERVERS.NET.
HOMENET. 86400 IN NS F.ROOT-SERVERS.NET.
HOMENET. 86400 IN NS G.ROOT-SERVERS.NET.
HOMENET. 86400 IN NS H.ROOT-SERVERS.NET.
HOMENET. 86400 IN NS I.ROOT-SERVERS.NET.
HOMENET. 86400 IN NS J.ROOT-SERVERS.NET.
HOMENET. 86400 IN NS K.ROOT-SERVERS.NET.
HOMENET. 86400 IN NS L.ROOT-SERVERS.NET.
HOMENET. 86400 I

Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "homenet-dot"

[Ted Lemon]

Brian, there's no need for the complexity you are describing.   The
unsecured delegation of .homenet would just point to AS112.   Any trust
anchor bootstrapping would not involve the root at all.
___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "homenet-dot"

[Ted Lemon]

You would need a special resolver to _validate_ .homenet automatically
using a trust anchor published by the home network.   You do not need a
special resolver to look up names in the homenet without validation, if
there is an unsecured delegation at the root.   If there is a secure denial
of existence or a secure delegation at the root, then no validating
resolver can look up names in the homenet domain.

On Wed, Dec 14, 2016 at 8:24 PM, John R Levine  wrote:

> On Wed, 14 Dec 2016, Ted Lemon wrote:
>
>> That is precisely why we need an unsecured delegation.

>>>
>>> Except that as the [etc] said, it doesn't really solve the problem.
>>>
>>
> It solves the problem of not repudiating names in the homenet.   You have
>> to have a special resolver to be able to validate them.
>>
>
> I'm confused -- if you need a special resolver to handle .homenet anyway,
> why does it matter what's in the root?
>
> R's,
> John
>
___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "homenet-dot"

[Brian Dickson]

On Wed, Dec 14, 2016 at 5:18 PM, Mark Andrews  wrote:

>
> In message  gmail.com>
> , Brian Dickson writes:
> >
> > On Wed, Dec 14, 2016 at 4:09 PM, Ted Lemon  wrote:
> >
> > > On Dec 14, 2016, at 5:04 PM, John Levine  wrote:
> > >
> > > But it's worse than that -- if your client software does DNSSEC
> > > validation it needs to understand that homenet is a special case and
> > > it's OK not to validate.
> > >
> > > [etc]
> > >
> > >
> > > That is precisely why we need an unsecured delegation.
> > >
> > >
> >
> >
> > I agree that in the current world, an unsigned delegation is required.
> >
> > I would humbly suggest that use of an AS112-like set of well-known names
> > and IP addresses, would be the preferred way of DOING that delegation.
> >
> > A well-known address set would allow homenet-aware devices to be
> pre-loaded
> > with the address of the NS, while non-aware would learn it through the
> > delegation.
> >
> > If it were possible to have the names be served by root servers (as a
> > consequence of being in the set of domains served by the root servers),
> > then the glue data would be signed and validate-able, which is about as
> > good as you can get (security-wise), while making homenet strictly local.
> >
> > (Within a given homenet, the well known IP(s) could be handled via
> anycast
> > or similar mechanisms, presuming the homenet mechanisms support things
> like
> > that.)
> >
> > My personal recommendation would be non-RFC-1918 well known addresses.
> >
> > This ensures that for queries that leak from non-1918 space sourced
> > queries, that the delegation is to an address that is guaranteed to be
> > reachable, even if the local set-up is badly broken.
> >
> > That IP would be configured to give itself as the answer to any query,
> and
> > be configured to provide (rate-limed) HTTP (wild-card) responses,
> > that serve up the RFC for how to set up homenet. (If that RFC doesn't
> > exist, that really should be next on the WG milestones.)
> >
> > All roads would then lead to the answer to the question, which is, "How
> do
> > I get this stuff to work?".
> >
> > Brian
>
> Why is this any better than a referral to the existing root servers
> and a empty locally served .homenet zone with the previously mentioned
> constraint of only enabling it when the namespace is not being
> forwarded.  We do this for all the default local zones so this will
> just be a extra name in the list of empty local zones that are
> automatically configured.  A 5 minute job to commit to all the
> branches once the name is approved.  Other vendors do similar.  The
> root servers will always need to be answering for homenet/DS.  The
> locally served .homenet zone will stop most of the leaks for *.homenet
> at the ISP level.
>

It depends on perspective, and your definition of "better".

The homenet folks want zero configuration, want it to work, and don't want
to wait.

The difference between the scenarios are:
- How a non-aware resolver within a homenet (which has a correctly deployed
aware resolver) behaves
- How much infrastructure requires changes before the first improperly
deployed homenet gets any help
  - In your scenario, it never gets help, and leaks to the root until ISPs
and/or resolvers get changes deployed
  - In my scenario, the first instance of an upgraded AS112 node (with new
address being anycast) results in universal support, modulo available
capacity

If you only care about leaking, you are missing the point.

If you care about both leaking, *and* getting mixed environments to work,
*and* minimizing deployment support costs, you should be able to see why
this is better.


>
> If there are too many leaks after 5 years (give ISPs time to deploy
> the new servers) then consider a AS112 like solution but I don't
> think it will be needed.
>

IMHO, this is mostly backwards. In this case, I think the AS112 would
probably need to be permanent.

But, in general, the fastest way of fixing the leaks is, deploy the leak
shield (AS112), then fix the leaks, then remove the leak shield when it is
no longer needed.

Waiting until the deluge has become a dribble, seems backwards.
(Plus, look how well that worked for spam.)

Brian


>
> Mark
>
> > PS For the DNSSEC-aware humans:
> >
> > I think this exposes an unforeseen edge case, not covered in the design
> of
> > DNSSEC.
> >
> > I think what would have been ideal, would have been the ability to
> securely
> > delegate to a well-known name/address, but without a secure entry point.
> > I.e. where parent/child NS use different RRTYPEs, and the parent NS is
> > signed (along with glue), and there is no DS.
> >
> > The child could exist as an island of security, and have a self-signed
> > DNSKEY (or KSK/ZSK pair).
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>
___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mai

Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "homenet-dot"

[John Levine]

>Now, granted, .local and .homenet require special casing in shared parts
>of the protocol stack (.local in the stub resolver, .homenet in the
>Homenet router's resolver), but this needs to be done just once in the
>protocol stack, not in every single application.  Completely unlike .onion.

I think you're making unwarranted assumptions about software design
here.  On the computers I know, the stub resolver is in one shared
library and the SOCKS proxy is in another.  What's the difference?

I agree that ToR users typically use specially configured browsers
to minimize side channel leakage, but that's unrelated to the way
the the sockets work.  You can run POP3 over ToR if you want to.

The somewhat relevance to the topic at hand is that we seem to have
different mental models of the way the clients work.  If we expect the
client libraries to know that .homenet is special, it doesn't matter
what's in the root.  If we expect they don't, and all the magic is in
the router, I still don't see any solutions that aren't really ugly.
If we do the unsigned delegation that Mark wants, the validating client
can tell that the .homenet answers it's getting aren't necessarily
bogus, but it can't tell that they're authentic either.

R's,
John

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "homenet-dot"

[Juliusz Chroboczek]

> requires special-case code in every single freaking DNS-speaking
> application.  Yeah, I'm still pissed off.)

Since people seem puzzled about my rant, here's the relevant quotation
from RFC 7686:

Applications that do not implement the Tor protocol SHOULD generate an
error upon the use of .onion and SHOULD NOT perform a DNS lookup.

RFC 7686 updates every single DNS-using application protocol, even if it
has nothing to do with tor.  Now go and fix the FTP client you wrote in
1984, it violates RFC 7686.

-- Juliusz

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "homenet-dot"

[Juliusz Chroboczek]

> This brings us to one of the knottiest parts of special use names, which
> is that they're all handled differently.  For .onion, it's generally
> handled in a SOCKS proxy in the application, for .local it's handled by
> mDNS, and for .localhost it's special cased in the stub client library.

Let's please not bring .onion into this discussion.  .onion is a hack with
far-reaching consequences, and one that the IETF should never have
standardised.  The less we mention .onion, the better.

.onion encodes the protocol into the hostname.  Instead of .onion, tor
should have used http+tor:// and https+tor://, which would have required
no special-casing, since an application that doesn't understand the new
scheme will return an error straight away rather than leaking .onion names
into the DNS.  (I understand why .onion was used -- it was an expedient
way to avoid the need for special-case code in the browser --, but the
tradeoff that was chosen requires special-case code in every single
freaking DNS-speaking application.  Yeah, I'm still pissed off.)

Not so with .local and .homenet.  Neither of these requires any special
code in the application.  From the point of view of the application,
.local and .homenet are just ordinary domain names that are passed to the
stub resolver, which yields a perfectly normal IP(v6) address that is then
used with ICMP, TCP, UDP, DCCP (remember that?) or whatever your favourite
transport-layer protocol happens to be.  Completely unlike .onion.

Now, granted, .local and .homenet require special casing in shared parts
of the protocol stack (.local in the stub resolver, .homenet in the
Homenet router's resolver), but this needs to be done just once in the
protocol stack, not in every single application.  Completely unlike .onion.

Sorry for the rant.

-- Juliusz

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "homenet-dot"

[John R Levine]

On Wed, 14 Dec 2016, Ted Lemon wrote:

That is precisely why we need an unsecured delegation.


Except that as the [etc] said, it doesn't really solve the problem.



It solves the problem of not repudiating names in the homenet.   You have
to have a special resolver to be able to validate them.


I'm confused -- if you need a special resolver to handle .homenet anyway, 
why does it matter what's in the root?


R's,
John

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "homenet-dot"

[Mark Andrews]

In message 
, Brian Dickson writes:
> 
> On Wed, Dec 14, 2016 at 4:09 PM, Ted Lemon  wrote:
> 
> > On Dec 14, 2016, at 5:04 PM, John Levine  wrote:
> >
> > But it's worse than that -- if your client software does DNSSEC
> > validation it needs to understand that homenet is a special case and
> > it's OK not to validate.
> >
> > [etc]
> >
> >
> > That is precisely why we need an unsecured delegation.
> >
> >
> 
> 
> I agree that in the current world, an unsigned delegation is required.
> 
> I would humbly suggest that use of an AS112-like set of well-known names
> and IP addresses, would be the preferred way of DOING that delegation.
> 
> A well-known address set would allow homenet-aware devices to be pre-loaded
> with the address of the NS, while non-aware would learn it through the
> delegation.
> 
> If it were possible to have the names be served by root servers (as a
> consequence of being in the set of domains served by the root servers),
> then the glue data would be signed and validate-able, which is about as
> good as you can get (security-wise), while making homenet strictly local.
> 
> (Within a given homenet, the well known IP(s) could be handled via anycast
> or similar mechanisms, presuming the homenet mechanisms support things like
> that.)
> 
> My personal recommendation would be non-RFC-1918 well known addresses.
> 
> This ensures that for queries that leak from non-1918 space sourced
> queries, that the delegation is to an address that is guaranteed to be
> reachable, even if the local set-up is badly broken.
> 
> That IP would be configured to give itself as the answer to any query, and
> be configured to provide (rate-limed) HTTP (wild-card) responses,
> that serve up the RFC for how to set up homenet. (If that RFC doesn't
> exist, that really should be next on the WG milestones.)
> 
> All roads would then lead to the answer to the question, which is, "How do
> I get this stuff to work?".
> 
> Brian

Why is this any better than a referral to the existing root servers
and a empty locally served .homenet zone with the previously mentioned
constraint of only enabling it when the namespace is not being
forwarded.  We do this for all the default local zones so this will
just be a extra name in the list of empty local zones that are
automatically configured.  A 5 minute job to commit to all the
branches once the name is approved.  Other vendors do similar.  The
root servers will always need to be answering for homenet/DS.  The
locally served .homenet zone will stop most of the leaks for *.homenet
at the ISP level.

If there are too many leaks after 5 years (give ISPs time to deploy
the new servers) then consider a AS112 like solution but I don't
think it will be needed.

Mark

> PS For the DNSSEC-aware humans:
> 
> I think this exposes an unforeseen edge case, not covered in the design of
> DNSSEC.
> 
> I think what would have been ideal, would have been the ability to securely
> delegate to a well-known name/address, but without a secure entry point.
> I.e. where parent/child NS use different RRTYPEs, and the parent NS is
> signed (along with glue), and there is no DS.
> 
> The child could exist as an island of security, and have a self-signed
> DNSKEY (or KSK/ZSK pair).
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "homenet-dot"

[John R Levine]

application, for .local it's handled by mDNS, and for .localhost it's
special cased in the stub client library.


But it isn't.  Go read the library code.  There isn't magic for
localhost in there. The code looks in /etc/hosts before looking in
the DNS (normally) if there is a gethostbyname/getaddrinfo etc.
call.  This allows the administrator to override the DNS for specific
names on this machine for those calls.  This makes "telnet localhost"
work.  It doesn't make lots of other stuff that should work succeed.


I'd say that's special case, since nearly every /etc/hosts I've looked at 
only conains an entry for localhost, and perhaps a useless 255.255.255.255 
for broadcasthost.


Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "homenet-dot"

[Brian Dickson]

On Wed, Dec 14, 2016 at 4:09 PM, Ted Lemon  wrote:

> On Dec 14, 2016, at 5:04 PM, John Levine  wrote:
>
> But it's worse than that -- if your client software does DNSSEC
> validation it needs to understand that homenet is a special case and
> it's OK not to validate.
>
> [etc]
>
>
> That is precisely why we need an unsecured delegation.
>
>


I agree that in the current world, an unsigned delegation is required.

I would humbly suggest that use of an AS112-like set of well-known names
and IP addresses, would be the preferred way of DOING that delegation.

A well-known address set would allow homenet-aware devices to be pre-loaded
with the address of the NS, while non-aware would learn it through the
delegation.

If it were possible to have the names be served by root servers (as a
consequence of being in the set of domains served by the root servers),
then the glue data would be signed and validate-able, which is about as
good as you can get (security-wise), while making homenet strictly local.

(Within a given homenet, the well known IP(s) could be handled via anycast
or similar mechanisms, presuming the homenet mechanisms support things like
that.)

My personal recommendation would be non-RFC-1918 well known addresses.

This ensures that for queries that leak from non-1918 space sourced
queries, that the delegation is to an address that is guaranteed to be
reachable, even if the local set-up is badly broken.

That IP would be configured to give itself as the answer to any query, and
be configured to provide (rate-limed) HTTP (wild-card) responses,
that serve up the RFC for how to set up homenet. (If that RFC doesn't
exist, that really should be next on the WG milestones.)

All roads would then lead to the answer to the question, which is, "How do
I get this stuff to work?".

Brian

PS For the DNSSEC-aware humans:

I think this exposes an unforeseen edge case, not covered in the design of
DNSSEC.

I think what would have been ideal, would have been the ability to securely
delegate to a well-known name/address, but without a secure entry point.
I.e. where parent/child NS use different RRTYPEs, and the parent NS is
signed (along with glue), and there is no DS.

The child could exist as an island of security, and have a self-signed
DNSKEY (or KSK/ZSK pair).
___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "homenet-dot"

[Ted Lemon]

On Dec 14, 2016, at 5:04 PM, John Levine  wrote:
> But it's worse than that -- if your client software does DNSSEC
> validation it needs to understand that homenet is a special case and
> it's OK not to validate.
> [etc]

That is precisely why we need an unsecured delegation.

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "homenet-dot"

[Mark Andrews]

In message <20161214220428.1688.qm...@ary.lan>, "John Levine" writes:
> >Here's the reasoning:   Either your home router understands .homenet or 
> >it doesn't.  If it doesn't, then your homenet shouldn't be using 
> >.homenet and any .homenet lookups to the real world should fail.  If it 
> >does, then it should trap .homenet queries and do with it what it will.
> 
> But it's worse than that -- if your client software does DNSSEC
> validation it needs to understand that homenet is a special case and
> it's OK not to validate.  This brings us to one of the knottiest parts
> of special use names, which is that they're all handled differently.
> For .onion, it's generally handled in a SOCKS proxy in the
> application, for .local it's handled by mDNS, and for .localhost it's
> special cased in the stub client library.

But it isn't.  Go read the library code.  There isn't magic for
localhost in there. The code looks in /etc/hosts before looking in
the DNS (normally) if there is a gethostbyname/getaddrinfo etc.
call.  This allows the administrator to override the DNS for specific
names on this machine for those calls.  This makes "telnet localhost"
work.  It doesn't make lots of other stuff that should work succeed.

.localhost needs the same treatment as .homenet.  It doesn't get
it today but it should for the same reason .homenet needs a insecure
delegation.

> (There are of course other
> ways one could do it, e.g., a .onion proxy on a LAN could intercept
>  lookups, and return link-local addresses it serves.)
> 
> One model is that DNSSEC is so complex that applications depend on the
> cache and if it sets the AD bit, you trust the result.  Another is
> that memory is cheap and you put a complete DNSSEC verifier in the
> application libraries, so they need to get all of the DNSSEC goop and
> decide for themselves whether they believe it.
> 
> In the former model, you're right, the cache can tell virtuous lies
> about .homenet addresses and there's no need to put anything in the
> root.  In the latter case, you're pretty much schrod.  Since there's
> no way to do a DNSSEC chain from the root to a zillion random homenet
> setups, an unsigned root delegation says that an unsigned result isn't
> necessarily wrong, but of course it doesn't say that it's right,
> either.
> 
> This is a situation that DNSSEC wasn't set up to solve, unless you're
> going to wave your hands and invent some sort of DHCP extension where
> the router can hand out local trust anchors.  I realize we have RFC
> 3318, but I don't get the impression that this is a scenario it can
> handle without implausible amounts of manual preconfiguration just
> to get your mobile phone on your home wifi.
> 
> So having said all this, I agree with Steve that an unsigned delegation
> is a bad idea, not because all unsigned delegations are necessarily
> bad, but because this one wouldn't solve enough problems to be worth
> the ugly and ambiguous precedent it'd set.
> 
> R's,
> John
> 
> ___
> homenet mailing list
> homenet@ietf.org
> https://www.ietf.org/mailman/listinfo/homenet
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "homenet-dot"

[John Levine]

>But it's worse than that -- if your client software does DNSSEC
>validation it needs to understand that homenet is a special case and
>it's OK not to validate.  This brings us to one of the knottiest parts
>of special use names, which is that they're all handled differently.
>For .onion, it's generally handled in a SOCKS proxy in the
>application, for .local it's handled by mDNS, and for .localhost it's
>special cased in the stub client library.  (There are of course other
>ways one could do it, e.g., a .onion proxy on a LAN could intercept
> lookups, and return link-local addresses it serves.)

Forgot to mention: homenet is a fourth model, special cased in the
cache, which is an occasional but I think infrequent alternate
implementation for .localhost.  There's implicitly a fifth for
.example, .test, and .invalid which are expected to get a normal
NXDOMAIN.  

I expect when the next 6761 candidate comes along, it'll be handled in
yet another grotty way.

But still:

>So having said all this, I agree with Steve that an unsigned delegation
>is a bad idea, not because all unsigned delegations are necessarily
>bad, but because this one wouldn't solve enough problems to be worth
>the ugly and ambiguous precedent it'd set.

R's,
John

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] [DNSOP] Fwd: WGLC on "redact" and "homenet-dot"

[John Levine]

>Here's the reasoning:   Either your home router understands .homenet or 
>it doesn't.  If it doesn't, then your homenet shouldn't be using 
>.homenet and any .homenet lookups to the real world should fail.  If it 
>does, then it should trap .homenet queries and do with it what it will.

But it's worse than that -- if your client software does DNSSEC
validation it needs to understand that homenet is a special case and
it's OK not to validate.  This brings us to one of the knottiest parts
of special use names, which is that they're all handled differently.
For .onion, it's generally handled in a SOCKS proxy in the
application, for .local it's handled by mDNS, and for .localhost it's
special cased in the stub client library.  (There are of course other
ways one could do it, e.g., a .onion proxy on a LAN could intercept
 lookups, and return link-local addresses it serves.)

One model is that DNSSEC is so complex that applications depend on the
cache and if it sets the AD bit, you trust the result.  Another is
that memory is cheap and you put a complete DNSSEC verifier in the
application libraries, so they need to get all of the DNSSEC goop and
decide for themselves whether they believe it.

In the former model, you're right, the cache can tell virtuous lies
about .homenet addresses and there's no need to put anything in the
root.  In the latter case, you're pretty much schrod.  Since there's
no way to do a DNSSEC chain from the root to a zillion random homenet
setups, an unsigned root delegation says that an unsigned result isn't
necessarily wrong, but of course it doesn't say that it's right,
either.

This is a situation that DNSSEC wasn't set up to solve, unless you're
going to wave your hands and invent some sort of DHCP extension where
the router can hand out local trust anchors.  I realize we have RFC
3318, but I don't get the impression that this is a scenario it can
handle without implausible amounts of manual preconfiguration just
to get your mobile phone on your home wifi.

So having said all this, I agree with Steve that an unsigned delegation
is a bad idea, not because all unsigned delegations are necessarily
bad, but because this one wouldn't solve enough problems to be worth
the ugly and ambiguous precedent it'd set.

R's,
John

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet