Re: [DNSOP] Second Working Group Last Call - draft-ietf-dnsop-nsec-aggressiveuse

2016-12-14 Thread Matthijs Mekking
Tim, On 13-12-16 20:13, tjw ietf wrote: All The process of WGLC for this document engaged the working group and there was much discussion and several different versions. It seems that the authors have addressed everything that has been brought up. We felt another formal Working Group Last cal

Re: [DNSOP] Second Working Group Last Call - draft-ietf-dnsop-nsec-aggressiveuse

2016-12-14 Thread tjw ietf
Sigh, I did. Thank you Matthijs for keeping me honest. tim On Wed, Dec 14, 2016 at 7:46 AM, Matthijs Mekking wrote: > Tim, > > On 13-12-16 20:13, tjw ietf wrote: > >> All >> >> The process of WGLC for this document engaged the working group and >> there was much discussion and several differe

Re: [DNSOP] Second Working Group Last Call - draft-ietf-dnsop-nsec-aggressiveuse

2016-12-14 Thread Stephane Bortzmeyer
On Tue, Dec 13, 2016 at 02:13:27PM -0500, tjw ietf wrote a message of 94 lines which said: > This starts a Working Group Last Call for: > "Aggressive use of NSEC/NSEC3" > draft-ietf-dnsop-nsec-aggressiveuse I've read -07 and I believe it is OK and ready for publication. All my (

[DNSOP] Fwd: [homenet] WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Suzanne Woolf
Hi all, DNSOP participants who are interested in the special use names problem might want to review draft-ietf-homenet-redact (https://datatracker.ietf.org/doc/draft-ietf-homenet-redact/ ) and draft-ietf-homenet-dot (https://datatra

Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Steve Crocker
I am strongly opposed to unsecured delegations in the root zone. No matter what the problem is, an unsecured delegation is not the answer. Steve > On Dec 14, 2016, at 11:11 AM, Suzanne Woolf wrote: > > Hi all, > > DNSOP participants who are interested in the special use names problem might

Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Ted Lemon
Is this a matter of religious conviction, or is there some issue with unsecured delegations in the root that you are assuming is so obvious that you don't need to tell us about it? :) On Wed, Dec 14, 2016 at 11:18 AM, Steve Crocker wrote: > I am strongly opposed to unsecured delegations in the

Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Steve Crocker
The latter. All DNS answers at all levels should be signed to assure the querier of the integrity of the answer. This has been the goal and best practice for a very long time. For example, it was the explicit objective of the quote substantial DNSSEC effort funded by the US Dept of Homeland S

Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Ted Lemon
I hope it was obvious that I was pretty confident that you actually had a reason. :) The issue with what you are saying is that sometimes it is technically correct for a name to not be validatable. The reason we want an unsecured delegation for .homenet is that .homenet can't be validated usin

Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Michael StJohns
On 12/14/2016 12:07 PM, Ted Lemon wrote: I hope it was obvious that I was pretty confident that you actually had a reason. :) The issue with what you are saying is that sometimes it is technically correct for a name to not be validatable. The reason we want an unsecured delegation for .ho

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Ralph Droms
Is there any way this discussion could be moved to homenet, which is where the use case originates and the WG last call is taking place? - Ralph > On Dec 14, 2016, at 12:21 PM, Steve Crocker wrote: > > If it doesn’t have a globally unique meaning, it doesn’t make sense to query > the root for

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Ray Bellis
On 14/12/2016 17:24, Ralph Droms wrote: > Is there any way this discussion could be moved to homenet, which is > where the use case originates and the WG last call is taking place? Ralph, I think this is primarily a DNSSEC problem, and the expertise for that is here rather than in Homenet. Ray

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Steve Crocker
If it doesn’t have a globally unique meaning, it doesn’t make sense to query the root for an answer. What problem is trying to be solved? I suspect whatever the problem actually is, the answer will be something other than adding an unsecured delegation to the root zone. Steve > On Dec 14,

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Steve Crocker
Mike, A query to the root for .homenet results in a *signed* answer that .homenet does not exist. This should suffice for the purpose you have in mind. Ralph, Re moving to the homenet list, I will try to send the same info there once I have time to sign up for that list. Steve > On Dec 14,

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Michael StJohns
On 12/14/2016 12:34 PM, Steve Crocker wrote: Mike, A query to the root for .homenet results in a *signed* answer that .homenet does not exist. This should suffice for the purpose you have in mind. Yup - that's my comment: The third way is to do no delegation from the root for .homenet a

Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Ted Lemon
On Dec 14, 2016, at 12:23 PM, Michael StJohns wrote: > Either your home router understands .homenet or it doesn't. If it doesn't, > then your homenet shouldn't be using .homenet and any .homenet lookups to the > real world should fail. If it does, then it should trap .homenet queries and > d

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Ted Lemon
On Dec 14, 2016, at 12:21 PM, Steve Crocker wrote: > If it doesn’t have a globally unique meaning, it doesn’t make sense to query > the root for an answer. > > What problem is trying to be solved? I suspect whatever the problem actually > is, the answer will be something other than adding an u

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Ralph Droms
> On Dec 14, 2016, at 12:37 PM, Michael StJohns wrote: > > On 12/14/2016 12:34 PM, Steve Crocker wrote: >> Mike, >> >> A query to the root for .homenet results in a *signed* answer that .homenet >> does not exist. This should suffice for the purpose you have in mind. > > Yup - that's my comm

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Suzanne Woolf
Ray, While I can’t speak for Ralph, I also suggested that comments from DNSOP participants on these drafts should go to the HOMENET WG list, because they were input to a HOMENET WGLC. It does seem to me that the discussion of DNSSEC, including the opposition of the chair of ICANN to an unsigne

Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Jaap Akkerhuis
Ted Lemon writes: > I hope it was obvious that I was pretty confident that you actually had a > reason. :) > > The issue with what you are saying is that sometimes it is technically > correct for a name to not be validatable. The reason we want an unsecured > delegation for .homenet is

Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Ted Lemon
On Dec 14, 2016, at 3:14 PM, Jaap Akkerhuis wrote: > Any reason why homenet should use a TLD? What is wrong with something > like homenet.arpa (or thuisnet.arpa, or bob.arpa). It’s more typing, and is not consistent with ".local". That is to say, a reasonably intelligent and observant user with

Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Ray Bellis
On 14/12/2016 20:14, Jaap Akkerhuis wrote: > Any reason why homenet should use a TLD? What is wrong with something > like homenet.arpa (or thuisnet.arpa, or bob.arpa). It's not considered user-friendly enough. The historic meaning of ARPA is considered by some to be problematic in the consumer

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Jim Reid
> On 14 Dec 2016, at 20:43, Ray Bellis wrote: > > On 14/12/2016 20:14, Jaap Akkerhuis wrote: >> Any reason why homenet should use a TLD? What is wrong with something >> like homenet.arpa (or thuisnet.arpa, or bob.arpa). > > > > It's not considered user-friendly enough. So what? End users are

Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Jaap Akkerhuis
Ray Bellis writes: > On 14/12/2016 20:14, Jaap Akkerhuis wrote: > > Any reason why homenet should use a TLD? What is wrong with something > > like homenet.arpa (or thuisnet.arpa, or bob.arpa). > > Which hat? > > It's not considered user-friendly enough. > > The historic meaning of A

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Ray Bellis
On 14/12/2016 21:16, Jim Reid wrote: > So what? End users are not expected to see this string, far less care > about it, are they? Surely this string is primarily, if not > exclusively, for CPE firmware? Actually, yes, they are expected to see this thing. It would be what would appear in their

Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Ray Bellis
On 14/12/2016 21:33, Jaap Akkerhuis wrote: > Ray Bellis writes: > > > On 14/12/2016 20:14, Jaap Akkerhuis wrote: > > > Any reason why homenet should use a TLD? What is wrong with something > > > like homenet.arpa (or thuisnet.arpa, or bob.arpa). > > > > > > Which hat? Sorry - Homenet WG

Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Mark Andrews
In message , Michael StJohns writes: > > On 12/14/2016 12:07 PM, Ted Lemon wrote: > > I hope it was obvious that I was pretty confident that you actually > > had a reason. :) > > > > The issue with what you are saying is that sometimes it is technically > > correct for a name to not be valid

Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "homenet-dot"

2016-12-14 Thread John Levine
>Here's the reasoning: Either your home router understands .homenet or >it doesn't. If it doesn't, then your homenet shouldn't be using >.homenet and any .homenet lookups to the real world should fail. If it >does, then it should trap .homenet queries and do with it what it will. But it's w

Re: [DNSOP] Fwd: [homenet] WGLC on "redact" and "homenet-dot"

2016-12-14 Thread John Levine
>But it's worse than that -- if your client software does DNSSEC >validation it needs to understand that homenet is a special case and >it's OK not to validate. This brings us to one of the knottiest parts >of special use names, which is that they're all handled differently. >For .onion, it's gene

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Ralph Droms
> On Dec 14, 2016, at 4:48 PM, Ray Bellis wrote: > > > > On 14/12/2016 21:16, Jim Reid wrote: > >> So what? End users are not expected to see this string, far less care >> about it, are they? Surely this string is primarily, if not >> exclusively, for CPE firmware? > > Actually, yes, they ar

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Mark Andrews
In message <20161214220428.1688.qm...@ary.lan>, "John Levine" writes: > >Here's the reasoning: Either your home router understands .homenet or > >it doesn't. If it doesn't, then your homenet shouldn't be using > >.homenet and any .homenet lookups to the real world should fail. If it > >does

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Ted Lemon
On Dec 14, 2016, at 4:16 PM, Jim Reid wrote: > Surely this string is primarily, if not exclusively, for CPE firmware? You know what they say about assumptions. ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Ted Lemon
On Dec 14, 2016, at 4:48 PM, Ray Bellis wrote: > The arguments in favour of a pseudo-TLD are (AFAIK) entirely user > orientated, and not technical. You are effectively saying that user interfaces don’t matter. If they do matter, then getting them right is indeed a technical matter. Diving de

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Ted Lemon
On Dec 14, 2016, at 5:04 PM, John Levine wrote: > But it's worse than that -- if your client software does DNSSEC > validation it needs to understand that homenet is a special case and > it's OK not to validate. > [etc] That is precisely why we need an unsecured delegation.

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Ray Bellis
On 15/12/2016 00:07, Ted Lemon wrote: On Dec 14, 2016, at 4:48 PM, Ray Bellis wrote: The arguments in favour of a pseudo-TLD are (AFAIK) entirely user orientated, and not technical. You are effectively saying that user interfaces don’t matter. If they do matter,

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Ted Lemon
On Dec 14, 2016, at 7:09 PM, Ray Bellis wrote: > I meant that they are not technical w.r.t the DNS protocol itself. Nothing about this discussion except the need for an unsecured delegation is technical.

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Brian Dickson
On Wed, Dec 14, 2016 at 4:09 PM, Ted Lemon wrote: > On Dec 14, 2016, at 5:04 PM, John Levine wrote: > > But it's worse than that -- if your client software does DNSSEC > validation it needs to understand that homenet is a special case and > it's OK not to validate. > > [etc] > > > That is precis

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-14 Thread John R Levine
application, for .local it's handled by mDNS, and for .localhost it's special cased in the stub client library. But it isn't. Go read the library code. There isn't magic for localhost in there. The code looks in /etc/hosts before looking in the DNS (normally) if there is a gethostbyname/getadd

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-14 Thread John R Levine
But it's worse than that -- if your client software does DNSSEC validation it needs to understand that homenet is a special case and it's OK not to validate. [etc] That is precisely why we need an unsecured delegation. Except that as the [etc] said, it doesn't really solve the problem. Regard

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Ted Lemon
It solves the problem of not repudiating names in the homenet. You have to have a special resolver to be able to validate them. On Wed, Dec 14, 2016 at 7:48 PM, John R Levine wrote: > But it's worse than that -- if your client software does DNSSEC >>> validation it needs to understand that hom

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-14 Thread George Michaelson
Two conversations in one thread is confusing. There is a part which is about the name as a label. in the root? not in the root? under .arpa? which process? why? -That's mired. I'm trying not to re-ignite flames having covered myself in petrol some time ago. There is a part which is 'can we do DNSS

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Mark Andrews
In message , Brian Dickson writes: > > On Wed, Dec 14, 2016 at 4:09 PM, Ted Lemon wrote: > > > On Dec 14, 2016, at 5:04 PM, John Levine wrote: > > > > But it's worse than that -- if your client software does DNSSEC > > validation it needs to understand that homenet is a special case and > > i

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-14 Thread John R Levine
On Wed, 14 Dec 2016, Ted Lemon wrote: That is precisely why we need an unsecured delegation. Except that as the [etc] said, it doesn't really solve the problem. It solves the problem of not repudiating names in the homenet. You have to have a special resolver to be able to validate them.

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Juliusz Chroboczek
> This brings us to one of the knottiest parts of special use names, which > is that they're all handled differently. For .onion, it's generally > handled in a SOCKS proxy in the application, for .local it's handled by > mDNS, and for .localhost it's special cased in the stub client library. Let'

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Juliusz Chroboczek
> requires special-case code in every single freaking DNS-speaking > application. Yeah, I'm still pissed off.) Since people seem puzzled about my rant, here's the relevant quotation from RFC 7686: Applications that do not implement the Tor protocol SHOULD generate an error upon the use o

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-14 Thread John Levine
>Now, granted, .local and .homenet require special casing in shared parts >of the protocol stack (.local in the stub resolver, .homenet in the >Homenet router's resolver), but this needs to be done just once in the >protocol stack, not in every single application. Completely unlike .onion. I thin

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-14 Thread John Levine
>RFC 7686 updates every single DNS-using application protocol, even if it >has nothing to do with tor. Now go and fix the FTP client you wrote in >1984, it violates RFC 7686. My applications call res_query() to look up and A records, so they don't work with .home, either. That horse left th

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Brian Dickson
On Wed, Dec 14, 2016 at 5:18 PM, Mark Andrews wrote: > > In message gmail.com> > , Brian Dickson writes: > > > > On Wed, Dec 14, 2016 at 4:09 PM, Ted Lemon wrote: > > > > > On Dec 14, 2016, at 5:04 PM, John Levine wrote: > > > > > > But it's worse than that -- if your client software does DNSS

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Ted Lemon
You would need a special resolver to _validate_ .homenet automatically using a trust anchor published by the home network. You do not need a special resolver to look up names in the homenet without validation, if there is an unsecured delegation at the root. If there is a secure denial of exist

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Ted Lemon
Brian, there's no need for the complexity you are describing. The unsecured delegation of .homenet would just point to AS112. Any trust anchor bootstrapping would not involve the root at all.

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Mark Andrews
In message , Brian Dickson writes: > > On Wed, Dec 14, 2016 at 5:18 PM, Mark Andrews wrote: > > > > > In message > gmail.com> > > , Brian Dickson writes: > > > > > > On Wed, Dec 14, 2016 at 4:09 PM, Ted Lemon wrote: > > > > > > > On Dec 14, 2016, at 5:04 PM, John Levine wrote: > > > > > > >

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Brian Dickson
On Wed, Dec 14, 2016 at 6:37 PM, Ted Lemon wrote: > Brian, there's no need for the complexity you are describing. The > unsecured delegation of .homenet would just point to AS112. Any trust > anchor bootstrapping would not involve the root at all. > Is the intent just to have a global NXDOMA

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Juliusz Chroboczek
> On the computers I know, the stub resolver is in one shared library and > the SOCKS proxy is in another. What's the difference? The SOCKS library uses a completely different data transport (one that is circuit-switched and layered over TCP), with very different capabilities from the usual packe

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Ted Lemon
A stub resolver is expected to query a caching resolver, not the root. So all that is required for this to work is that the resolver advertised on the homenet claim authority for the zone, and that there be an unsecured delegation that validates that the homenet resolver can give to the stub reso

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-14 Thread John R Levine
I was under the impression that .homenet is handled entirely within the DNS resolver of the Homenet router, which combines: - an authoritative DNS server for .homenet; - a hybrid mDNS proxy; - a recursive DNS resolver for the rest of the namespace. So far so good. The problem is a (largely

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Mark Andrews
In message , Brian Dickson writes: > > On Wed, Dec 14, 2016 at 6:37 PM, Ted Lemon wrote: > > > Brian, there's no need for the complexity you are describing. The > > unsecured delegation of .homenet would just point to AS112. Any trust > > anchor bootstrapping would not involve the root at

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Mark Andrews
In message , Ted Lemon writes: > > A stub resolver is expected to query a caching resolver, not the root. So > all that is required for this to work is that the resolver advertised on > the homenet claim authority for the zone, and that there be an unsecured > delegation that validates that th

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-14 Thread Mark Andrews
In message , "John R Levine" writes: > > I was under the impression that .homenet is handled entirely within the > > DNS resolver of the Homenet router, which combines: > > > > - an authoritative DNS server for .homenet; > > - a hybrid mDNS proxy; > > - a recursive DNS resolver for the rest of