Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-15 Thread Suzanne Woolf
> On Dec 15, 2016, at 3:51 PM, Ted Lemon wrote: > > On Dec 15, 2016, at 3:40 PM, Mark Andrews > wrote: >> The IETF and ICANN are going to need to address this issue. It >> does no one any good to leave it festering. > > Yup. I think

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-15 Thread Mark Andrews
In message <3e04d8bb-d18f-4d9b-81c3-991bcf76f...@fugue.com>, Ted Lemon writes: > > On Dec 15, 2016, at 4:41 PM, Michael StJohns > wrote: > > The problem with providing an unsecured delegation for .homenet is that > > items subsidiary to .homenet become spoofable in the

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-15 Thread Ted Lemon
It would also make it not work for any client, and it would be in direct contradiction to advice this working group published less than a year ago. On Thu, Dec 15, 2016 at 5:04 PM, Jacques Latour wrote: > This would probably be a good use case for homenet to use its own DNS

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-15 Thread Jacques Latour
This would probably be a good use case for homenet to use its own DNS class, Class 2 - 0x0002 – Homenet (HN). How to implement is beyond my paygrade. This would make homenet DNS very distinctive, which it is. If we want to solve this problem, it’s going to require an extension to the DNS that

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-15 Thread Ted Lemon
On Dec 15, 2016, at 4:41 PM, Michael StJohns wrote: > The problem with providing an unsecured delegation for .homenet is that items > subsidiary to .homenet become spoofable in the wider internet and that's not > necessarily a good thing. It might make life easier for

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-15 Thread Michael StJohns
On 12/15/2016 3:11 PM, Ted Lemon wrote: On Dec 15, 2016, at 2:23 PM, Steve Crocker wrote: I don’t understand what is meant by an “unsecured delegation.” I also don’t understand what sort of delegation you want, irrespective of whether DNSSEC is involved. There would be

Re: [DNSOP] [homenet] iterative vs. forwarder, was Fwd: WGLC on "redact" and "homenet-dot"

2016-12-15 Thread John R Levine
On Thu, 15 Dec 2016, Ted Lemon wrote: Billions and billions of them? How often do they query the root, do you think, compared to a stub resolver that did recursion itself? I have no idea, although I do know that IoT devices tend to use stripped down linux distros. In any event, given that

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-15 Thread Ted Lemon
Billions and billions of them? How often do they query the root, do you think, compared to a stub resolver that did recursion itself? On Thu, Dec 15, 2016 at 3:57 PM, John R Levine wrote: > Putting an iterative resolver in a stub resolver is an attack on the DNS >>>

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-15 Thread John R Levine
Putting an iterative resolver in a stub resolver is an attack on the DNS infrastructure. Ted might want to alert all of the BSD and linux distros that default to running a copy of bind or unbound answering queries on 127.0.0.1. Regards, John Levine, jo...@taugh.com, Taughannock Networks,

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-15 Thread Ted Lemon
On Dec 15, 2016, at 3:40 PM, Mark Andrews wrote: > The IETF and ICANN are going to need to address this issue. It > does no one any good to leave it festering. Yup. I think that’s the bottom line.

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-15 Thread Mark Andrews
In message <8d7e8e5c-ec8e-46e9-9c07-947d7a7f6...@fugue.com>, Ted Lemon writes: > On Dec 15, 2016, at 2:23 PM, Steve Crocker wrote: > > I don't understand what is meant by an "unsecured delegation." I also > > don't understand what sort of delegation you want, irrespective of

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-15 Thread Mark Andrews
In message <4195dba6-6eae-45ce-ad61-9236c6212...@google.com>, james woodyatt writes: > > On Dec 15, 2016, at 06:35, Ted Lemon wrote: > > [Mark Andrews wrote:] > > Why shouldn't an iterative resolver work if we can make it work? > > > > Putting an iterative

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-15 Thread Ted Lemon
On Dec 15, 2016, at 2:23 PM, Steve Crocker wrote: > I don’t understand what is meant by an “unsecured delegation.” I also don’t > understand what sort of delegation you want, irrespective of whether DNSSEC > is involved. There would be a delegation for .homenet in the

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-15 Thread Mark Andrews
In message

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-15 Thread Steve Crocker
Ted, I am truly confused by your note. I sense I am missing something fundamental. See specific questions below. Thanks, Steve > On Dec 15, 2016, at 12:20 PM, Ted Lemon wrote: > > On Dec 15, 2016, at 11:05 AM, Jacques Latour

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-15 Thread Suzanne Woolf
(no hats) > On Dec 15, 2016, at 12:20 PM, Ted Lemon wrote: > > On Dec 15, 2016, at 11:05 AM, Jacques Latour > wrote: >> Where do you delegate homenet to? Advanced DNSSEC validation may check for >> proper delegation?

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-15 Thread Ted Lemon
On Dec 15, 2016, at 11:05 AM, Jacques Latour wrote: > Where do you delegate homenet to? Advanced DNSSEC validation may check for > proper delegation? I think we should ask ICANN to set up an unsecured delegation of .homenet to the AS112 servers. In order for names

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-15 Thread Michael StJohns
On 12/15/2016 11:59 AM, Ray Bellis wrote: On 15/12/2016 16:57, Bob Harold wrote: If an insecure delegation can be made in the root, then could a local trust anchor be used by those who want their .homenet domain DNSSEC validated? That's what I would have expected to happen. Actually, you

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-15 Thread Ray Bellis
On 15/12/2016 16:57, Bob Harold wrote: > If an insecure delegation can be made in the root, then could a local > trust anchor be used by those who want their .homenet domain DNSSEC > validated? That's what I would have expected to happen. > That seems easier than sharing keys or creating

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-15 Thread Bob Harold
If an insecure delegation can be made in the root, then could a local trust anchor be used by those who want their .homenet domain DNSSEC validated? That seems easier than sharing keys or creating subdomains with nsupdate. But I don't know much about trust anchors. -- Bob Harold

Re: [DNSOP] [homenet] WGLC on "redact" and "homenet-dot"

2016-12-15 Thread Jacques Latour
Ted, very clear summary, thank you. I read the DNSSEC related homenet and dnsop comments and I don’t see how you can have DNSSEC validation for a homenet without a properly signed & delegated domain. If we want a one shoe fits all solution then we need to have a single common domain used by

Re: [DNSOP] Second Working Group Last Call - draft-ietf-dnsop-nsec-aggressiveuse

2016-12-15 Thread Bob Harold
On Wed, Dec 14, 2016 at 8:53 AM, Stephane Bortzmeyer wrote: > On Tue, Dec 13, 2016 at 02:13:27PM -0500, > tjw ietf wrote > a message of 94 lines which said: > > > This starts a Working Group Last Call for: > > "Aggressive use of NSEC/NSEC3" > >

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-15 Thread Ted Lemon
> > Why shouldn't an iterative resolver work if we can make it work? > Putting an iterative resolver in a stub resolver is an attack on the DNS infrastructure. If you are doing it because you are testing some theory in an experimental jig, that's perfectly fine; in that case, you are a

Re: [DNSOP] [homenet] Fwd: WGLC on "redact" and "homenet-dot"

2016-12-15 Thread Juliusz Chroboczek
> So far so good. The problem is a (largely hypothetical at this point) > stub resolver that wants to do DNSSEC verification of the results the > router gives it. Yes, I'm following this discussion with interest. The only bit I object to is bringing .onion into the discussion -- .homenet is