On Tue, Mar 04, 2014 at 10:08:53AM +0000, Ralf Weber wrote:
> or on the ISP auth name server). I have no problem with signing on
> the CPE. I just don't want to make it mandatory
For the purposes of this discussion, I'm going to assume that one has an inward-facing zone and an outward-facing one (i.e. this is a split-brain DNS situation). Now, if the inward-facing DNS (wherever it's run -- CPE or elsewhere in the homenet) signs anything, then you must have common keys for the outward-facing DNS. (I suppose as an alternative, you could use extremely low TTLs on your zones -- say, a few minutes.)

This is because one of the use cases we originally had in mind was that you carry your laptop off to some out-of-homenet network and want access to services inside the homenet. Since we're all wandering around with a DNS cache on our laptops any more, you could easily get an answer back from (say) the homenet DNS with the DNSKEY record. You will cache it. If you then go to some other network, you will try to validate with that DNSKEY that you have cached (until it expires). If you then query for some resource inside the homenet for a record you don't already have cached, you'll need to be able to validate it; so it needs to be validatable using that same cached key record. If it's not, then the data will validate bogus and you'll fail to connect.

The same issue is true in the other direction.

So if we're going to say that the signing may happen in the ISP's infrastructure, then either (1) we need a mechanism to share private keys (which sounds like a bozo move to me), or (2) we need to state that it is incompatible with using DNSSEC in the inward-facing zone, or (3) we need to state that any access to any DNSSEC-signed name in the outward zone should be expected to route through the ISP link; inside-homenet-only names may use in-homenet interfaces. (I'm sure there's a more elegant way to say that, but I've written in haste.)

Best regards,

A

-- 
Andrew Sullivan
[email protected]

_______________________________________________
homenet mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/homenet
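The failure mode Andrew describes (a stub resolver caches the DNSKEY it learned on the inside view, roams to another network, and then tries to validate answers signed by the outside view) can be shown in a small simulation. The following is an added example written for this page; it is not code from the thread, from any homenet draft or from any DNS implementation. It models DNSKEY/RRSIG as plain structs with Ed25519 standing in for whatever DNSSEC algorithm the zone would really use, omits key tags, RRSIG validity windows and the chain of trust, and uses a fake clock so TTL expiry can be stepped deterministically. The zone name home.example., the name vpn.home.example., its address 192.0.2.1 and the TTL values are all constructed. The three scenarios correspond to his points: separate keys per view with a fresh cache, shared keys (option 1), and a TTL short enough that the cached key has expired by the time the laptop is elsewhere (the low-TTL alternative).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// Toy DNSKEY: the public key a resolver caches for a zone, with its TTL.
type DNSKEY struct {
	Zone   string
	Public ed25519.PublicKey
	TTL    time.Duration
}

// Toy RRSIG over a single record (owner name + rdata) of a zone.
type RRSIG struct {
	Zone, Name, RData string
	Signature         []byte
}

// ZoneView is one signer for a zone name: the inside view or the outside view.
// Two views of the same name may hold different private keys.
type ZoneView struct {
	priv ed25519.PrivateKey
	Key  DNSKEY
}

// NewZoneView generates a fresh key pair for one view of the zone.
func NewZoneView(zone string, ttl time.Duration) ZoneView {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return ZoneView{priv: priv, Key: DNSKEY{Zone: zone, Public: pub, TTL: ttl}}
}

func signedData(zone, name, rdata string) []byte {
	return []byte(zone + "|" + name + "|" + rdata)
}

// Sign produces the RRSIG a resolver would receive alongside the record.
func (v ZoneView) Sign(name, rdata string) RRSIG {
	return RRSIG{Zone: v.Key.Zone, Name: name, RData: rdata,
		Signature: ed25519.Sign(v.priv, signedData(v.Key.Zone, name, rdata))}
}

type cachedKey struct {
	key     DNSKEY
	expires time.Time
}

// Validator is a validating stub resolver with a per-zone DNSKEY cache.
type Validator struct {
	now   func() time.Time
	cache map[string]cachedKey
}

func NewValidator(now func() time.Time) *Validator {
	return &Validator{now: now, cache: map[string]cachedKey{}}
}

// Learn caches a DNSKEY until its TTL runs out, as a resolver does on the
// first query into a zone.
func (val *Validator) Learn(k DNSKEY) {
	val.cache[k.Zone] = cachedKey{key: k, expires: val.now().Add(k.TTL)}
}

// Validate checks an answer with the cached key. fetch models re-fetching the
// DNSKEY from whatever network the resolver is on now; it is only consulted
// once the cached entry has expired, which is the whole problem.
func (val *Validator) Validate(sig RRSIG, fetch func(zone string) DNSKEY) string {
	ck, ok := val.cache[sig.Zone]
	if !ok || !val.now().Before(ck.expires) {
		val.Learn(fetch(sig.Zone))
		ck = val.cache[sig.Zone]
	}
	if ed25519.Verify(ck.key.Public, signedData(sig.Zone, sig.Name, sig.RData), sig.Signature) {
		return "secure"
	}
	return "bogus"
}

// RoamingScenario: learn the DNSKEY at home from the inside view, leave for
// `elapsed`, then validate an answer that only the outside view signs.
// sharedKey=true models the views sharing one private key (option 1).
func RoamingScenario(sharedKey bool, ttl, elapsed time.Duration) string {
	clock := time.Unix(0, 0)
	inside := NewZoneView("home.example.", ttl) // constructed zone name
	outside := inside
	if !sharedKey {
		outside = NewZoneView("home.example.", ttl) // same name, different key
	}
	v := NewValidator(func() time.Time { return clock })
	v.Learn(inside.Key) // cached while still at home
	clock = clock.Add(elapsed)
	answer := outside.Sign("vpn.home.example.", "192.0.2.1") // constructed record
	return v.Validate(answer, func(string) DNSKEY { return outside.Key })
}

func main() {
	fmt.Println("separate keys, cache fresh: ", RoamingScenario(false, time.Hour, 5*time.Minute))
	fmt.Println("shared key, cache fresh:    ", RoamingScenario(true, time.Hour, 5*time.Minute))
	fmt.Println("separate keys, TTL expired: ", RoamingScenario(false, 2*time.Minute, 5*time.Minute))
}
```

The first scenario is the one in the mail: the cached inside key is still valid, the outside answer was signed with a different key, and the data validates bogus. Sharing the key or letting the cache expire before the query both make it validate secure, which is exactly why the mail offers only shared keys or very low TTLs as ways out. Note that with low TTLs the same resolver returning home hits the mirror-image problem (the other direction the mail mentions) until the outside key it picked up expires in turn.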
