Andrew Sullivan <[email protected]> wrote:
> Now, if the inward-facing DNS (wherever it's run -- CPE or elsewhere
> in the homenet) signs anything, then you must have common keys for the
> outward-facing DNS. (I suppose as an alternative, you could use
> extremely low TTLs on your zones -- say, a few minutes). This is
> because one of the use cases we originally had in mind was that you
> carry your laptop off to some out-of-homenet network and want access
> to services inside the homenet.
While it's a good use case example, a better one is that your smartphone
wanders on your person, inside your home, and then uses 3G for a few seconds
when you wander onto the porch, and the wifi signal goes to zero.
The important thing is that you didn't do anything to actually "leave" your
home, while the laptop situation is perhaps more intentional, and contains
many possible signals that a cache should be flushed.
> Since we're all wandering around with a DNS cache on our laptops any
> more, you could easily get an answer back from (say) the homenet DNS
> with the DNSKEY record. You will cache it.
The MIF people have some statements about flushing caches, and about caching
on a per-interface basis. (I think that this is all wrong, btw)
> So if we're going to say that the signing may happen in the ISP's
> infrastructure, then either (1) we need a mechanism to share private
> keys (which sounds like a bozo move to me) or (2) we need to state that
> it is incompatible with using DNSSEC in the inward-facing zone or (3)
> we need to state that any access to any DNSSEC-signed name in the
> outward zone should be expected to route through the ISP link;
> inside-homenet-only names may use in-homenet interfaces. (I'm sure
> there's a more elegant way to say that, but I've written in haste.)
A fourth option is that the name from the outside is different than the name
from the inside. I think that this is the least interesting version.
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting for hire =-
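As an added illustration of the cache problem Andrew describes and the two remedies in the thread (a shared signing key, or very low DNSKEY TTLs), not code from the thread or from any homenet implementation: a small Python simulation using a constructed zone name and a hash stand-in for RRSIG, showing when a roaming validating stub gets bogus answers.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

NAME = "printer.example.home"  # constructed name, not one from the thread

def rrsig(key: str, name: str, rdata: str) -> str:
    """Stand-in for an RRSIG: a hash bound to the signing key. Constructed,
    not real DNSSEC; it only models the property that matters here, namely
    that a signature verifies only against the key the client has cached."""
    return hashlib.sha256(f"{key}|{name}|{rdata}".encode()).hexdigest()

@dataclass
class Zone:
    """One view of the homenet zone: the inward- or outward-facing server."""
    key: str         # key this view signs with (hypothetical key id)
    dnskey_ttl: int  # how long a client caches this view's DNSKEY
    rdata: str       # address this view returns for NAME

    def answer(self):
        return self.rdata, rrsig(self.key, NAME, self.rdata)

@dataclass
class ValidatingStub:
    """Client-side validator that keeps the DNSKEY until its TTL expires."""
    cached_key: Optional[str] = None
    key_expires: int = -1

    def lookup(self, zone: Zone, now: int) -> Optional[str]:
        if self.cached_key is None or now >= self.key_expires:
            self.cached_key, self.key_expires = zone.key, now + zone.dnskey_ttl
        rdata, sig = zone.answer()
        # Validate against the cached key, not whatever the current server uses.
        return rdata if rrsig(self.cached_key, NAME, rdata) == sig else None

def roam(inside: Zone, outside: Zone, outside_at: int) -> Optional[str]:
    """Resolve at home at t=0, then over the ISP link at t=outside_at.
    Returns the validated address, or None if the answer is bogus."""
    stub = ValidatingStub()
    assert stub.lookup(inside, 0) is not None
    return stub.lookup(outside, outside_at)

# Option (1), shared key in both views: keeps validating while roaming.
shared = roam(Zone("K1", 3600, "fd00::1"), Zone("K1", 3600, "203.0.113.1"), 10)
# Different keys with an hour-long DNSKEY TTL: bogus for the rest of the hour.
bogus = roam(Zone("K1", 3600, "fd00::1"), Zone("K2", 3600, "203.0.113.1"), 10)
# The low-TTL alternative: validation recovers once the cached key expires.
low_ttl = roam(Zone("K1", 120, "fd00::1"), Zone("K2", 120, "203.0.113.1"), 200)
```

The phone-on-the-porch case is the `bogus` scenario with a short `outside_at`: the cached key is still fresh, so the outward-facing answer fails validation until the inward DNSKEY ages out.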
