> On 19 Jul 2018, at 11:30 pm, Juliusz Chroboczek <[email protected]> wrote:
>
>> I am not speaking about discovery within the Homenet. I am speaking about
>> exporting names into the global DNS, which is what Daniel's draft is
>> about.
>
>> Yes, but the problem is that you are treating this as if these are two
>> separate problems, but they are not.
>
> These are two completely different problems, with different default
> behaviours and different failure modes.
>
> The default behaviour for the local zone is that devices should be
> discoverable. The default behaviour for the public DNS is that a device
> should not be published unless it takes explicit action.
>
> It makes a lot of sense to have two different protocols, rather than
> essentially leaking a local zone into the ISP's DNS servers.
>
>> I'm not following your reasoning here -- why does the zone being tied to
>> the ISP imply that we must use a more complex protocol?
>
>> Doing this transaction over HTTP means another service that the ISP has
>> to operate,
>
> Not the ISP, a third-party DNS provider. That's the whole point.
>
>> and another service that the HNR has to connect to.
>
> Not the HNR, the end host. That's the whole point.
>
> And it's literally four lines of shell:
>
> while true; do
> wget --post-data 'name=gameserver.myhome.net&password=topsecret' \
> https://dyndns.example.com
> sleep $((24 * 3600))
> done
vs
while true; do
(
    # delete all the existing AAAA records
    echo update delete host.example.com IN AAAA
    # add in all the GUA AAAA records: drop scoped (link-local), loopback
    # and ULA (fd00::/8) addresses, turn the rest into "update add" lines
    ifconfig -a inet6 |
    sed -n -e '/%/d' -e '/ ::1 /d' -e '/ fd[0-9a-f][0-9a-f]:/d' \
        -e 's/inet6/update add host.example.com 3600 IN AAAA/' \
        -e 's/ prefixlen.*//p'
    # tell nsupdate to send the update request. Nsupdate will work
    # out the zone and DNS servers to send the update request to.
    echo send
) | nsupdate -k Khost.example.net.+001+56524.private  # -k takes the key file
sleep $((24 * 3600))
done
>> Quite the opposite. In the trivial update protocol, the update is
>> end-to-end, encrypted, and only the host and the DNS provider see the
>> data.
>
>> You've published a record in a public zone. It doesn't matter that the
>> protocol you used to publish it is privacy-protecting, because the
>> publication of the name immediately negated that.
>
> With delegation through an ISP-controlled hidden master, the ISP gets
> a database of all the names published by all of its users.
>
> With an encrypted connection to a DNS provider, the ISP needs to troll all
> of the DNS providers in order to build such a database.
>
>> I actually share your concern that what he's got written down right now
>> is more complicated than it needs to be, and this is partly because it
>> was originally motivated by his work at an ISP.
>
> Uh-huh.
>
> -- Juliusz
>
> _______________________________________________
> homenet mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/homenet
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
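As an added example (not Mark's script and not from the thread), here is the same nsupdate loop generalised into a POSIX shell script: it collects the host's IPv6 addresses from either Linux ip or BSD ifconfig, keeps only global unicast addresses (2000::/3) so that link-local, loopback, ULA and scoped addresses never end up in the public zone, and signs the update with a key file. The hostname host.example.com, the TTL and the key-file name are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example: publish a host's global IPv6 addresses as AAAA records
# with nsupdate. HOST, TTL and KEYFILE are assumed placeholder values.

HOST="host.example.com"                                 # placeholder
TTL=3600
KEYFILE="Khost.example.com.+013+12345.private"          # placeholder key file

# is_global_ipv6 ADDR: succeed only for global unicast (2000::/3).
# Anything with a zone id ('%'), ::1, fe80::/10, fc00::/7, ff00::/8 and
# IPv4-mapped addresses all fall outside that prefix and are rejected.
is_global_ipv6() {
  case "$1" in
    *%*)     return 1 ;;   # scoped (link-local with interface suffix)
    [23]*:*) return 0 ;;   # first hex digit 2 or 3 -> 2000::/3
    *)       return 1 ;;
  esac
}

# build_update: read candidate addresses from stdin, one per line, and
# emit an nsupdate batch: delete old AAAA records, add one per global
# address, then "send". Kept separate from address collection so it can
# be tested offline on constructed input.
build_update() {
  echo "update delete $HOST IN AAAA"
  while read -r a; do
    [ -n "$a" ] || continue
    if is_global_ipv6 "$a"; then
      echo "update add $HOST $TTL IN AAAA $a"
    fi
  done
  echo send
}

# collect_addresses: list configured IPv6 addresses, bare (no prefix length).
collect_addresses() {
  if command -v ip >/dev/null 2>&1; then
    # Linux: "2: eth0  inet6 2001:db8::1/64 scope global ..." -> field 4
    ip -o -6 addr show | awk '{print $4}' | sed 's#/.*##'
  else
    # BSD/macOS: "\tinet6 2001:db8::1 prefixlen 64 ..." -> field 2
    ifconfig -a inet6 | awk '/inet6/ {print $2}'
  fi
}

# run_loop: resend the signed update once a day, as in the thread's script.
run_loop() {
  while true; do
    collect_addresses | build_update | nsupdate -k "$KEYFILE"
    sleep $((24 * 3600))
  done
}

# Only start the loop when explicitly asked, so sourcing the file is safe.
if [ "${1:-}" = "run" ]; then
  run_loop
fi
```

Run it as `sh publish-aaaa.sh run`. Filtering on the 2000::/3 prefix is deliberate: it is a positive match for "globally routable unicast", so new special-purpose ranges are excluded by default instead of having to be added to a deny list one at a time.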