> On 19 Jul 2018, at 11:58 pm, Mark Andrews <ma...@isc.org> wrote:
> 
>> On 19 Jul 2018, at 11:30 pm, Juliusz Chroboczek <j...@irif.fr> wrote:
>> 
>>> I am not speaking about discovery within the Homenet. I am speaking about
>>> exporting names into the global DNS, which is what Daniel's draft is
>>> about.
>> 
>>> Yes, but the problem is that you are treating this as if these are two
>>> separate problems, but they are not.
>> 
>> These are two completely different problems, with different default
>> behaviours and different failure modes.
>> 
>> The default behaviour for the local zone is that devices should be
>> discoverable. The default behaviour for the public DNS is that a device
>> should not be published unless it takes explicit action.
>> 
>> It makes a lot of sense to have two different protocols, rather than
>> essentially leaking a local zone into the ISP's DNS servers.
>> 
>>> I'm not following your reasoning here -- why does the zone being tied to
>>> the ISP imply that we must use a more complex protocol?
>> 
>>> Doing this transaction over HTTP means another service that the ISP has
>>> to operate,
>> 
>> Not the ISP, a third-party DNS provider. That's the whole point.
>> 
>>> and another service that the HNR has to connect to.
>> 
>> Not the HNR, the end host. That's the whole point.
>> 
>> And it's literally four lines of shell:
>> 
>>   while true; do
>>     wget --post-data 'name=gameserver.myhome.net&password=topsecret' \
>>       https://dyndns.example.com
>>     sleep $((24 * 3600))
>>   done
> 
> vs
> 
>   while true; do
>     (
>       # delete all the existing AAAA records
>       update delete host.example.com IN AAAA
>       # add in all the GUA AAAA records: drop link-local (zone id "%"),
>       # loopback and fdxx: ULA lines, turn the rest into "update add" lines
>       ifconfig -a inet6 |
>         sed -n -e '/%/d' -e '/ ::1 /d' -e '/ fd[0-9a-f][0-9a-f]:/d' \
>                -e 's/inet6/update add host.example.com 3600 IN AAAA/' \
>                -e 's/ prefixlen.*//p'
>       # tell nsupdate to send the update request. Nsupdate will work out
>       # the zone and the DNS servers to send the update request to.
>       echo send
>     # -k reads the key pair Khost.example.net.+001+56524.{key,private}
>     # and signs the update with it
>     ) | nsupdate -k Khost.example.net.+001+56524
>     sleep $((24 * 3600))
>   done
And I forgot to mention that this supports multiple AAAA records.

> 
>>> Quite the opposite. In the trivial update protocol, the update is
>>> end-to-end, encrypted, and only the host and the DNS provider see the
>>> data.
>> 
>>> You've published a record in a public zone. It doesn't matter that the
>>> protocol you used to publish it is privacy-protecting, because the
>>> publication of the name immediately negated that.
>> 
>> With delegation through an ISP-controlled hidden master, the ISP gets
>> a database of all the names published by all of its users.
>> 
>> With an encrypted connection to a DNS provider, the ISP needs to troll all
>> of the DNS providers in order to build such a database.
>> 
>>> I actually share your concern that what he's got written down right now
>>> is more complicated than it needs to be, and this is partly because it
>>> was originally motivated by his work at an ISP.
>> 
>> Uh-huh.
>> 
>> -- Juliusz
>> 
>> _______________________________________________
>> homenet mailing list
>> homenet@ietf.org
>> https://www.ietf.org/mailman/listinfo/homenet
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
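The sed pipeline in Mark's script, generalized and rewritten in Python as an added example (this is not code from either post). It classifies each address in `ifconfig -a inet6` output with the standard `ipaddress` module, so all of ULA fc00::/7 (not only fd..), link-local, loopback, IPv4-mapped and anything outside 2000::/3 is dropped, and it additionally skips addresses flagged temporary, deprecated or tentative (RFC 4941 privacy addresses rotate, so publishing them leaves stale AAAA records in the public zone). The ifconfig sample is constructed, and the hostname host.example.com and key file name are assumed for illustration.

```python
"""Build an nsupdate batch that publishes only a host's stable, globally
routable IPv6 addresses.  Added example for this thread, not code from the
original posts; sample input, hostname and key file are constructed."""
import ipaddress
import subprocess

# Constructed sample of BSD/macOS-style `ifconfig -a inet6` output.
SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
\tinet6 ::1 prefixlen 128
\tinet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tinet6 fe80::1c3a:2bff:fe4d:5e6f%en0 prefixlen 64 secured scopeid 0x4
\tinet6 2001:db8:1234:1:1c3a:2bff:fe4d:5e6f prefixlen 64 autoconf secured
\tinet6 2001:db8:1234:1:d1c9:4b0e:77aa:3c21 prefixlen 64 autoconf temporary
\tinet6 fd00:dead:beef::42 prefixlen 64
\tinet6 2001:db8:1234:1::53 prefixlen 64
"""

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")  # currently allocated GUA space
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")    # RFC 4193 ULA, both halves
# Addresses that rotate or are on their way out; a public AAAA for them goes stale.
UNSTABLE_FLAGS = {"temporary", "deprecated", "tentative"}


def parse_inet6_lines(text):
    """Yield (address, flags) for every 'inet6' line of ifconfig output."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "inet6":
            continue
        yield fields[1], set(fields[2:])


def publishable(addr, flags):
    """True if addr is a stable global unicast address fit for the public zone."""
    if "%" in addr:  # zone id: link-local or otherwise interface-scoped
        return False
    try:
        ip = ipaddress.IPv6Address(addr)
    except ValueError:
        return False
    if ip.is_loopback or ip.is_unspecified or ip.is_link_local or ip.is_multicast:
        return False
    if ip in UNIQUE_LOCAL or ip.ipv4_mapped is not None:
        return False
    if ip not in GLOBAL_UNICAST:
        return False
    return not (flags & UNSTABLE_FLAGS)


def global_addresses(text):
    """Publishable addresses from ifconfig output, in order, deduplicated."""
    found = []
    for addr, flags in parse_inet6_lines(text):
        if publishable(addr, flags):
            compressed = ipaddress.IPv6Address(addr).compressed
            if compressed not in found:
                found.append(compressed)
    return found


def nsupdate_script(name, addrs, ttl=3600):
    """One transaction: replace the whole AAAA RRset, then send."""
    lines = [f"update delete {name} IN AAAA"]
    lines += [f"update add {name} {ttl} IN AAAA {a}" for a in addrs]
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Hypothetical name and key file; the zone must accept updates signed by it.
    out = subprocess.run(["ifconfig", "-a", "inet6"], capture_output=True,
                         text=True, check=True).stdout
    script = nsupdate_script("host.example.com", global_addresses(out))
    subprocess.run(["nsupdate", "-k", "Khost.example.net.+001+56524"],
                   input=script, text=True, check=True)
```

Because the delete and the adds are sent in a single `send`, the server applies them atomically and the name never resolves to an empty RRset in between; the sample above yields two `update add` lines, for the stable autoconf address and the static `::53` one, while the temporary, ULA, link-local and loopback entries are filtered out.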