Re: [homenet] Home DNS server for homenet

2012-03-09 Thread Michael Richardson

> "Lorenzo" == Lorenzo Colitti  writes:
>> In the DNS space, I would like the WG to declare the name-based
>> selection of DNS servers (what some want to do for walled gardens)
>> should be ruled harmful.

>> If some walled garden wants the name->AAAA mapping private, then
>> just restrict queries to source addresses within the walled garden.
>> If necessary, add a level of NS record.


Lorenzo> And do what in response to queries for that name coming
Lorenzo> from outside the walled garden? Return REFUSED? Return NXDOMAIN?
Lorenzo> Drop the query? None of these works, I think.

1) if you use an extra level of NS, then whoever asks for the AAAA
   will get a timeout.  By this, I mean:

   public example.com ns:
walled.example.com.      IN  NS    ns.walled.example.com.
ns.walled.example.com.   IN  AAAA  4000:dead:beef::1

   (Let's assume that walled-gardens get clear Non-Connected Network
   allocation in 4000::/3, but it works fine with 2000::/3 space which is
   either un-advertised or firewalled)

   private walled.example.com ns:
coolserver.walled.example.com.   IN  AAAA  4000:dead:beef::2


   If you ask from within the walled garden, then you can talk to the
   4000:dead:beef::/48 network (and you do so from your 4000::/3 address),
   so you get an answer.

   If you ask from without, you get a timeout.  So even the name of the
   service is hidden, which is what I'm told the providers want.

2) if you do not use this extra level, but have a name server which
   the world can reach, then you can return whatever value you want.
   You can return a different AAAA too if you want.

But, tell how is this any different than what I'm told they originally
wanted, which is that we'd have:

if ($domain =~ /\.somesuffix\.com$/) {
   $ns = $walledgardendns;
}

in applications and stub resolvers?  If you aren't in the walled
garden, what would the application do when $walledgardendns is not
reachable?

-- 
]   He who is tired of Weird Al is tired of life!   |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON|net architect[
] m...@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video 
   then sign the petition. 


___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet


Re: [homenet] Home DNS server for homenet

2012-03-08 Thread Lorenzo Colitti
On Tue, Mar 6, 2012 at 07:05, Michael Richardson  wrote:
>
> In the DNS space, I would like the WG to declare the name-based
> selection of DNS servers (what some want to do for walled gardens)
> should be ruled harmful.
>
> If some walled garden wants the name->AAAA mapping private, then
> just restrict queries to source addresses within the walled garden.
> If necessary, add a level of NS record.
>

And do what in response to queries for that name coming from outside the
walled garden? Return REFUSED? Return NXDOMAIN? Drop the query? None of
these works, I think.


Re: [homenet] Home DNS server for homenet

2012-03-08 Thread Mark Andrews

In message <26134.1331236...@marajade.sandelman.ca>, Michael Richardson writes:
> 
> > "Mark" == Mark Andrews  writes:
> >> You didn't answer my question!  I wasn't asking for
> >> justification, I was asking for clarification of what you are
> >> proposing.
> 
> ...
> 
> Mark> One can do essentially the same thing with TKEY and get a TSIG
> Mark> key that can be stored.  The home owner would register the
> Mark> machine with the router using TKEY.  The credentials used
> Mark> would allow registration on behalf.  TKEY support sending
> Mark> additional data in the request we only need a standard
> Mark> description on how to do "on behalf of".
> 
> So, we need no additional protocol, we just need a DHCP option to tell
> the host that where this service is available.

More a TKEY option.
 
> -- 
> ]   He who is tired of Weird Al is tired of life!   |  firewalls 
>  [
> ]   Michael Richardson, Sandelman Software Works, Ottawa, ON|net architec
> t[
> ] m...@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device drive
> r[
>Kyoto Plus: watch the video 
>  then sign the petition. 
> ___
> homenet mailing list
> homenet@ietf.org
> https://www.ietf.org/mailman/listinfo/homenet
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: [homenet] Home DNS server for homenet

2012-03-08 Thread Mark Andrews

In message , Dave Taht writes:
> On Thu, Mar 8, 2012 at 1:20 AM, Mark Andrews  wrote:
> >
> > In message <26689.1331127...@marajade.sandelman.ca>, Michael Richardson writes:
> >> > "Mark" == Mark Andrews  writes:
> >>     Mark> In message <19226.1331046...@marajade.sandelman.ca>, Michael Richardson writes:
> >>     >> > "Mark" == Mark Andrews  writes:
> >>     Mark> A significant percentage of home machines will roam and those
> >>     Mark> machines will need to be able to register their current
> >>     Mark> address in the DNS.  I do this today when my Mac roams.  TSIG
> >>     Mark> is unavoidable and cheap.  UPDATE itself is relatively cheap.
> >>
> >>     >> Are you asking for a link-local/mDNS-across-the-homenet leap-of-faith
> >>     >> way to do key establishment so that TSIG can be initialized?
> >>
> >>     Mark> For homes a shared key is fine or if you want a small database of
> >>     Mark> keys.
> >>
> >> You didn't answer my question!  I wasn't asking for justification, I was
> >> asking for clarification of what you are proposing.
> >
> > Ok. Let's look at a working model that Microsoft has with AD.  You boot
> > the machine, then an Administrator adds the machine to the AD domain using
> > the administrator's credentials.
> >
> > One can do essentially the same thing with TKEY and get a TSIG key
> > that can be stored.  The home owner would register the machine with
> > the router using TKEY.  The credentials used would allow registration
> > on behalf.  TKEY supports sending additional data in the request; we
> > only need a standard description on how to do "on behalf of".
> 
> An implementation problem is that the 'publishable' quality is not
> representable with things like bind9. Bind9 supports 'views', and in
> my case, I have a 'us' (for inside the network) and 'them' view (for
> everybody else). Inside the network, machines generally have rfc1918
> addresses and ipv6 addresses, and outside, only ipv6 addresses.

Named already transfers in a zone, strips out any NSEC, DNSKEY,
NSEC3, NSEC3PARAM and RRSIG records to get a clean unsigned zone,
then signs the zone using a new set of DNSKEY records to perform
inline signing.  Filtering out RFC 1918 addresses in addition would
not be a major issue; basically you would have to define an acl to
determine what is filtered.  Zones are transferable between views.
UPDATE requests on the outside view can be forwarded to the inside
view, processed, and the resulting zone is transferred, filtered and
signed.  This requires the inside view to be a superset of the
outside view.  If you don't give the inline signing zone a set of
DNSKEYs to work with it just serves the filtered version of the
zone.

> So you need to update both views/databases in order to have a
> consistent namespace. You don't want to leak the rfc1918 addresses to
> the outside world, but you (probably) want to make your ipv6 addresses
> available both inside and outside.
> 
> >
> > Mark
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
> > ___
> > homenet mailing list
> > homenet@ietf.org
> > https://www.ietf.org/mailman/listinfo/homenet
> 
> 
> 
> -- 
> Dave Täht
> SKYPE: davetaht
> US Tel: 1-239-829-5608
> http://www.bufferbloat.net
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: [homenet] Home DNS server for homenet

2012-03-08 Thread Michael Richardson

> "Dave" == Dave Taht  writes:
Dave> which is used rarely anyway). Make sure to not run multiple reflectors
Dave> between the same networks, this might cause them to play Ping Pong
Dave> with mDNS packets. Defaults to "no". reflect-ipv= Takes a
Dave> boolean

In other words, don't have a loop.

homenet has assumed loops.

-- 
]   He who is tired of Weird Al is tired of life!   |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON|net architect[
] m...@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video 
   then sign the petition. 


Re: [homenet] Home DNS server for homenet

2012-03-08 Thread Michael Richardson

> "Mark" == Mark Andrews  writes:
>> You didn't answer my question!  I wasn't asking for
>> justification, I was asking for clarification of what you are
>> proposing.

...

Mark> One can do essentially the same thing with TKEY and get a TSIG
Mark> key that can be stored.  The home owner would register the
Mark> machine with the router using TKEY.  The credentials used
Mark> would allow registration on behalf.  TKEY support sending
Mark> additional data in the request we only need a standard
Mark> description on how to do "on behalf of".

So, we need no additional protocol, we just need a DHCP option to tell
the host that where this service is available.

-- 
]   He who is tired of Weird Al is tired of life!   |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON|net architect[
] m...@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video 
   then sign the petition. 


Re: [homenet] Home DNS server for homenet

2012-03-08 Thread Dave Taht
On Thu, Mar 8, 2012 at 1:20 AM, Mark Andrews  wrote:
>
> In message <26689.1331127...@marajade.sandelman.ca>, Michael Richardson writes:
>> > "Mark" == Mark Andrews  writes:
>>     Mark> In message <19226.1331046...@marajade.sandelman.ca>, Michael Richardson writes:
>>     >> > "Mark" == Mark Andrews  writes:
>>     Mark> A significant percentage of home machines will roam and those
>>     Mark> machines will need to be able to register their current
>>     Mark> address in the DNS.  I do this today when my Mac roams.  TSIG
>>     Mark> is unavoidable and cheap.  UPDATE itself is relatively cheap.
>>
>>     >> Are you asking for a link-local/mDNS-across-the-homenet leap-of-faith
>>     >> way to do key establishment so that TSIG can be initialized?
>>
>>     Mark> For homes a shared key is fine or if you want a small database of
>>     Mark> keys.
>>
>> You didn't answer my question!  I wasn't asking for justification, I was
>> asking for clarification of what you are proposing.
>
> Ok. Let's look at a working model that Microsoft has with AD.  You boot
> the machine, then an Administrator adds the machine to the AD domain using
> the administrator's credentials.
>
> One can do essentially the same thing with TKEY and get a TSIG key
> that can be stored.  The home owner would register the machine with
> the router using TKEY.  The credentials used would allow registration
> on behalf.  TKEY supports sending additional data in the request; we
> only need a standard description on how to do "on behalf of".

An implementation problem is that the 'publishable' quality is not
representable with things like bind9. Bind9 supports 'views', and in
my case, I have a 'us' (for inside the network) and 'them' view (for
everybody else). Inside the network, machines generally have rfc1918
addresses and ipv6 addresses, and outside, only ipv6 addresses.

So you need to update both views/databases in order to have a
consistent namespace. You don't want to leak the rfc1918 addresses to
the outside world, but you (probably) want to make your ipv6 addresses
available both inside and outside.

>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
> ___
> homenet mailing list
> homenet@ietf.org
> https://www.ietf.org/mailman/listinfo/homenet



-- 
Dave Täht
SKYPE: davetaht
US Tel: 1-239-829-5608
http://www.bufferbloat.net


Re: [homenet] Home DNS server for homenet

2012-03-08 Thread Dave Taht
On Thu, Mar 8, 2012 at 4:57 PM, Michael Richardson  wrote:
>
>
> > "Jim" == Jim Gettys  writes:
>    >> (%)-one need not have a globally reachable name.  One might be
>    >> registering into .homenet/.lan/.local.  This may be for the
>    >> benefit of machines which are still at home, and which need to
>    >> find your laptop.  Or the home user might have a global DNS
>    >> name. The difference is really just a matter of NS/DS records.
>
>    Jim> BTW, it appears Dave Taht has mDNS forwarding working between
>    Jim> networks in CeroWrt using Avah; but we need to do more testing.
>
> so, basically it's just a proxy?


Yes. They call it a 'reflector'. From avahi-daemon's man page:

Section [reflector]

enable-reflector= Takes a boolean value ("yes" or "no"). If set to
"yes" avahi-daemon will reflect incoming mDNS requests to all local
network interfaces, effectively allowing clients to browse mDNS/DNS-SD
services on all networks connected to the gateway. The gateway is
somewhat intelligent and should work with all kinds of mDNS traffic,
though some functionality is lost (specifically the unicast reply bit,
which is used rarely anyway). Make sure to not run multiple reflectors
between the same networks, this might cause them to play Ping Pong
with mDNS packets. Defaults to "no".

reflect-ipv= Takes a boolean value ("yes" or "no"). If set to "yes" and
enable-reflector is enabled, avahi-daemon will forward mDNS traffic
between IPv4 and IPv6, which is usually not recommended. Defaults to "no".

...

there are other problems with the mdns spec, notably the TTL figure is
fixed, making routing problematic, even if multicast routing worked
worth beans.

>
>    Jim> I don't think that is the only place where we may have such
>    Jim> issues; SNMP comes to mind, but I don't know how commonly that
>    Jim> is used in home environments.  - Jim
>
> SNMP is unused in home networks.
> I don't know why there is any issue with SNMP though.
>

The elephant in the room is that we no longer have E2E connectivity in
much of the world, so centralized polling utilities
such as those that use snmp, can't work through the multiple layers of NAT.

The edge has gone dark.

I wouldn't claim that snmp is unused in home networks, but it is
sorely underused, as the relevant monitoring utilities are complex to
setup and maintain.

I've been explicitly enabling snmp over ipv6, I note, and using tools
such as those available from 'dartware'


--
Dave Täht
SKYPE: davetaht
US Tel: 1-239-829-5608
http://www.bufferbloat.net


Re: [homenet] Home DNS server for homenet

2012-03-08 Thread Michael Richardson

> "Jim" == Jim Gettys  writes:
>> (%)-one need not have a globally reachable name.  One might be
>> registering into .homenet/.lan/.local.  This may be for the
>> benefit of machines which are still at home, and which need to
>> find your laptop.  Or the home user might have a global DNS
>> name. The difference is really just a matter of NS/DS records.

Jim> BTW, it appears Dave Taht has mDNS forwarding working between
Jim> networks in CeroWrt using Avah; but we need to do more testing.

so, basically it's just a proxy?

Jim> I don't think that is the only place where we may have such
Jim> issues; SNMP comes to mind, but I don't know how commonly that
Jim> is used in home environments.  - Jim

SNMP is unused in home networks.
I don't know why there is any issue with SNMP though.

-- 
]   He who is tired of Weird Al is tired of life!   |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON|net architect[
] m...@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video 
   then sign the petition. 




Re: [homenet] Home DNS server for homenet

2012-03-07 Thread Jim Gettys
On 03/07/2012 08:46 AM, Michael Richardson wrote:
>> "Mark" == Mark Andrews  writes:
> Mark> In message <19226.1331046...@marajade.sandelman.ca>, Michael 
> Richardson writes:
> >> > "Mark" == Mark Andrews  writes:
> Mark> A significant percentage of home machines will roam and those
> Mark> machines will need to be able to register their current
> Mark> address in the DNS.  I do this today when my Mac roams.  TSIG
> Mark> is unavoidable and cheap.  UPDATE itself is relatively cheap.
>
> >> Are you asking for a link-local/mDNS-across-the-homenet leap-of-faith
> >> way to do key establishment so that TSIG can be initialized?
>
> Mark> For homes a shared key is fine or if you want a small database of
> Mark> keys.
>
> You didn't answer my question!  I wasn't asking for justification, I was
> asking for clarification of what you are proposing.
>
> I imagine a situation where one plugs into the homenet with your laptop.
> Some application/agent on the laptop realizes (via mDNS/Bonjour? via
> DCHP? TBD) that this network supports IPv6, and supports persistent
> names.  It asks you if you'd like to persist your name into the local
> zone.  It has an option to say, "make this name follow me"(%).
>
> There is a protocol exchange (TBD) with the designated homenet DNS
> server(s), and this establishes a TSIG for later use.  
> Same TSIG could also be used to update the reverse map, but as you
> indicate, TCP from the address you want to update is probably good
> enough for addresses considered "local".
>
> While this might seems bit out of scope for homenet (to provide names for
> laptops which are not at home), it's actually not.   Depending upon how
> the protocol works, it might be another way to deal with the
> mDNS/Bonjour-does-not-cross-link problem.   If the TSIG setup protocol
> can be mediated(proxied) in a link-layer attached way, then it might be
> that we do not need to make Bonjour cross links, as we can just use DNS.
>
> (%)-one need not have a globally reachable name.  One might be
> registering into .homenet/.lan/.local.  This may be for the
> benefit of machines which are still at home, and which need to
> find your laptop.  Or the home user might have a global DNS
> name. The difference is really just a matter of NS/DS records.
>
>

BTW, it appears Dave Taht has mDNS forwarding working between networks
in CeroWrt using Avah; but we need to do more testing.

I don't think that is the only place where we may have such issues; SNMP
comes to mind, but I don't know how commonly that is used in home
environments.
- Jim



Re: [homenet] Home DNS server for homenet

2012-03-07 Thread Mark Andrews

In message <26689.1331127...@marajade.sandelman.ca>, Michael Richardson writes:
> > "Mark" == Mark Andrews  writes:
> Mark> In message <19226.1331046...@marajade.sandelman.ca>, Michael Richardson writes:
> >> > "Mark" == Mark Andrews  writes:
> Mark> A significant percentage of home machines will roam and those
> Mark> machines will need to be able to register their current
> Mark> address in the DNS.  I do this today when my Mac roams.  TSIG
> Mark> is unavoidable and cheap.  UPDATE itself is relatively cheap.
> 
> >> Are you asking for a link-local/mDNS-across-the-homenet leap-of-faith
> >> way to do key establishment so that TSIG can be initialized?
> 
> Mark> For homes a shared key is fine or if you want a small database of
> Mark> keys.
> 
> You didn't answer my question!  I wasn't asking for justification, I was
> asking for clarification of what you are proposing.

Ok. Let's look at a working model that Microsoft has with AD.  You boot
the machine, then an Administrator adds the machine to the AD domain using
the administrator's credentials.

One can do essentially the same thing with TKEY and get a TSIG key
that can be stored.  The home owner would register the machine with
the router using TKEY.  The credentials used would allow registration
on behalf.  TKEY supports sending additional data in the request; we
only need a standard description on how to do "on behalf of".

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: [homenet] Home DNS server for homenet

2012-03-07 Thread Michael Richardson

> "Mark" == Mark Andrews  writes:
Mark> In message <19226.1331046...@marajade.sandelman.ca>, Michael 
Richardson writes:
>> > "Mark" == Mark Andrews  writes:
Mark> A significant percentage of home machines will roam and those
Mark> machines will need to be able to register their current
Mark> address in the DNS.  I do this today when my Mac roams.  TSIG
Mark> is unavoidable and cheap.  UPDATE itself is relatively cheap.

>> Are you asking for a link-local/mDNS-across-the-homenet leap-of-faith
>> way to do key establishment so that TSIG can be initialized?

Mark> For homes a shared key is fine or if you want a small database of
Mark> keys.

You didn't answer my question!  I wasn't asking for justification, I was
asking for clarification of what you are proposing.

I imagine a situation where one plugs into the homenet with your laptop.
Some application/agent on the laptop realizes (via mDNS/Bonjour? via
DCHP? TBD) that this network supports IPv6, and supports persistent
names.  It asks you if you'd like to persist your name into the local
zone.  It has an option to say, "make this name follow me"(%).

There is a protocol exchange (TBD) with the designated homenet DNS
server(s), and this establishes a TSIG for later use.  
Same TSIG could also be used to update the reverse map, but as you
indicate, TCP from the address you want to update is probably good
enough for addresses considered "local".

While this might seems bit out of scope for homenet (to provide names for
laptops which are not at home), it's actually not.   Depending upon how
the protocol works, it might be another way to deal with the
mDNS/Bonjour-does-not-cross-link problem.   If the TSIG setup protocol
can be mediated(proxied) in a link-layer attached way, then it might be
that we do not need to make Bonjour cross links, as we can just use DNS.

(%)-one need not have a globally reachable name.  One might be
registering into .homenet/.lan/.local.  This may be for the
benefit of machines which are still at home, and which need to
find your laptop.  Or the home user might have a global DNS
name. The difference is really just a matter of NS/DS records.

-- 
]   He who is tired of Weird Al is tired of life!   |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON|net architect[
] m...@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video 
   then sign the petition. 





Re: [homenet] Home DNS server for homenet

2012-03-06 Thread Mark Andrews

In message <19226.1331046...@marajade.sandelman.ca>, Michael Richardson writes:
> > "Mark" == Mark Andrews  writes:
> Mark> A significant percentage of home machines will roam and those
> Mark> machines will need to be able to register their current
> Mark> address in the DNS.  I do this today when my Mac roams.  TSIG
> Mark> is unavoidable and cheap.  UPDATE itself is relatively cheap.
> 
> Are you asking for a link-local/mDNS-across-the-homenet leap-of-faith
> way to do key establishment so that TSIG can be initialized?

For homes a shared key is fine or if you want a small database of
keys.

Businesses would use a shared database between the nameserver and
the provisioning system for storing the TSIG key associations.  The
TSIG key should be assigned as part of the machine's registration
process.

The machines do the same thing in both environments.  Just the
implementation differs slightly.  TSIG is nothing more than a
name/secret pair.  One could go all the way to using GSS-TSIG but
that is overkill for the home network and for many small businesses.

The point is that the home router is expecting to see signed UPDATE
requests from both inside and outside and to potentially be a
master for zone transfers to external nameservers which publish the
zone to the world.  With IPv6 homes don't need to be second class
entities.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: [homenet] Home DNS server for homenet

2012-03-06 Thread Randy Turner
+1



On Mar 6, 2012, at 11:00 AM, Jim Gettys  wrote:

> On 03/06/2012 01:49 PM, Dave Taht wrote:
>> 
>> 
>> On Tue, Mar 6, 2012 at 10:23 AM, james woodyatt  wrote:
>> 
>>On Mar 6, 2012, at 07:15 , Michael Richardson  wrote:
>>> "Mark" == Mark Andrews  writes:
>>>   Mark> A significant percentage of home machines will roam and those
>>>   Mark> machines will need to be able to register their current
>>>   Mark> address in the DNS.  I do this today when my Mac roams.  TSIG
>>>   Mark> is unavoidable and cheap.  UPDATE itself is relatively cheap.
>>> 
>>> Are you asking for a link-local/mDNS-across-the-homenet leap-of-faith
>>> way to do key establishment so that TSIG can be initialized?
>> 
>> 
>>The alternative is to delegate all that business to 3rd parties
>>with big data centers in the proverbial cloud.  Yes, that means
>>that you're relying on Internet service to be constantly available
>>to resolve service locations on your local home network, but it
>>does seem to work reasonably well today.
>> 
>> 
>> In some parts of the world, maybe, like california.
>> 
>> Elsewhere, say in Nicaragua... not so much. I would personally prefer
>> that those designing this stuff with *any* dependencies on centralized
>> services spend some time doing research in south america, Libya,
>> africa, eastern europe, the australian outback, and places like that...
>> 
>> 
> 
> Or Peru, or Uruguay, or Uganda, or (given my OLPC experience).
> 
> I have to emphasise what Dave's saying here: requiring centralised
> services to work at all is really a non-starter, not to mention what
> happens when things break in the developed world. 
> 
> What's more, in those parts of the world, they can't afford either the
> reliable connectivity or expensive kit in schools/houses and often use
> off the shelf commodity home routers even in places we'd probably do
> something much better.  My point of view is to do it right in the home,
> so everyone benefits at the low end.
>- Jim
> 
> ___
> homenet mailing list
> homenet@ietf.org
> https://www.ietf.org/mailman/listinfo/homenet
> 


Re: [homenet] Home DNS server for homenet

2012-03-06 Thread Jim Gettys
On 03/06/2012 01:49 PM, Dave Taht wrote:
>
>
> On Tue, Mar 6, 2012 at 10:23 AM, james woodyatt  wrote:
>
> On Mar 6, 2012, at 07:15 , Michael Richardson  wrote:
> > "Mark" == Mark Andrews  writes:
> >Mark> A significant percentage of home machines will roam and those
> >Mark> machines will need to be able to register their current
> >Mark> address in the DNS.  I do this today when my Mac roams.  TSIG
> >Mark> is unavoidable and cheap.  UPDATE itself is relatively cheap.
> >
> > Are you asking for a link-local/mDNS-across-the-homenet leap-of-faith
> > way to do key establishment so that TSIG can be initialized?
>
>
> The alternative is to delegate all that business to 3rd parties
> with big data centers in the proverbial cloud.  Yes, that means
> that you're relying on Internet service to be constantly available
> to resolve service locations on your local home network, but it
> does seem to work reasonably well today.
>
>
> In some parts of the world, maybe, like california.
>
> Elsewhere, say in Nicaragua... not so much. I would personally prefer
> that those designing this stuff with *any* dependencies on centralized
> services spend some time doing research in south america, Libya,
> africa, eastern europe, the australian outback, and places like that...
>
>

Or Peru, or Uruguay, or Uganda, or (given my OLPC experience).

I have to emphasise what Dave's saying here: requiring centralised
services to work at all is really a non-starter, not to mention what
happens when things break in the developed world. 

What's more, in those parts of the world, they can't afford either the
reliable connectivity or expensive kit in schools/houses and often use
off the shelf commodity home routers even in places we'd probably do
something much better.  My point of view is to do it right in the home,
so everyone benefits at the low end.
- Jim



Re: [homenet] Home DNS server for homenet

2012-03-06 Thread Dave Taht
On Tue, Mar 6, 2012 at 10:23 AM, james woodyatt  wrote:

> On Mar 6, 2012, at 07:15 , Michael Richardson  wrote:
> > "Mark" == Mark Andrews  writes:
> >Mark> A significant percentage of home machines will roam and those
> >Mark> machines will need to be able to register their current
> >Mark> address in the DNS.  I do this today when my Mac roams.  TSIG
> >Mark> is unavoidable and cheap.  UPDATE itself is relatively cheap.
> >
> > Are you asking for a link-local/mDNS-across-the-homenet leap-of-faith
> > way to do key establishment so that TSIG can be initialized?
>
>
> The alternative is to delegate all that business to 3rd parties with big
> data centers in the proverbial cloud.  Yes, that means that you're relying
> on Internet service to be constantly available to resolve service locations
> on your local home network, but it does seem to work reasonably well today.
>

In some parts of the world, maybe, like california.

Elsewhere, say in Nicaragua... not so much. I would personally prefer that
those designing this stuff with *any* dependencies on centralized services
spend some time doing research in south america, Libya, africa, eastern
europe, the australian outback, and places like that...


> --
> james woodyatt 
> member of technical staff, core os networking
>
>
>
> ___
> homenet mailing list
> homenet@ietf.org
> https://www.ietf.org/mailman/listinfo/homenet
>



-- 
Dave Täht
SKYPE: davetaht
US Tel: 1-239-829-5608
http://www.bufferbloat.net


Re: [homenet] Home DNS server for homenet

2012-03-06 Thread james woodyatt
On Mar 6, 2012, at 07:15 , Michael Richardson  wrote:
> "Mark" == Mark Andrews  writes:
>Mark> A significant percentage of home machines will roam and those
>Mark> machines will need to be able to register their current
>Mark> address in the DNS.  I do this today when my Mac roams.  TSIG
>Mark> is unavoidable and cheap.  UPDATE itself is relatively cheap.
> 
> Are you asking for a link-local/mDNS-across-the-homenet leap-of-faith
> way to do key establishment so that TSIG can be initialized?


The alternative is to delegate all that business to 3rd parties with big data 
centers in the proverbial cloud.  Yes, that means that you're relying on 
Internet service to be constantly available to resolve service locations on 
your local home network, but it does seem to work reasonably well today.


--
james woodyatt 
member of technical staff, core os networking





Re: [homenet] Home DNS server for homenet

2012-03-06 Thread Michael Richardson

> "Mark" == Mark Andrews  writes:
Mark> A significant percentage of home machines will roam and those
Mark> machines will need to be able to register their current
Mark> address in the DNS.  I do this today when my Mac roams.  TSIG
Mark> is unavoidable and cheap.  UPDATE itself is relatively cheap.

Are you asking for a link-local/mDNS-across-the-homenet leap-of-faith
way to do key establishment so that TSIG can be initialized?

-- 
]   He who is tired of Weird Al is tired of life!   |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON|net architect[
] m...@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video 
   then sign the petition. 


Re: [homenet] Home DNS server for homenet

2012-03-05 Thread Mark Andrews

In message <5cff9c2c-e605-400a-b76b-acea4eced...@nominet.org.uk>, Ray Bellis writes:
> 
> On 5 Mar 2012, at 15:15, Kazunori Fujiwara wrote:
> 
> > I see. DHCP has enough function. RFC 2132 defines DHCP client host
> > name option, and RFC 4702 Section 3.2. "Client Desires to Update A
> > RRs" defines the option to DNS RR.
> > 
> > # I'm not aware that DHCPv6 has the same option.
> 
> Me neither, although whether DHCPv6 actually gets used within the Homenet (as
> opposed to standard Neighbor Discovery) remains to be seen.
> 
> > Using DHC client host name option is easier than implementing DNS
> > Update client in each client.
> 
> Agreed, and it removes the need for the TSIG key management normally required
> for DNS Dynamic Updates.

A significant percentage of home machines will roam and those
machines will need to be able to register their current address in
the DNS.  I do this today when my Mac roams.  TSIG is unavoidable
and cheap.  UPDATE itself is relatively cheap.

For PTR records TCP is a good enough authenticator for UPDATE.

> >> 1.  naming updates and queries between subnets
> > 
> > One upstream, and multiple subnets case, it may be solved by using one
> > DHCP server and multiple DHCP relay agents.
> 
> I was more thinking about mDNS - there's no standardised mechanism (although 
> drafts are forthcoming) for using "link-local mDNS" in multiple segments.
> 
> The options would appear to be either a multicast relay agent running on
> internal CPE, or an enhancement to mDNS to support "site-local" multicast.
> 
> > Multiple upstream case, manual configuration is necessary.  An end
> > user setup one DNS server which serves local zone and multiple
> > reverse zones. DHCP servers send updates to the DNS server.
> 
> The unicast case is likely simpler, but we also need to beware the case where
> the entire Homenet stops working because of the failure of a single "super
> node".
> 
> >> 2.  integration (or otherwise) of unicast DNS and mDNS
> > 
> > It is same as now.
> > Using different TLDs solves the problem.
> 
> It does, but without my co-chair hat on, I would prefer not to have different
>  namespaces for unicast vs multicast naming and discovery mechanisms.
> 
> 
> >> 3.  DNSSEC validation
> > 
> > DNS proxy can forward global queries to DNSSEC validators.
> 
> There are a lot of people who think that DNSSEC validation should be done as 
> close to the host as possible.  I'm inclined to agree with them.
> 
> The downside is that one then needs a way to bootstrap the root's DNSSEC key,
> and also a way to replace it should the RFC 5011 automated trust anchor update
> mechanism become unusable.
> 
> > Local zones do not require DNSSEC validation, I think.
> 
> I'm undecided on that.
> 
> > I thought to write I-D, but now, DHCP has enough capability,
> > I will consider the issue more.
> 
> Thank you - your input is much appreciated.
> 
> Ray
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: [homenet] Home DNS server for homenet

2012-03-05 Thread Michael Richardson

In the DNS space, I would like the WG to declare the name-based
selection of DNS servers (what some want to do for walled gardens)
should be ruled harmful.

If some walled garden wants the name-> mapping private, then 
just restrict queries to source addresses within the walled garden.
If necessary, add level of NS record.  

(IPv4 thinking would lead you to think you do not want to pollute
"public" DNS with RFC1918 A records, but IPv6 has no such problem)



Re: [homenet] Home DNS server for homenet

2012-03-05 Thread Kazunori Fujiwara
> From: Simon Perreault 
> On 2012-03-05 04:25, Ray Bellis wrote:
>> Thanks for your note.  The idea of running a local authoritative zone
>> alongside a forwarding proxy or full recursive server has been seen
>> already, for example in the "dnsmasq" software used by many CPE
>> vendors.
>>
>> It is also listed as requirement LAN.DNS.6 in the Broadband Forum's
>> TR-124 Issue 2.  As such a draft describing this is probably
>> unnecessary.
> 
> If I understand the original post correctly, it goes much further than
> just saying "home router MUST have an authoritative server". It
> specifies a new usage pattern of that server on the home net. That
> could mean new draft in this WG, wouldn't it?

I think a BCP document or implementation guide is necessary.

There are at least three points, I think.

+-----------------------+------+--------------------------------+-----------------------+
| function              | mDNS | DHCP                           | DNS update            |
+-----------------------+------+--------------------------------+-----------------------+
| resolving             | mDNS | normal DNS query via DNS proxy                         |
| holding zones         | mDNS | authoritative DNS server                               |
+-----------------------+------+--------------------------------+-----------------------+
| declaring client name | mDNS | DHCP client name               | DNS update (directly) |
+-----------------------+------+--------------------------------+-----------------------+
| implementation        | mDNS | dnsmasq or DHCPD+BIND          | new                   |
+-----------------------+------+--------------------------------+-----------------------+

mDNS requires special code to resolve the domain name. (Doesn't it?)

dnsmasq has an authoritative server function in it.

--
Kazunori Fujiwara, JPRS


Re: [homenet] Home DNS server for homenet

2012-03-05 Thread Ray Bellis

On 5 Mar 2012, at 15:15, Kazunori Fujiwara wrote:

> I see. DHCP has enough function. RFC 2132 defines DHCP client host
> name option, and RFC 4702 Section 3.2. "Client Desires to Update A
> RRs" defines the option to DNS RR.
> 
> # I'm not aware that DHCPv6 has the same option.

Me neither, although whether DHCPv6 actually gets used within the Homenet (as 
opposed to standard Neighbor Discovery) remains to be seen.

> Using DHC client host name option is easier than implementing DNS
> Update client in each client.

Agreed, and it removes the need for the TSIG key management normally required 
for DNS Dynamic Updates.

>> 1.  naming updates and queries between subnets
> 
> One upstream, and multiple subnets case, it may be solved by using one
> DHCP server and multiple DHCP relay agents.

I was more thinking about mDNS - there's no standardised mechanism (although 
drafts are forthcoming) for using "link-local mDNS" in multiple segments.

The options would appear to be either a multicast relay agent running on 
internal CPE, or an enhancement to mDNS to support "site-local" multicast.

> Multiple upstream case, manual configuration is necessary.  An end
> user setup one DNS server which serves local zone and multiple
> reverse zones. DHCP servers send updates to the DNS server.

The unicast case is likely simpler, but we also need to beware the case where 
the entire Homenet stops working because of the failure of a single "super 
node".

>> 2.  integration (or otherwise) of unicast DNS and mDNS
> 
> It is same as now.
> Using different TLDs solves the problem.

It does, but without my co-chair hat on, I would prefer not to have different 
namespaces for unicast vs multicast naming and discovery mechanisms.


>> 3.  DNSSEC validation
> 
> DNS proxy can forward global queries to DNSSEC validators.

There are a lot of people who think that DNSSEC validation should be done as 
close to the host as possible.  I'm inclined to agree with them.

The downside is that one then needs a way to bootstrap the root's DNSSEC key, 
and also a way to replace it should the RFC 5011 automated trust anchor update 
mechanism become unusable.

> Local zones does not require DNSSEC validation, I think.

I'm undecided on that.

> I thought to write I-D, but now, DHCP has enough capability,
> I will consider the issue more.

Thank you - your input is much appreciated.

Ray



Re: [homenet] Home DNS server for homenet

2012-03-05 Thread Ray Bellis

On 5 Mar 2012, at 15:10, Simon Perreault wrote:

> That could mean new draft in this WG, wouldn't it?

It _might_, but IMHO not until we've addressed those "bigger picture" issues I 
mentioned.

In practice, all such CPE servers that I know of that implement the TR-124 
requirement do it using the same usage pattern as Fujiwara-san described.

Ray



Re: [homenet] Home DNS server for homenet

2012-03-05 Thread Kazunori Fujiwara
Ray-san,

Thanks for your comments.

> From: Ray Bellis 
> Thanks for your note.  The idea of running a local authoritative zone 
> alongside a forwarding proxy or full recursive server has been seen already, 
> for example in the "dnsmasq" software used by many CPE vendors.

I see. DHCP has enough function. RFC 2132 defines DHCP client host
name option, and RFC 4702 Section 3.2. "Client Desires to Update A
RRs" defines the option to DNS RR.

# I'm not aware that DHCPv6 has the same option.

Using DHC client host name option is easier than implementing DNS
Update client in each client.

"dnsmasq" seems to have enough function (except multiple subnets,
multiple upstreams).

Or a combination of isc-dhcpd and BIND 9 may achieve all of DNS related
works.

> It is also listed as requirement LAN.DNS.6 in the Broadband Forum's TR-124 
> Issue 2.  As such a draft describing this is probably unnecessary.
> 
> Your DNS expertise would of course be much appreciated as we start to tackle 
> the wider issues around naming in the Homenet, specifically:
> 
> 1.  naming updates and queries between subnets

One upstream, and multiple subnets case, it may be solved by using one
DHCP server and multiple DHCP relay agents.

Multiple upstream case, manual configuration is necessary.  An end
user setup one DNS server which serves local zone and multiple
reverse zones. DHCP servers send updates to the DNS server.

> 2.  integration (or otherwise) of unicast DNS and mDNS

It is same as now.
Using different TLDs solves the problem.

> 3.  DNSSEC validation

DNS proxy can forward global queries to DNSSEC validators.
Local zones do not require DNSSEC validation, I think.


I thought to write I-D, but now, DHCP has enough capability,
I will consider the issue more.

Regards,

--
Kazunori Fujiwara, JPRS
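The two DHCP options Fujiwara-san contrasts, the RFC 2132 host-name option and the RFC 4702 Client FQDN option, decoded in an added example (not code from the thread or from dnsmasq/ISC dhcpd); the option bytes at the bottom are constructed for the example.

```python
# Added example (not from the thread): decoder for the DHCPv4 Client FQDN
# option (RFC 4702, code 81) next to the plain host-name option (RFC 2132,
# code 12). The option bytes at the bottom are constructed for this example.
OPTION_HOST_NAME = 12    # RFC 2132: host name as a plain ASCII string
OPTION_CLIENT_FQDN = 81  # RFC 4702: flags, RCODE1, RCODE2, domain name
# RFC 4702 section 2.1 flag bits, low to high: S, O, E, N (upper nibble MBZ)
FLAG_S = 0x01  # 1 = client asks the server to update the A RR for it
FLAG_O = 0x02  # 1 = server overrode the client's S setting (server to client)
FLAG_E = 0x04  # 1 = name in DNS wire format, 0 = deprecated ASCII form
FLAG_N = 0x08  # 1 = client asks the server to perform no DNS updates at all

def decode_wire_name(data: bytes) -> str:
    """Decode an uncompressed DNS wire-format name into dotted text."""
    labels, pos = [], 0
    while pos < len(data) and data[pos] != 0:
        length = data[pos]
        if length > 63 or pos + 1 + length > len(data):
            raise ValueError("malformed label in Client FQDN option")
        labels.append(data[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels) + "."

def parse_client_fqdn(value: bytes) -> dict:
    """Parse the value of option 81 into its flags and domain name."""
    if len(value) < 3 or value[0] & 0xF0:
        raise ValueError("bad Client FQDN option (too short or MBZ bits set)")
    flags, name_bytes = value[0], value[3:]
    name = decode_wire_name(name_bytes) if flags & FLAG_E else name_bytes.decode("ascii")
    return {
        "name": name,
        "server_updates_a": bool(flags & FLAG_S),
        "server_overrode": bool(flags & FLAG_O),
        "no_server_updates": bool(flags & FLAG_N),
    }

def parse_options(options: bytes) -> dict:
    """Walk a DHCPv4 option list (after the magic cookie), collecting 12 and 81."""
    found, pos = {}, 0
    while pos < len(options) and options[pos] != 255:  # 255 = End option
        if options[pos] == 0:                           # 0 = Pad option
            pos += 1
            continue
        code, length = options[pos], options[pos + 1]
        value = options[pos + 2:pos + 2 + length]
        pos += 2 + length
        if code == OPTION_HOST_NAME:
            found["host_name"] = value.decode("ascii")
        elif code == OPTION_CLIENT_FQDN:
            found["client_fqdn"] = parse_client_fqdn(value)
    return found

# Constructed sample: option 12 "printer", then option 81 with E=1, S=0, N=0
# (RFC 4702 section 3.2: the client updates its own A RR, server may do PTR).
WIRE_NAME = b"\x07printer\x04home\x07example\x00"
SAMPLE_OPTIONS = (
    bytes([OPTION_HOST_NAME, 7]) + b"printer"
    + bytes([OPTION_CLIENT_FQDN, 3 + len(WIRE_NAME), FLAG_E, 0, 0]) + WIRE_NAME
    + b"\xff"
)
```

With S=0 and N=0 the client is telling the server it will send the A RR UPDATE itself, which is exactly where the TSIG question raised elsewhere in the thread comes back.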


Re: [homenet] Home DNS server for homenet

2012-03-05 Thread Simon Perreault

On 2012-03-05 04:25, Ray Bellis wrote:

> Thanks for your note.  The idea of running a local authoritative zone alongside a 
> forwarding proxy or full recursive server has been seen already, for example in the 
> "dnsmasq" software used by many CPE vendors.
> 
> It is also listed as requirement LAN.DNS.6 in the Broadband Forum's TR-124 
> Issue 2.  As such a draft describing this is probably unnecessary.


If I understand the original post correctly, it goes much further than 
just saying "home router MUST have an authoritative server". It 
specifies a new usage pattern of that server on the home net. That could 
mean new draft in this WG, wouldn't it?


Simon
--
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source--> http://ecdysis.viagenie.ca
STUN/TURN server   --> http://numb.viagenie.ca


Re: [homenet] Home DNS server for homenet

2012-03-05 Thread Jim Gettys
On 03/02/2012 06:21 AM, fujiw...@jprs.co.jp wrote:
> Hello,
>
> I have an idea of home DNS server written in section 3.4.9 of
> homenet-arch-01.
>
> Home gateways (CPE) have a DNS proxy function,
> and all nodes in the network usually send DNS queries via the DNS proxy.
>
> My idea is to add authoritative DNS server function of local zone to
> home gateways.
>
> A home gateway serves one forward local zone and local reverse zones
> which the home gateway manages/offers by RA or DHCP.
>
> The authoritative DNS server function accepts DNS dynamic updates
> whose owner name is within the forward local zone and whose IP address
> is within the IP addresses which the home gateway manages.
>
> When an end node starts, it gets IP/IPv6 address and DNS server
> information, DNS domain name prefix information from the home gateway.
> (option domain-name-servers and option domain-name in ISC dhcpd)
> option domain-name can be used to provide the local forward zone name.
>
> If the end node wants to register its name into home DNS server,
> it sends DNS dynamic update to the DNS servers which it got by DHCP.
>
> Clients can access the registered hostname using normal DNS lookup via
> the DNS proxy.
>
> There are many points to be cleared. But the idea may work well and
> it does not require new protocol and rewriting clients.
>
> It requires new home gateway (DNS proxy) and new dynamic update
> program used by home servers.
>
> If there are multiple subnets and multiple home gateways,
> DNS protocol has enough functions
> (relaying dynamic updates, zone transfers,...).
>
> I think the idea works for both IPv4 with NAT and IPv6.
>
> Does the idea work for homenet WG?
> Or already discussed?
>
> If the idea is valuable, I will write a draft and sample DNS server.
>
>
Note that CeroWrt (a derivative of OpenWrt in which we are doing our
bufferbloat work) has a full Bind 9.9 implementation you can experiment
with today, and that this has been our intent from the beginning, both
to simplify naming for users, and to get a DNSSEC implementation.

A dnsmasq implementation would be welcome, for a couple reasons:
competition is good, and it would likely be a lot smaller than ISC Bind
is.  But code that exists and runs trumps code not yet ready for
primetime.

We'd love to have some help to flesh this out properly; it needs
scripting support to get fully implemented the way we've envisioned it.

We don't currently use ISC DHCP, as it's currently (due to an
implementation crock being worked on) too big; there is a dibbler
implementation being shaken down.

See http://www.bufferbloat.net/projects/cerowrt
- Jim

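The acceptance rule from the original post quoted above (owner name inside the local forward zone, address inside a prefix the gateway hands out), combined with Mark Andrews' remarks elsewhere in the thread that TCP is a good enough authenticator for PTR updates and that TSIG is unavoidable once hosts register from somewhere else, as an added example that is not the thread's or any project's code. The zone, prefixes and requests are constructed, TSIG verification is assumed to have happened before this check, and the managed-prefix rule is kept as the original post states it, so an off-net roaming address would still be refused here.

```python
# Added example (not from the thread): UPDATE acceptance policy for the home
# gateway's authoritative server. Zone, prefixes and requests are constructed;
# TSIG verification is assumed to have been done by the caller.
import ipaddress
from dataclasses import dataclass

LOCAL_ZONE = "home.example."          # constructed forward zone
MANAGED_PREFIXES = [                  # constructed prefixes offered by RA/DHCP
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:1::/64"),
]

@dataclass
class UpdateRequest:
    owner: str     # owner name of the RR to add, e.g. "tv.home.example."
    rrtype: str    # "A", "AAAA" or "PTR"
    rdata: str     # address for A/AAAA, target name for PTR
    source: str    # address the UPDATE arrived from
    tcp: bool      # carried over TCP, so the source address was not spoofed
    tsig_ok: bool  # a TSIG signature was present and verified (elsewhere)

def name_in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or a subdomain of it (case-insensitive)."""
    name, zone = name.lower().rstrip(".") + ".", zone.lower()
    return name == zone or name.endswith("." + zone)

def in_managed_prefix(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in prefix for prefix in MANAGED_PREFIXES)

def check_update(req: UpdateRequest) -> tuple:
    """Return (accepted, reason) for a single-RR UPDATE to the local zones."""
    src = ipaddress.ip_address(req.source)
    if req.rrtype in ("A", "AAAA"):
        if not name_in_zone(req.owner, LOCAL_ZONE):
            return False, "owner name outside the local forward zone"
        if not in_managed_prefix(req.rdata):
            return False, "address is not one this gateway manages"
        # On-link host registering the address it is sending from: TCP suffices.
        if req.tcp and src == ipaddress.ip_address(req.rdata):
            return True, "accepted: TCP source matches registered address"
        # Sent from somewhere other than the registered address: require TSIG.
        if req.tsig_ok:
            return True, "accepted: TSIG verified"
        return False, "refused: TSIG required for this registration"
    if req.rrtype == "PTR":
        if not (req.tcp and in_managed_prefix(req.source)):
            return False, "PTR updates need TCP from a managed address"
        if req.owner.lower() != src.reverse_pointer + ".":
            return False, "PTR owner is not the reverse name of the TCP source"
        if not name_in_zone(req.rdata, LOCAL_ZONE):
            return False, "PTR target outside the local forward zone"
        return True, "accepted: TCP source owns this reverse name"
    return False, "RR type %s not accepted in the local zones" % req.rrtype
```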


Re: [homenet] Home DNS server for homenet

2012-03-05 Thread Simon Kelley

On 05/03/12 09:25, Ray Bellis wrote:

> The idea of running a local authoritative zone alongside a forwarding
> proxy or full recursive server has been seen already, for example in
> the "dnsmasq" software used by many CPE vendors.


I'm the principal author of dnsmasq, and on this list to try and make 
dnsmasq better in the Brave New World. I'm happy to get any suggestions 
on developments to dnsmasq that would further the Homenet remit, either 
on or off list. In the meantime I'll point out that the next release of 
dnsmasq, which features DHCPv6 and Router Advertisement support, is 
imminent.



Cheers,

Simon.


Re: [homenet] Home DNS server for homenet

2012-03-05 Thread Ray Bellis

On 2 Mar 2012, at 11:21, wrote:

> I think the idea works for both IPv4 with NAT and IPv6.
> 
> Does the idea work for homenet WG?
> Or already discussed?
> 
> If the idea is valuable, I will write a draft and sample DNS server.

Fujiwara-san

Thanks for your note.  The idea of running a local authoritative zone alongside 
a forwarding proxy or full recursive server has been seen already, for example 
in the "dnsmasq" software used by many CPE vendors.

It is also listed as requirement LAN.DNS.6 in the Broadband Forum's TR-124 
Issue 2.  As such a draft describing this is probably unnecessary.

Your DNS expertise would of course be much appreciated as we start to tackle 
the wider issues around naming in the Homenet, specifically:

1.  naming updates and queries between subnets
2.  integration (or otherwise) of unicast DNS and mDNS
3.  DNSSEC validation

kind regards,

Ray



