Re: [homenet] I-D Action: draft-ietf-homenet-dot-11.txt (FINAL?)

2017-08-09 Thread Mark Andrews 

In message

Re: [homenet] I-D Action: draft-ietf-homenet-dot-11.txt (FINAL?)

2017-08-09 Thread Ted Lemon 
What does forwarding DS lookups for home.arpa out of the homenet do?   That
is, suppose I implement a cache that doesn't do this: what bad thing
happens?   It's going to return NXDOMAIN, right?   Isn't it the NSEC
lookups that have to succeed, and the NS record lookup?   And doesn't the
NS record have to be forged?

I think this actually means that it does have to be an unsigned delegation.
  Argh.

Hm, thinking farther, no, it doesn't, because it's okay to return the right
answer for the delegation as long as the stub resolver is willing to rely
on the cache, which we've already specified it must do.   So what's the
failure mode that this new text prevents?  Oh, you have to look up the DS
record to get the NSEC that validates it?

(I'm leaving in all of the stuff I typed while I was thinking this through
because I'm not sure I got it right, and you can point out what I got
wrong.)

On Tue, Aug 8, 2017 at 11:17 PM, Mark Andrews  wrote:

>
> In message <79597e4d-dec0-4622-a410-003b45eb5...@fugue.com>, Ted Lemon
> writes:
> > I updated homenet-dot with the change that Mark requested regarding
> > signed, unsigned and insecure delegations.   I believe the text is
> > correct now, but would appreciate a sanity check.   Otherwise, I think
> > it's up to the chairs to make the next move.
>
> I would explictly list DS home.arpa as a exception.  (I had to file
> a bug report against recursive server that failed to have this
> exception this week for AS112 zones.  The bug has been fixed.)  Also
> I wouldn't be using '.home.arpa.' as we also want to stop queries
> for 'home.arpa' leaving the home.  There are a couple of references
> to '.home.arpa'.
>
> e.g.
>
> Old:
>DNS queries for names ending with '.home.arpa.' are resolved using
>local resolvers on the homenet.  Such queries MUST NOT be recursively
>forwarded to servers outside the logical boundaries of the homenet.
>
> New:
>DNS queries for names ending with 'home.arpa.' are resolved using
>local resolvers on the homenet.  Such queries MUST NOT be recursively
>forwarded to servers outside the logical boundaries of the homenet with
>the exception of DS lookups for 'home.arpa.'.
>
> Mark
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>
___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] I-D Action: draft-ietf-homenet-dot-11.txt (FINAL?)

2017-08-08 Thread Mark Andrews 

In message <79597e4d-dec0-4622-a410-003b45eb5...@fugue.com>, Ted Lemon writes:
> I updated homenet-dot with the change that Mark requested regarding
> signed, unsigned and insecure delegations.   I believe the text is
> correct now, but would appreciate a sanity check.   Otherwise, I think
> it's up to the chairs to make the next move.

I would explictly list DS home.arpa as a exception.  (I had to file
a bug report against recursive server that failed to have this
exception this week for AS112 zones.  The bug has been fixed.)  Also
I wouldn't be using '.home.arpa.' as we also want to stop queries
for 'home.arpa' leaving the home.  There are a couple of references
to '.home.arpa'.

e.g.

Old:
   DNS queries for names ending with '.home.arpa.' are resolved using
   local resolvers on the homenet.  Such queries MUST NOT be recursively
   forwarded to servers outside the logical boundaries of the homenet.

New:
   DNS queries for names ending with 'home.arpa.' are resolved using
   local resolvers on the homenet.  Such queries MUST NOT be recursively
   forwarded to servers outside the logical boundaries of the homenet with
   the exception of DS lookups for 'home.arpa.'.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet

Re: [homenet] I-D Action: draft-ietf-homenet-dot-11.txt (FINAL?)

2017-08-08 Thread Ted Lemon 
I updated homenet-dot with the change that Mark requested regarding signed, 
unsigned and insecure delegations.   I believe the text is correct now, but 
would appreciate a sanity check.   Otherwise, I think it's up to the chairs to 
make the next move.

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet