On Dec 15, 2016, at 4:41 PM, Michael StJohns <m...@nthpermutation.com> wrote:
> The problem with providing an unsecured delegation for .homenet is that items
> subsidiary to .homenet become spoofable in the wider internet and that's not
> necessarily a good thing. It might make life easier for the homenet folks to
> use the unsecured .homenet local zone, but it might have adverse consequences
> for the non-homenet folken.
Until every single zone in the DNS is signed, this problem will exist. This problem would exist if we used .home.arpa. instead of .homenet. If we want to solve this problem, it’s going to require an extension to the DNS that provides a way to mark zones of this sort. I would be more willing to fall on this sword if we actually got more security out of it, but I don’t think we do.

The other thing the IETF could say to the homenet working group is simply "no, you have to solve the naming hierarchy problem on homenets, and you don’t get to have an unsigned delegation at all." But that solution would have an unreasonably large number of moving parts.

I would rather see us take a step in a direction towards things working, and then based on our wish that things be more secure, make incremental steps in that direction. Those incremental steps do not now exist, and requiring any or all of them as a prerequisite for working service discovery on homenets is too much.
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
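The point argued above, that an unsigned delegation leaves everything beneath it unvalidated whichever name is chosen, can be made concrete with a small model of how a validating resolver walks the chain of trust. The following is an added example, not code from this thread or from the DNSOP or homenet working groups. The zone tree is constructed (`homenet.` and `home.arpa.` are modelled as unsigned delegations, `example.` as a signed one), and the three outcome names follow the RFC 4035 vocabulary of Secure, Insecure and Bogus.

```python
"""
Toy model of DNSSEC chain-of-trust evaluation along a delegation chain.
Added example, not code from the thread; the zone data below is constructed.
A validating resolver classifies an answer (RFC 4035 terms) as:
  Secure   - every zone cut from the trust anchor down is signed and has a DS in its parent
  Insecure - a provably unsigned delegation (NSEC/NSEC3 proof of "no DS") was crossed,
             so everything beneath it is accepted without validation
  Bogus    - the chain is broken in a way that cannot be proven legitimate
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    signed: bool         # zone publishes DNSKEY and RRSIG records
    ds_in_parent: bool   # parent publishes a DS record for this zone (True for the trust anchor)
    no_ds_proven: bool   # parent's NSEC/NSEC3 proves that no DS record exists


# Constructed zone tree (hypothetical, not real DNS data). The root, "arpa." and
# "example." are signed; "homenet." and "home.arpa." are modelled as the unsigned
# delegations discussed in the thread.
ZONES = {
    ".":          Zone(signed=True,  ds_in_parent=True,  no_ds_proven=False),
    "arpa.":      Zone(signed=True,  ds_in_parent=True,  no_ds_proven=False),
    "example.":   Zone(signed=True,  ds_in_parent=True,  no_ds_proven=False),
    "homenet.":   Zone(signed=False, ds_in_parent=False, no_ds_proven=True),
    "home.arpa.": Zone(signed=False, ds_in_parent=False, no_ds_proven=True),
}


def zone_chain(name, zones=ZONES):
    """Zone cuts from the root down to the closest known zone enclosing `name`.

    Names that fall under no listed zone are treated as living in the closest
    listed ancestor (the toy ignores validated NXDOMAIN proofs).
    """
    labels = [label for label in name.rstrip(".").split(".") if label]
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            chain.append(candidate)
    return chain


def validation_state(name, zones=ZONES):
    """Walk the chain from the trust anchor; the first broken cut decides the outcome."""
    for cut in zone_chain(name, zones):
        zone = zones[cut]
        if zone.signed and zone.ds_in_parent:
            continue                      # link verified, keep descending
        if not zone.ds_in_parent and zone.no_ds_proven:
            return "Insecure"             # unsigned delegation: no validation below this point
        return "Bogus"                    # DS published but zone unsigned, or absence of DS unproven
    return "Secure"


def accepted_unvalidated(name, zones=ZONES):
    """True when a validating resolver hands the answer back without the AD bit,
    i.e. when DNSSEC offers no protection against a forged response for this name."""
    return validation_state(name, zones) == "Insecure"


def with_signed_delegation(zones, cut):
    """Counterfactual: the same tree with `cut` signed and a DS published by its parent."""
    updated = dict(zones)
    updated[cut] = Zone(signed=True, ds_in_parent=True, no_ds_proven=False)
    return updated


if __name__ == "__main__":
    for qname in ("printer.homenet.", "printer.home.arpa.", "www.example."):
        print(f"{qname:22} {validation_state(qname):9} unvalidated={accepted_unvalidated(qname)}")
    signed = with_signed_delegation(ZONES, "homenet.")
    print("printer.homenet. with a signed delegation:", validation_state("printer.homenet.", signed))
```

Both `printer.homenet.` and `printer.home.arpa.` come out Insecure: the resolver crosses a proven "no DS" cut and stops validating, so the choice of name changes nothing about the exposure. The counterfactual helper shows the only thing that does change the outcome is signing the delegation itself, which is the "extension" and "incremental steps" the message says do not yet exist for homenets.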