Last Call Review of draft-ietf-homenet-dot-12
review-ietf-homenet-dot-12-secdir-lc-migault-2017-08-18-00
| Request | Review of | draft-ietf-homenet-dot |
|---|---|---|
| Requested revision | No specific revision (document currently at 14) | |
| Type | Last Call Review | |
| Team | Security Area Directorate (secdir) | |
| Deadline | 2017-08-25 | |
| Requested | 2017-08-11 | |
| Authors | Pierre Pfister , Ted Lemon | |
| I-D last updated | 2017-08-18 | |
| Completed reviews |
Opsdir Early review of -03
by Jon Mitchell
(diff)
Intdir Early review of -03 by Dave Thaler (diff) Secdir Last Call review of -12 by Daniel Migault (diff) Genart Last Call review of -12 by Dale R. Worley (diff) |
|
| Assignment | Reviewer | Daniel Migault |
| State | Completed | |
| Request | Last Call review on draft-ietf-homenet-dot by Security Area Directorate Assigned | |
| Reviewed revision | 12 (document currently at 14) | |
| Result | Has nits | |
| Completed | 2017-08-18 |
review-ietf-homenet-dot-12-secdir-lc-migault-2017-08-18-00
Thank you for writing the draft. Please find my comments. I hope there are helpful.
Yours,
Daniel
Special Use Domain 'home.arpa.'
draft-ietf-homenet-dot-12
Abstract
This document specifies the behavior that is expected from the Domain
Name System with regard to DNS queries for names ending with
'.home.arpa.', and designates this domain as a special-use domain
name. 'home.arpa.' is designated for non-unique use in residential
home networks. Home Networking Control Protocol (HNCP) is updated to
use the 'home.arpa.' domain instead of '.home'.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
MGLT: I would personally start by saying the document defines a
special-use domain name and then defines the behavior.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 11, 2018.
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
Pfister & Lemon Expires February 11, 2018 [Page 1]
Internet-Draft dot homenet August 2017
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3
3. General Guidance . . . . . . . . . . . . . . . . . . . . . . 3
4. Domain Name Reservation Considerations . . . . . . . . . . . 3
5. Updates to Home Networking Control Protocol . . . . . . . . . 5
6. Security Considerations . . . . . . . . . . . . . . . . . . . 6
7. Delegation of 'home.arpa.' . . . . . . . . . . . . . . . . . 7
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 7
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
10.1. Normative References . . . . . . . . . . . . . . . . . . 8
10.2. Informative References . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction
Users and devices within a home network (hereafter "homenet") require
devices and services to be identified by names that are unique within
the boundaries of the homenet [RFC7368]. The naming mechanism needs
to function without configuration from the user. While it may be
possible for a name to be delegated by an ISP, homenets must also
function in the absence of such a delegation. A default name with a
scope limited to each individual homenet needs to be used.
This document corrects an error in [RFC7788], replacing '.home' with
'home.arpa.' as the default domain-name for homenets. '.home' had
been selected as the most user-friendly option. However, there are
existing uses of '.home' that may be in conflict with this use:
evidence indicates that '.home' queries frequently leak out and reach
the root name servers [ICANN1] [ICANN2].
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
MGLT: I believe that more important than the leak is that the
introduction of .home in the root zone has been identified as
highly risky. Another reason for not adopting it are also some
uncertainty about its introduction into the root zone.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
In addition, it's necessary, for compatibility with DNSSEC
(Section 6), that an insecure delegation ([RFC4035] section 4.3) be
present for the name. There is an existing process for allocating
names under '.arpa' [RFC3172]. No such process is available for
requesting a similar delegation in the root at the request of the
IETF, which does not administer that zone. As a result, the use of
'.home' is deprecated.
This document registers the domain '.home.arpa.' as a special-use
domain name [RFC6761] and specifies the behavior that is expected
from the Domain Name System with regard to DNS queries for names
whose rightmost non-terminal labels are 'home.arpa.'. Queries for
Pfister & Lemon Expires February 11, 2018 [Page 2]
Internet-Draft dot homenet August 2017
names ending with '.home.arpa.' are of local significance within the
scope of a homenet, meaning that identical queries will result in
different results from one homenet to another. In other words, a
name ending in 'home.arpa.' is not globally unique.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
MGLT: I think the text mentioned in the beginning of the paragraph
above should be in the abstract. That was the sense of my previous
comment.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Although this document makes specific reference to RFC7788, it is not
intended that the use of 'home.arpa.' be restricted solely to
networks where HNCP is deployed; it is rather the case that
'home.arpa.' is the correct domain for uses like the one described
for '.home' in RFC7788: local name service in residential homenets.
2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. General Guidance
The domain name '.home.arpa.' is to be used for naming within
residential homenets. Names ending with '.home.arpa.' reference a
locally-served zone, the contents of which are unique only to a
particular homenet, and are not globally unique. Such names refer to
nodes and/or services that are located within a homenet (e.g., a
printer, or a toaster).
DNS queries for names ending with '.home.arpa.' are resolved using
local resolvers on the homenet. Such queries MUST NOT be recursively
forwarded to servers outside the logical boundaries of the homenet.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
MGLT: "local resolvers" seems to me mis-leading. Your resolver may
be local but still forward the query to the Global Internet. I do
not see better ways to say it other than inside the boundaries of
the homenet. Maybe we could say:
DNS queries for names ending with '.home.arpa.' are resolved using
homenet specific resolution mechanisms.
Eventually an informational reference to the simple naming
architecture may be added so the reader can refer to the doc
for further information. For full disclosure Ted and I are
co-authors.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Some service discovery user interfaces that are expected to be used
on homenets conceal information such as domain names from end users.
However, it is still expected that in some cases, users will need to
see, remember, and even type, names ending with 'home.arpa.'. It is
therefore desirable that users identify the domain and understand
that using it expresses the intention to connect to a service that is
specific to the homenet to which they are connected. Enforcing the
fulfillment of this intention is out of scope for this document.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
MGLT: I have difficulties understanding the paragraph above. If
the idea is to say home.arpa has special meaning that should be
considered by GUIs I would propose the following ordering.
It is
therefore desirable that users identify the domain and understand
that using it expresses the intention to connect to a service that is
specific to the homenet to which they are connected.
Some service discovery user interfaces that are expected to be used
on homenets conceal information such as domain names from end users.
However, it is still expected that in some cases, users will need to
see, remember, and even type, names ending with 'home.arpa.'.
Enforcing the
fulfillment of this intention is out of scope for this document.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
4. Domain Name Reservation Considerations
This section defines the behavior of systems involved in domain name
resolution when resolving queries for names ending with '.home.arpa.'
(as per [RFC6761]).
Pfister & Lemon Expires February 11, 2018 [Page 3]
Internet-Draft dot homenet August 2017
1. Users can use names ending with '.home.arpa.' just as they would
use any other domain name. The 'home.arpa.' name is chosen to be
readily recognized by users as signifying that the name is
addressing a service on the homenet to which the user's device is
connected.
2. Application software SHOULD NOT treat names ending in
'home.arpa.' differently than other names. In particular, there
is no basis for trusting names that are subdomains of
'home.arpa.' (see Section 6).
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
MGLT: a domain name ending in home.arpa may be resolved differently
that a regular domain name. As a result a different treatment is
applied. I think that "treat" means that no special meaning - other
that the domain name is inside the homenet boundaries - should be
associated to a home.arpa. If I am correct I would limit the
consideration to the name rather then the application.
I would suggest the text below:
names ending in home.arpa SHOULD NOT be associated any other
properties than the affiliation to the homenet. In particular, there
is no basis for trusting names that are subdomains of
'home.arpa.' (see Section 6).
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
3. Name resolution APIs and libraries MUST NOT recognize names that
end in '.home.arpa.' as special and MUST NOT treat them
differently. Name resolution APIs MUST send queries for such
names to a recursive DNS server that is configured to be
authoritative for the 'home.arpa.' zone appropriate to the
homenet.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
MGLT: I believe the text below does not concern the library but
the resolver. It is different to say libraries MUST NOT have
specific considerations for home.arpa than a resolution service
that may use different libraries MUST NOT consider the home.arpa
differently.
My understanding of the text below is that the resolver and the
authoritative server for the home.arpa MUST be co-located. The
reasons I think this is not exact is that resolution for
home.arpa can also be provided by other mechanisms than an
authoritative server. Typically, resolution can be done by
requesting Authoritative Servers, Advertising Proxies, Hybrid
Proxies (now called Discovery Proxies)....
The other reason is do not see the text below accurate is that
you may have a DNS Proxy that transparently to the end user split
the resolution between homenet specific resolutions when home.arpa
is encountered while other names are sent to the ISP resolver.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
One or more IP addresses for recursive DNS servers will
usually be supplied to the client through router advertisements
or DHCP. If a host is configured to use a resolver other than
one that is authoritative for the appropriate 'home.arpa.' zone,
the client may be unable to resolve, or may receive incorrect
results for, names in sub domains of 'home.arpa.'.
4. Caching resolvers conforming to this specification MUST support
DNSSEC queries. While validation is not required, it is strongly
encouraged; a caching resolver that does not validate answers
that can be validated may cache invalid data; this will prevent
validating stub resolvers from successfully validating answers.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
MGLT: I see the text above as a recommendation for caching resolvers
in the homenet, but the relation to the home.arpa is unclear to me.
Was the intention to say that names under the home.arpa zone SHOULD
be secured with DNSSEC so caching resolvers MUST support DNSSEC
validation. In addition, these caching resolvers MUST also be able
to be configured with a Trust Anchor for the home.arpa.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Unless configured otherwise, recursive resolvers and DNS proxies
MUST behave as described in Locally Served Zones ([RFC6303]
Section 3). That is, queries for domains that are subdomains of
'home.arpa.' MUST NOT be forwarded, with one important
exception: a query for a DS record when the DO bit ([RFC4035]
section 3.2.1) set MUST return the correct answer for that
question, including correct information in the authority section
that proves that the record is nonexistent.
So for example a query for the NS record for 'home.arpa.' MUST
NOT result in that query being forwarded to an upstream cache nor
to the authoritative DNS server for '.arpa.'. However, as
necessary to provide accurate authority information, a query for
the DS record MUST result in whatever queries are necessary being
forwarded; typically, this will just be a query for the DS
record, since the necessary authority information will be
included in the authority section of the response if the DO bit
is set.
Pfister & Lemon Expires February 11, 2018 [Page 4]
Internet-Draft dot homenet August 2017
In addition to the behavior specified above, recursive resolvers
that can be used in a homenet MUST be configurable with a
delegation to an authoritative server for that particular
homenet's instance of the domain 'home.arpa.'.
It is permissible to combine the recursive resolver function for
general DNS lookups with an authoritative resolver for
'home.arpa.'; in this case, rather than forwarding queries for
subdomains of 'home.arpa.' to an authoritative server, the
caching resolver answers them authoritatively. The behavior with
respect to forwarding queries specifically for 'home.arpa.'
remains the same.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
MGLT: The full consideration seems to me to be conformance to RFC6303.
In particular the recommendations for DNSSEC in RFC 6303 seems to me
accurated and are not specifically mentioned here. Maybe that should
be clearly stated that all considerations of RFC6303 should be
considered as home.arpa is of local scope.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
5. No special processing of 'home.arpa.' is required for
authoritative DNS server implementations. It is possible that an
authoritative DNS server might attempt to check the authoritative
servers for 'home.arpa.' for a delegation beneath that name
before answering authoritatively for such a delegated name. In
such a case, because the name always has only local significance
there will be no such delegation in the 'home.arpa.' zone, and so
the server would refuse to answer authoritatively for such a
zone. A server that implements this sort of check MUST be
configurable so that either it does not do this check for the
'home.arpa.' domain, or it ignores the results of the check.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
MGLT: I understand this as being incorrect. The resolver can also be configured
with a trust anchor. I would refer to the RFC6303:
As DNSSEC is deployed within the IN-ADDR.ARPA and IP6.ARPA
namespaces, the zones listed above will need to be delegated as
insecure delegations, or be within insecure zones. This will allow
DNSSEC validation to succeed for queries in these spaces despite not
being answered from the delegated servers.
It is recommended that sites actively using these namespaces secure
them using DNSSEC [RFC4035] by publishing and using DNSSEC trust
anchors. This will protect the clients from accidental import of
unsigned responses from the Internet.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
6. DNS server operators MAY configure an authoritative server for
'home.arpa.' for use in homenets and other home networks. The
operator for the DNS servers authoritative for 'home.arpa.' in
the global DNS will configure any such servers as described in
Section 7.
7. 'home.arpa.' is a subdomain of the 'arpa' top-level domain, which
is operated by IANA under the authority of the Internet
Architecture Board according to the rules established in
[RFC3172]. There are no other registrars for .arpa.
5. Updates to Home Networking Control Protocol
The final paragraph of Home Networking Control Protocol [RFC7788],
section 8, is updated as follows:
OLD:
Names and unqualified zones are used in an HNCP network to provide
naming and service discovery with local significance. A network-
wide zone is appended to all single labels or unqualified zones in
order to qualify them. ".home" is the default; however, an
administrator MAY configure the announcement of a Domain-Name TLV
Pfister & Lemon Expires February 11, 2018 [Page 5]
Internet-Draft dot homenet August 2017
(Section 10.6) for the network to use a different one. In case
multiple are announced, the domain of the node with the greatest
node identifier takes precedence.
NEW:
Names and unqualified zones are used in an HNCP network to provide
naming and service discovery with local significance. A network-
wide zone is appended to all single labels or unqualified zones in
order to qualify them. 'home.arpa.' is the default; however, an
administrator MAY configure the announcement of a Domain-Name TLV
(Section 10.6) for the network to use a different one. In case
multiple are announced, the domain of the node with the greatest
node identifier takes precedence.
The 'home.arpa.' special-use name does not require a special
resolution protocol. Names for which the rightmost two labels are
'home.arpa.' are resolved using the DNS protocol [RFC1035].
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
MGLT: If home.arpa are no different than other resolutions and we
start from the root zone responses are likely to be NXDOMAIN. I
think we should clarify that DNS is used as a transport protocol,
but that resolution may be handled differently.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
6. Security Considerations
A DNS record that is returned as a response to a query for an FQDN in
the domain '.home.arpa.' is expected to have local significance. It
is expected to be returned by a server involved in name resolution
for the homenet the device is connected in. However, such response
MUST NOT be considered more trustworthy than would be a similar
response for any other DNS query.
Because 'home.arpa.' is not globally scoped and cannot be secured
using DNSSEC based on the root domain's trust anchor, there is no way
to tell, using a standard DNS query, in which homenet scope an answer
belongs. Consequently, users may experience surprising results with
such names when roaming to different homenets. To prevent this from
happening, it may be useful for the resolver to identify different
homenets on which it has resolved names, but this is out of scope for
this document.
It is not possible to install a trust anchor for this zone in the
'.arpa' zone. The reason for this is that in order to do so, it
would be necessary to have the key-signing key for the zone
([RFC4034] Section 5). Since the zone is not globally unique, no one
key would work.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
MGLT: I think that DS is meant rather than trust anchor.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
An alternative would be to install a authenticated denial of
existence ([RFC4033] Section 3.2).
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
MGLT: This is unclear where the denial of existence is set. Is
that in the home.arpa zone or the arpa zone.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
However, this assumes that
validation is being done on a caching resolver that is aware of the
special local meaning of 'home.arpa.'. If a host stub resolver
attempts to validate a name in 'home.arpa.', an authenticated denial
Pfister & Lemon Expires February 11, 2018 [Page 6]
Internet-Draft dot homenet August 2017
of existence of 'home' as a subdomain of 'arpa.' would cause the
validation to fail. Therefore, the only delegation that will allow
names under 'home.arpa.' to be resolved is an insecure delegation, as
in [RFC6303] section 7.
Consequently, unless a trust anchor for the particular instance of
the 'home.arpa.' zone being validated is manually configured on the
validating resolver, DNSSEC signing of names within the 'home.arpa.'
zone is not possible.
Although in principle it might be useful to install a trust anchor
for a particular instance of 'home.arpa.', it's reasonable to expect
that a host with such a trust anchor might from time to time connect
to more than one network with its own instance of 'home.arpa.'. Such
a host would be unable to access services on any instance of
'home.arpa.' other than the one for which a trust anchor was
configured.
It is in principle possible to attach an identifier to an instance of
'home.arpa.' that could be used to identify which trust anchor to
rely on for validating names in that particular instance. However,
the security implications of this are complicated, and such a
mechanism, as well as a discussion of those implications, is out of
scope for this document.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
MGLT: There are also some privacy issues associated to leaking names
outside the homenet boundaries. For example daniel_smith.home.arpa
reveal the identity of the member of the homenet, my_ipad.home.arpa
reveals the devices you own, the application.
home.arpa may also used in larger environment such as corporate /
private. going from one to the other may also leak such information.
The leak can be from the homenet to the outside world in which case
one neeed to control the queries sent. But in intruder (or guest)
may also access the homenet and proceed to discovery of the names.
As a result even though homenet is believe to be a trusted environment,
care should be considered while publishing under the home.arpa. as
well as whose the information is accessible to.
They might be collision as well. myprinter.home.arpa may be found
in various environments, and upon discovery you may also -
in this example - print confidential information to that printer.
In some case you may not even be aware, for example, if your
printing information failed home, and is re-activated once you
are in another environment.
As information may be sensitive it may be encrypted using IPsec
DTLS as described by dprive for both authentication and confidentiality.
When the trust anchor is configured in the resolver, these must be
able to roll-over the key and should follows the requirements for DNSSEC
validators. if it is impossible for a resolver to see the difference
between an attack and a re-key we are in trouble.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
7. Delegation of 'home.arpa.'
In order to be fully functional, there must be a delegation of
'home.arpa.' in the '.arpa.' zone [RFC3172]. This delegation MUST
NOT include a DS record, and MUST point to one or more black hole
servers, for example 'blackhole-1.iana.org.' and 'blackhole-
2.iana.org.'. The reason that this delegation must not be signed is
that not signing the delegation breaks the DNSSEC chain of trust,
which prevents a validating stub resolver from rejecting names
published under 'home.arpa.' on a homenet name server.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
MGLT: The zone home.arpa MUST NOT be seen as belonging to the
homenet. As a result, NS and DS records for home.arpa does not
have meanings outside a specific domain. A Public server outside
the boundaries of the homenet MUST consider this traffic as
irrelevant and sink.
Redirection to as112 without coordination with as112 operator
may rather be performed using DNAME. I believe more text should
document the two alternative. With the proposed configuration,
the query will be directed to a server that is not authoritative for
the zone. The response is likely to be REFUSED, while in the other
case it is likely to be NXDOMAIN.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
8. IANA Considerations
IANA is requested to record the domain name 'home.arpa.' in the
Special-Use Domain Names registry [SUDN]. IANA is requested, with
the approval of IAB, to implement the delegation requested in
Section 7.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
MGLT: OK if IANA may make the direct way work. In that case is
there any need to update a registry for zone served by as112?
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%