Re: [Add] some background on split DNS with DNSSEC
Ben Schwartz <bemasc@google.com> Wed, 10 November 2021 19:48 UTC
Return-Path: <bemasc@google.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 714A13A12F7 for <add@ietfa.amsl.com>; Wed, 10 Nov 2021 11:48:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.6
X-Spam-Level:
X-Spam-Status: No, score=-17.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mXsb4rWO1BO1 for <add@ietfa.amsl.com>; Wed, 10 Nov 2021 11:48:03 -0800 (PST)
Received: from mail-ua1-x929.google.com (mail-ua1-x929.google.com [IPv6:2607:f8b0:4864:20::929]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0D143A12F8 for <add@ietf.org>; Wed, 10 Nov 2021 11:48:02 -0800 (PST)
Received: by mail-ua1-x929.google.com with SMTP id o26so7211471uab.5 for <add@ietf.org>; Wed, 10 Nov 2021 11:48:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=EedsouI3Rg01XaruZLXVujHPCsEF6vjqTQYTUwVEY30=; b=hK2Ip+vG6PpoEw265+9nTNW7/fRTLdJ+pcYOWWp1h7M0RZbBHrWQnSHJiVnIotcknV Ct3JOXkTLIRYQuNJRGzKaTPKpKHHY3JWAtlmg+OmD1d8EtNflLIK2A3cBB6ADCofJTJM zBeiZiAcjDd8n+BHQaSk9kkIW6lEuagt3Jcv8omfT7I0975JNWNrK5zMq0h6eHFzOX+x ulHxG/FcKkQWX+nCgaHPmQaIBi8P45l/rKr406oafVXyh6bSNCTccDPzVgHzIlXW/Ik/ CN3VpvHj5mulo/MqI747VyJK7g8rtzQGhBN0T9ZdzQxy69P+jXVYhGmJjWzNFVaGGjfv fCZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=EedsouI3Rg01XaruZLXVujHPCsEF6vjqTQYTUwVEY30=; b=8CpbGMk1V89DmoSwuNO9bifafkE6UQQakLefFEf5tcHz8TjFTb2xTNB1FtwoiWnrqQ b7tbubTjkisSEnrKNdCdq97aWFvAJOOSYz1jfzRXeqMtXcQdv2aBfIaV6kwRd5KVdvuv Ckbkj78rDQP0Oy/sPJaI9SFqPAvFchnPWDs+9TisBNhPB1ZpVg8IJxeJut6v4X+nSZws XwPYdjIcm64g0S8ovWHzN0PnPIt8OOfCgd1bYfXoUMTkrHkEgLXzprE+XUaLUvQ2uH32 DoxGQ1YKvmJt2KaQxfFtE6ezC2EJL7YEV8Z0A7H2lUojp36ZrpJoye6JCnwop3/EtduA BwUg==
X-Gm-Message-State: AOAM531a90m3H0MqTW9Mz0mCr/NRRb34t5SQvMaccDDZtpFrGOn50vzc pacREJqVPaDTqz0AVKV/yOTJ2KkHFqV6qL8m40Hg8Q==
X-Google-Smtp-Source: ABdhPJzTbbpD3EF62zeT7Em4zZ+CztzIiX3Swx+9tzD9vuofJ2oDVeSS6b6Iv3jOFxe2/NCJigOyl7I4p7WiVSYGD1Y=
X-Received: by 2002:a67:e90d:: with SMTP id c13mr2163694vso.12.1636573680802; Wed, 10 Nov 2021 11:48:00 -0800 (PST)
MIME-Version: 1.0
References: <DD51ECDC-9787-4DEB-A2AF-39C3CF2ABEE8@nbcuni.com> <A3966F94-86DA-436A-903F-94724D3B5833@gmail.com>
In-Reply-To: <A3966F94-86DA-436A-903F-94724D3B5833@gmail.com>
From: Ben Schwartz <bemasc@google.com>
Date: Wed, 10 Nov 2021 14:47:49 -0500
Message-ID: <CAHbrMsCdEhgeJOZd9JNqT3DMgQyoFEhhDBD3CbPDSy8Z8wkngg@mail.gmail.com>
To: Dan Wing <danwing@gmail.com>
Cc: "Deen, Glenn" <Glenn_Deen=40comcast.com@dmarc.ietf.org>, "add@ietf org" <add@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000ead61905d0748028"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/YbdRHzunYP9ny0B1HAjSLPwKkMs>
Subject: Re: [Add] some background on split DNS with DNSSEC
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Nov 2021 19:48:06 -0000
On Wed, Nov 10, 2021 at 12:43 PM Dan Wing <danwing@gmail.com> wrote: > On item 3, > > We could use DNSSEC to prove the PvD dnsZones is truthful to avoid asking > the same question of the public DNS. > > However, we already need IPv6 (for RFC8801's PvD) and adding a DNSSEC > requirement means we are deeper in the "room of non-deployability", a > dreaded space for our D&D character. That's why split-dns queries the > public DNS: the procedure in split-dns establishes a *similar* proof of > domain ownership as DNSSEC could have provided. > I think the right approach for this draft is to say that the client should acquire independent confirmation of the delegation's validity before proceeding, and not get too specific about how it should do that. Valid client behaviors should include: * Send the NS query through the network's resolver and require a valid DNSSEC signature chain**. * Send the NS query through a trusted third-party resolver over a secure channel. * Same as above but requiring AD=1 in the response. * Perform full iterative resolution for this NS query, requiring DNSSEC. * etc. If a network signs their domains, any participating clients will accept the delegation. Otherwise, some compliant clients might ignore the instruction because it fails their validity check. That seems fine to me. Many clients won't implement this at all, so operators already can't rely on it unless they have knowledge of a specific client's behavior. **This is harder than it sounds due to chain-walking, loose consistency, etc.
- [Add] some background on split DNS with DNSSEC Wes Hardaker
- Re: [Add] some background on split DNS with DNSSEC Michael Richardson
- Re: [Add] some background on split DNS with DNSSEC Ben Schwartz
- Re: [Add] some background on split DNS with DNSSEC Joe Abley
- Re: [Add] some background on split DNS with DNSSEC Tommy Pauly
- Re: [Add] some background on split DNS with DNSSEC Bill Woodcock
- Re: [Add] some background on split DNS with DNSSEC Eliot Lear
- Re: [Add] some background on split DNS with DNSSEC Ted Lemon
- Re: [Add] some background on split DNS with DNSSEC Bill Woodcock
- Re: [Add] some background on split DNS with DNSSEC Eliot Lear
- Re: [Add] some background on split DNS with DNSSEC Bill Woodcock
- [Add] Why so complex? (was Re: some background on… Martin Thomson
- Re: [Add] some background on split DNS with DNSSEC Eliot Lear
- Re: [Add] some background on split DNS with DNSSEC Bill Woodcock
- Re: [Add] some background on split DNS with DNSSEC Jim Reid
- Re: [Add] some background on split DNS with DNSSEC Eliot Lear
- Re: [Add] some background on split DNS with DNSSEC Bill Woodcock
- Re: [Add] some background on split DNS with DNSSEC Eliot Lear
- Re: [Add] Why so complex? (was Re: some backgroun… Paul Wouters
- Re: [Add] some background on split DNS with DNSSEC Paul Wouters
- Re: [Add] some background on split DNS with DNSSEC Joe Abley
- Re: [Add] some background on split DNS with DNSSEC Deen, Glenn
- Re: [Add] some background on split DNS with DNSSEC Deen, Glenn
- Re: [Add] some background on split DNS with DNSSEC Paul Wouters
- Re: [Add] some background on split DNS with DNSSEC tirumal reddy
- Re: [Add] some background on split DNS with DNSSEC tirumal reddy
- Re: [Add] some background on split DNS with DNSSEC tirumal reddy
- Re: [Add] some background on split DNS with DNSSEC Dan Wing
- Re: [Add] some background on split DNS with DNSSEC Dan Wing
- Re: [Add] some background on split DNS with DNSSEC Wes Hardaker
- Re: [Add] Why so complex? (was Re: some backgroun… Ben Schwartz
- Re: [Add] some background on split DNS with DNSSEC Joe Abley
- Re: [Add] some background on split DNS with DNSSEC Ben Schwartz
- Re: [Add] some background on split DNS with DNSSEC Michael Richardson
- Re: [Add] some background on split DNS with DNSSEC Michael Richardson
- Re: [Add] some background on split DNS with DNSSEC Bill Woodcock
- Re: [Add] Why so complex? (was Re: some backgroun… Bill Woodcock
- Re: [Add] some background on split DNS with DNSSEC tirumal reddy
- Re: [Add] Why so complex? (was Re: some backgroun… Martin Thomson
- Re: [Add] some background on split DNS with DNSSEC Ted Hardie
- Re: [Add] some background on split DNS with DNSSEC Ben Schwartz
- Re: [Add] some background on split DNS with DNSSEC tirumal reddy
- Re: [Add] some background on split DNS with DNSSEC Ben Schwartz
- Re: [Add] some background on split DNS with DNSSEC tirumal reddy