Re: [Add] some background on split DNS with DNSSEC
Ted Hardie <ted.ietf@gmail.com> Thu, 11 November 2021 11:13 UTC
Return-Path: <ted.ietf@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 741A83A0D9D for <add@ietfa.amsl.com>; Thu, 11 Nov 2021 03:13:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yOdd5et1ZWCj for <add@ietfa.amsl.com>; Thu, 11 Nov 2021 03:13:26 -0800 (PST)
Received: from mail-il1-x131.google.com (mail-il1-x131.google.com [IPv6:2607:f8b0:4864:20::131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B1983A0D4E for <add@ietf.org>; Thu, 11 Nov 2021 03:13:26 -0800 (PST)
Received: by mail-il1-x131.google.com with SMTP id h2so5453995ili.11 for <add@ietf.org>; Thu, 11 Nov 2021 03:13:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=M1qLgg2S9txOl/scPIYOaQVap69RFwqnAP9+STIi0yY=; b=GJgPHwG42BaMhDCWi3w/YFCVb7a0pBHjM6WOqdUOfOHSPyTNYCPOr2fBYGCmRsc5pa 7rhxKm067MIvnNCZp3cN5qZ9sk93WZGiWU5/iJ+SsGz9krJw2ICNXPcGlxli+6YCcjV+ CO+TF1e6OL6fxpofNQ/PWBPcKcNe2lgq2iDGD9VKDa+x8qDbXT+RnUfHR8WC9pJTPObH yHK54TkOUSZNeAAWvEmzkCijmPehj2LSCclekVcLv/t/4XqlQx60FpOVs+E8HdlOrqwT ASAbHXk5mlWgAdErF6j0ZREYIqoH9AdRnoNV9yYqX44v2ShyHdp4TD+GkAypdu9Ci48N J03g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=M1qLgg2S9txOl/scPIYOaQVap69RFwqnAP9+STIi0yY=; b=Rh7+pLXzUgKNZKEdOvMctlHNXmkMDjfWhobMk2cTM7C+z6Vzv4/y4GK3Os4cQeQ8E2 EMzjWKiwe5Mykl6gPGGIfN/kD3CFXaxNGqcUTzn61NfLD/JR4zs4TKqWbC1UQ662FmfL rX8iKEwQ0tM8ZpJ33aK8CrOYl5p3HDlpeCgALtISrKJM3GySKhnC4s9JmROnOlIBZgbp KWWWKxBBHaM+tlRANDVI6y3D+YpCoXcj8euqlQSP0RnRaiAxuj9EWTFZ3tgVxOxhWrKK l1jh5733OHoqtoT5KA+qBe+gwk6p1Rhv7RKSh5lBsBQjHtzFFYRn9cUSARN59Ea/U1X8 CBRA==
X-Gm-Message-State: AOAM533WZVw2EWJ/MgCtC8QCJZHCvjfAx6/G8XY4sl6qPWxcLhLru/54 NAh0TTOCs+XlJjBY2Wk1O/mci4aMYa6WpEGwJno=
X-Google-Smtp-Source: ABdhPJzjQOkxgw0d6rUbe5FfhwWZJgnsIIHBhhU5resTH8xz+OBbMEESpLgPGjs+me3dXSGOiDdx43mfMYIoJIul1aE=
X-Received: by 2002:a05:6e02:16cc:: with SMTP id 12mr3711779ilx.99.1636629205372; Thu, 11 Nov 2021 03:13:25 -0800 (PST)
MIME-Version: 1.0
References: <DD51ECDC-9787-4DEB-A2AF-39C3CF2ABEE8@nbcuni.com> <A3966F94-86DA-436A-903F-94724D3B5833@gmail.com> <CAHbrMsCdEhgeJOZd9JNqT3DMgQyoFEhhDBD3CbPDSy8Z8wkngg@mail.gmail.com>
In-Reply-To: <CAHbrMsCdEhgeJOZd9JNqT3DMgQyoFEhhDBD3CbPDSy8Z8wkngg@mail.gmail.com>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Thu, 11 Nov 2021 11:12:59 +0000
Message-ID: <CA+9kkMDbgoJG1NBEu=aLo0_Ki9XeGJ67kvo9gwxjZBC5gd993w@mail.gmail.com>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
Cc: Dan Wing <danwing@gmail.com>, "add@ietf org" <add@ietf.org>, "Deen, Glenn" <Glenn_Deen=40comcast.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006a544205d0816e1f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/_3vNmyTf0c52q2SqJtdgsmrBd7M>
Subject: Re: [Add] some background on split DNS with DNSSEC
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Nov 2021 11:13:35 -0000
On Wed, Nov 10, 2021 at 7:48 PM Ben Schwartz <bemasc= 40google.com@dmarc.ietf.org> wrote: > > > On Wed, Nov 10, 2021 at 12:43 PM Dan Wing <danwing@gmail.com> wrote: > >> On item 3, >> >> We could use DNSSEC to prove the PvD dnsZones is truthful to avoid asking >> the same question of the public DNS. >> >> However, we already need IPv6 (for RFC8801's PvD) and adding a DNSSEC >> requirement means we are deeper in the "room of non-deployability", a >> dreaded space for our D&D character. That's why split-dns queries the >> public DNS: the procedure in split-dns establishes a *similar* proof of >> domain ownership as DNSSEC could have provided. >> > > I think the right approach for this draft is to say that the client should > acquire independent confirmation of the delegation's validity before > proceeding, and not get too specific about how it should do that. Valid > client behaviors should include: > * Send the NS query through the network's resolver and require a valid > DNSSEC signature chain**. > * Send the NS query through a trusted third-party resolver over a secure > channel. > * Same as above but requiring AD=1 in the response. > * Perform full iterative resolution for this NS query, requiring DNSSEC. > * etc. > > This seems like it both provides too many options and like it is too easy for someone to misunderstand or deliberately misconstrue what independent validation counts. I would prefer picking one or two that are fully described in the eventual draft, with what amounts to mandatory-to-implement language (e.g. one for v6-available and one for v6-unavailable situations). Obviously, we might not be able to get to that level of common practice, but I think it will be easier for everyone if we can get close; otherwise there will be a lot of code paths and a real risk that nothing at all gets wide deployment. Just my two cents, Ted > If a network signs their domains, any participating clients will accept > the delegation. Otherwise, some compliant clients might ignore the > instruction because it fails their validity check. That seems fine to me. > Many clients won't implement this at all, so operators already can't rely > on it unless they have knowledge of a specific client's behavior. > > **This is harder than it sounds due to chain-walking, loose consistency, > etc. > -- > Add mailing list > Add@ietf.org > https://www.ietf.org/mailman/listinfo/add >
- [Add] some background on split DNS with DNSSEC Wes Hardaker
- Re: [Add] some background on split DNS with DNSSEC Michael Richardson
- Re: [Add] some background on split DNS with DNSSEC Ben Schwartz
- Re: [Add] some background on split DNS with DNSSEC Joe Abley
- Re: [Add] some background on split DNS with DNSSEC Tommy Pauly
- Re: [Add] some background on split DNS with DNSSEC Bill Woodcock
- Re: [Add] some background on split DNS with DNSSEC Eliot Lear
- Re: [Add] some background on split DNS with DNSSEC Ted Lemon
- Re: [Add] some background on split DNS with DNSSEC Bill Woodcock
- Re: [Add] some background on split DNS with DNSSEC Eliot Lear
- Re: [Add] some background on split DNS with DNSSEC Bill Woodcock
- [Add] Why so complex? (was Re: some background on… Martin Thomson
- Re: [Add] some background on split DNS with DNSSEC Eliot Lear
- Re: [Add] some background on split DNS with DNSSEC Bill Woodcock
- Re: [Add] some background on split DNS with DNSSEC Jim Reid
- Re: [Add] some background on split DNS with DNSSEC Eliot Lear
- Re: [Add] some background on split DNS with DNSSEC Bill Woodcock
- Re: [Add] some background on split DNS with DNSSEC Eliot Lear
- Re: [Add] Why so complex? (was Re: some backgroun… Paul Wouters
- Re: [Add] some background on split DNS with DNSSEC Paul Wouters
- Re: [Add] some background on split DNS with DNSSEC Joe Abley
- Re: [Add] some background on split DNS with DNSSEC Deen, Glenn
- Re: [Add] some background on split DNS with DNSSEC Deen, Glenn
- Re: [Add] some background on split DNS with DNSSEC Paul Wouters
- Re: [Add] some background on split DNS with DNSSEC tirumal reddy
- Re: [Add] some background on split DNS with DNSSEC tirumal reddy
- Re: [Add] some background on split DNS with DNSSEC tirumal reddy
- Re: [Add] some background on split DNS with DNSSEC Dan Wing
- Re: [Add] some background on split DNS with DNSSEC Dan Wing
- Re: [Add] some background on split DNS with DNSSEC Wes Hardaker
- Re: [Add] Why so complex? (was Re: some backgroun… Ben Schwartz
- Re: [Add] some background on split DNS with DNSSEC Joe Abley
- Re: [Add] some background on split DNS with DNSSEC Ben Schwartz
- Re: [Add] some background on split DNS with DNSSEC Michael Richardson
- Re: [Add] some background on split DNS with DNSSEC Michael Richardson
- Re: [Add] some background on split DNS with DNSSEC Bill Woodcock
- Re: [Add] Why so complex? (was Re: some backgroun… Bill Woodcock
- Re: [Add] some background on split DNS with DNSSEC tirumal reddy
- Re: [Add] Why so complex? (was Re: some backgroun… Martin Thomson
- Re: [Add] some background on split DNS with DNSSEC Ted Hardie
- Re: [Add] some background on split DNS with DNSSEC Ben Schwartz
- Re: [Add] some background on split DNS with DNSSEC tirumal reddy
- Re: [Add] some background on split DNS with DNSSEC Ben Schwartz
- Re: [Add] some background on split DNS with DNSSEC tirumal reddy