Re: [dd] DS pinning for secondaries
Petr Špaček <pspacek@isc.org> Wed, 28 February 2024 08:54 UTC
Return-Path: <pspacek@isc.org>
X-Original-To: dd@ietfa.amsl.com
Delivered-To: dd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4EC8C1C4D9E for <dd@ietfa.amsl.com>; Wed, 28 Feb 2024 00:54:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="m8OuB09x"; dkim=pass (1024-bit key) header.d=isc.org header.b="Ctkh6u0O"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BUgzaVvbvDML for <dd@ietfa.amsl.com>; Wed, 28 Feb 2024 00:54:35 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.2.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BBDF6C1C4D9B for <dd@ietf.org>; Wed, 28 Feb 2024 00:54:35 -0800 (PST)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.2.31]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id B684B3AB13B; Wed, 28 Feb 2024 08:54:34 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org B684B3AB13B
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.2.31
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1709110474; cv=none; b=WAK0QJE/pZhVnSDDpULfTNQqT/X+nX6kdyzgxgMLwJe4Ez0O0tTnQchESHZILnE7CeSrEIc8n4B0ngPh119uzMiZmBMHnUgWmZd306sBMnmqA1qmGTSwn7pNzDvdId8+VOwl4qigub+7NOimbnzSSn6zkJkA5TkG0g5mAdtFQkg=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1709110474; c=relaxed/relaxed; bh=dOvI8JFO/Kc5wi0v4lUa/lkFIBKWmimMrt6OczZGam4=; h=DKIM-Signature:DKIM-Signature:Message-ID:Date:MIME-Version: Subject:To:From; b=jfxQtAaOcENL79Z7tB880Zz8gP7Qu4lDDf5QInSw2S8CigpibBJZ0YEOKglzRZV2X9pbo9Voxp77v9XjgiEFiwnhioHFCENJUk0t/aKRosRO7TB4ePZm4lnEDeu1IwLLSdWmIjyOKCAKzzvBIx8aC4r9eY1oHUOHFOjbVHc/sQs=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org B684B3AB13B
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1709110474; bh=dOvI8JFO/Kc5wi0v4lUa/lkFIBKWmimMrt6OczZGam4=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=m8OuB09xcqr/wCTjb6/Srs9YIGTKMV9e9M9vc/Zk3tPo/pfCh71eubClCum9HyKii 3/Z++sfyH4jUlJAVnjMdniSH249FCUjcpDJyMQ0DwzuZaUxKLgsRjLvM3un4WGjt3p wi4trLIrHJeKt95xLt6JL/RkL2ajM7VQNHaj74/w=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id B0371114B959; Wed, 28 Feb 2024 08:54:34 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 889EB114BA7C; Wed, 28 Feb 2024 08:54:34 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 889EB114BA7C
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1709110474; bh=dOvI8JFO/Kc5wi0v4lUa/lkFIBKWmimMrt6OczZGam4=; h=Message-ID:Date:MIME-Version:To:From; b=Ctkh6u0OC9+2nUH2Uy+mGEGjefW+xbZEJdd6YDTItvRv+mww4P4z9Ojd44fRlL21V Z9FhJrwLVYZazNGFZ1drZ2DIzk2S/Lx+XURFdu6MlRf5+OzhtXR+gxGdD8/LtL4s0K Oj6b7vff+3DmcUwjPLIcPh+b8YD68fG29gCLI0FY=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavis, port 10026) with ESMTP id ODb12zyvSHRv; Wed, 28 Feb 2024 08:54:34 +0000 (UTC)
Received: from [192.168.0.157] (ip-86-49-236-123.bb.vodafone.cz [86.49.236.123]) by zimbrang.isc.org (Postfix) with ESMTPSA id EC3CD114B959; Wed, 28 Feb 2024 08:54:33 +0000 (UTC)
Message-ID: <4b17b7ec-ccc3-48d1-b4df-54bba4202e5d@isc.org>
Date: Wed, 28 Feb 2024 09:54:29 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: Paul Wouters <paul@nohats.ca>
Cc: dd@ietf.org
References: <9ffd0747-054d-4f84-a7f9-43265974b07d@isc.org> <45b4a54d-8d85-caf0-e1df-74f61c81b1a6@nohats.ca>
From: Petr Špaček <pspacek@isc.org>
Autocrypt: addr=pspacek@isc.org; keydata= xsFNBF/OJ/4BEAC0jP/EShRZtcI9KmzVK4IoD/GEDtcaNEEQzPt05G8xtC0P4uteXUwW8jaB CdcKIKR4eUJw3wdXXScLNlyh0i+gm5mIvKPrBYNAMOGGnkbAmMQOt9Q+TyGeTSSGiAjfvd/N nYg7L/KjVbG0sp6pAWVORMpR0oChHflzKSjvJITCGdpwagxSffU2HeWrLN7ePES6gPbtZ8HY KHUqjWZQsXLkMFw4yj8ZXuGarLwdBMB7V/9YHVkatJPjTsP8ZE723rV18iLiMvBqh4XtReEP 0vGQgiHnLnKs+reDiFy0cSOG0lpUWVGI50znu/gBuZRtTAE0LfMa0oAYaq997Y4k+na6JvHK hhaZMy82cD4YUa/xNnUPMXJjkJOBV4ghz/58GiT32lj4rdccjQO4zlvtjltjp9MTOFbRNI+I FCf9bykANotR+2BzttYKuCcred+Q7+wSDp9FQDdpUOiGnzT8oQukOuqiEh3J8hinHPGhtovH V22D0cU6T/u9mzvYoULhExPvXZglCLEuM0dACtjVsoyDkFVnTTupaPVuORgoW7nyNl0wDrII ILBqUBwzCdhQpYnyARSjx0gWSG1AQBKkk5SHQBqi1RAYC38M59SkpH0IKj+SaZbUJnuqshXh UIbY1GMHbW/GDhz7pNQFFYm2S4OPUBcmh/0O0Osma151/HjF7wARAQABzR9QZXRyIMWgcGHE jWVrIDxwc3BhY2VrQGlzYy5vcmc+wsGXBBMBCABBAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4B AheAAhkBFiEEEVO2++xeDVoSYmDzq9WHzfBlga4FAmWT+REFCQelsxMACgkQq9WHzfBlga7y 2Q//Ug58UI9mlnD/guf9mHqpJIMrBs/vX8HlzylsDcZUBTp2TJpzNh/CygPWrHY+IvA9I9+t Ygp0sB+Z9OtVZgW3bpWJ0iWe6N89Q0kwOuhJ75LsfR1V73L5C826M6bLQjYTj6HiwS9Nf+N0 jADhEV/p1KtCuZfwBkYJ4ZM+Na0zWerGPkGw9T9O0gfs0ePehzJ5V0OK0nCqMuC1h8o/rhCb vRCmxdAbNjrOrgKa7HN5DadP/tKstJMM09aXlT5q96fRIyCQyqXQoCrijCWvgAxgjABdh1TB /XsYvBC8+4wy5ZBtTcnxXGrMhrSxU2/vIK6RjDju7OIRClMNepEzvt0gNzxwwxIXVOzl5ioC i/Okovk1rZneFFxbVvaMyIJgY/hShJV7Ei+5S9UZUv6UUmRQ6zukeiSVZrtXs6fWLVlUnBDl Cv/fXi25hrymqNfPSBSB0tyc6YepR1Rq9omTni6DYmEHQuhPMHJ2fuiNNyBaH+9EI7go5e0J LvXVLJGXkMdTcmYHja1pDjmQ1K71gewfPWGFmn0JTa92GuZJaR/4MVePvoV0NTpCP0HiKIg5 0+AOdpvkJReFKTQOX08SwkUkgvy9h9WjBMpD5ymMs4gjJwXtcT1+aVtj9Xcw6tQde9Yyjxde a6UZ3TUfys8qZ8ZKmMKTaCUFukKzWDJMZ91V1b/OwU0EX84n/gEQANARNXihDNc1fLNFZK5s O14Yg2TouK9eo9gGh4yLSrmZ3pjtnuJSpTWmGD4g0EYzhwWA/T+CqjUnrhsvzLQ1ECYVqLpM VqK2OJ9PhLRbx1ITd4SKO/0xvXFkUqDTIF6a5mUCXH5DzTQGSmJwcjoRv3ye+Z1lDzOKJ+Qr gDHM2WLGlSZAVGcUeD1S2Mp/FroNOjGzrFXsUhOBNMo8PSC4ap0ZgYeVBq5aiMaQex0r+uM4 45S1z5N2nkNRYlUARkfKirqQxJ4mtj5XPC/jtdaUiMzvnwcMmLAwPlDNYiU0kO5IqJFBdzmJ yjzomVk1zK9AYS/woeIxETs+s6o7qXtMGGIoMWr6pirpHk4Wgp4TS02BSTSmNzParrFxLpEU dFKq3M0IsBCVGvfNgWL2pKKQVq34fwuBhJFQAigR9B3O9mfaeejrqt73Crp0ng0+Q74+Llzj EIJLOHYTMISTJyxYzhMCQlgPkKoj+TSVkRzBZoYFkUt4OXvlFj73wkeqeF8Z1YWoOCIjwXH9 0u2lPEq0cRHHyK+KSeH1zQJ4xgj0QDGPmkvi81D13sRaaNu3uSfXEDrdYYc+TSZd2bVh2VCr xrcfzQ1uz9fsdC9NPdNd7/mHvcAaNc5e9IhNh67L54aMBkzlJi18d0sWXOOHkyLSvbHnC/OP wv7qCf69PUJmtoeHABEBAAHCwXwEGAEIACYCGwwWIQQRU7b77F4NWhJiYPOr1YfN8GWBrgUC ZZP5UgUJB6WzVAAKCRCr1YfN8GWBrgxpD/949Tz7EtrE9e2yJ4np+y7uW8EDusVM3QsBdkYk yaQTupITew8WWQtNF/QK/MKRi+e/382t78nBq+T7G9PrRi7E4WS9dXdgJiFz25h3mC4TABJZ b6MLcEreLWTaqnR/D6F3AnNXh7GJFY4E6PAwC60W0R9G6R0E+2XeZX011NEGiBMvgZnqzzjU L9h8Gz7a/EsQync4cvLbruPt/UaOV0khKTefsOFj3q3wLY6qN2qw7HfgFRBCh6ME2XRvnwAd iv0pF4HRbXoFalkAsNEYkWQ6mkJjdYCHOWm3TWqXhalgGKqIOrQyMpH2mJpZllKBQiBiQMUz qz0cO9OqBk3xvNLplI3VNcC0WeQ8LEqyYKth2T78hVaIw8K0IcVmZQwXVxL03gojaJ5bK2O+ 2FfqKMcIiU+bqaTXntx+FYRQKblsUBYD77uU9sPVyKWIiHvukLTx7GY1ttn6gZDSIek/tTR7 oaei+xLh5JUgZpMZ4JHnirDWHbrJzYN95e8HWA/+qAOTsa+igZGsc6yA1oJIAnCwkclcLAgc x3GVVeEL+/b9CugZ+1OfbxlRK7gAeu0kyKiEXrUvCQPnPByIIfj4I4IvZO4552cmmnbn31f9 X/9nw+M4qAqOK7bRg65ucv71TayUehNJrfJSYx6P1tXIwzu19tIgtdWTcsszNWALfaUFtg==
In-Reply-To: <45b4a54d-8d85-caf0-e1df-74f61c81b1a6@nohats.ca>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dd/-vWzvt_9eOskhw31cYgc4NStbSE>
Subject: Re: [dd] DS pinning for secondaries
X-BeenThere: dd@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DNS Delegation <dd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dd>, <mailto:dd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dd/>
List-Post: <mailto:dd@ietf.org>
List-Help: <mailto:dd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dd>, <mailto:dd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Feb 2024 08:54:39 -0000
On 27. 02. 24 18:31, Paul Wouters wrote: > On Tue, 27 Feb 2024, Petr Špaček wrote: > >> Today I've presented DELEG work to CENTR Tech group [1] and there was >> a request to support use-case where ALIAS points to secondaries who >> are supposed to serve signed version of the zone, but cannot resign it >> themselves. >> >> In my mind that translates to syntax like this: >> >> signed.example.net. DELEG 0 operator.example. ds="12345678" > > Why not a regular DS at the parent to lock this? And only use DELEG > for NS/glue. Makes sense to me - if we think through various compatibility scenarios with legacy vs. DELEG-aware clients. > > Or rather, what would this use case gain from a DELEG record, other > than various transport security options? ALIAS allows to offload NS RRset maintenance to operator who IMHO logically should be in charge of _technical parameters_ how to connect to auths. I.e. even without fancy extra parameters the operator will get ability to modify NS set, which is will simplify operations. > You would also need a signal for this. Combing alias + non-alias seems > to open pandoras box of contradictions and complicated error paths. It > seems the easiest signal is the old fashioned DS record trumping DELEG > ds= entries. -- Petr Špaček
- [dd] DS pinning for secondaries Petr Špaček
- Re: [dd] [Ext] DS pinning for secondaries Paul Hoffman
- Re: [dd] DS pinning for secondaries Paul Wouters
- Re: [dd] DS pinning for secondaries Petr Špaček
- Re: [dd] DS pinning for secondaries Philip Homburg
- Re: [dd] [Ext] DS pinning for secondaries Ben Schwartz