Re: [dd] [Ext] DS pinning for secondaries

Ben Schwartz <bemasc@meta.com> Tue, 05 March 2024 22:05 UTC

From: Ben Schwartz <bemasc@meta.com>
To: Paul Hoffman <paul.hoffman@icann.org>, Petr Špaček <pspacek@isc.org>
CC: "dd@ietf.org" <dd@ietf.org>
Date: Tue, 05 Mar 2024 22:05:14 +0000
Message-ID: <SA1PR15MB4370908C6E666478F2F702B3B3222@SA1PR15MB4370.namprd15.prod.outlook.com>
References: <9ffd0747-054d-4f84-a7f9-43265974b07d@isc.org> <2409EBB4-285A-484E-9070-87DDCB1C615F@icann.org>
In-Reply-To: <2409EBB4-285A-484E-9070-87DDCB1C615F@icann.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dd/8yNCCNTn1_OXKcwk4fQd86wBswk>
Subject: Re: [dd] [Ext] DS pinning for secondaries
List-Id: DNS Delegation <dd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dd>, <mailto:dd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dd/>
List-Post: <mailto:dd@ietf.org>
List-Help: <mailto:dd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dd>, <mailto:dd-request@ietf.org?subject=subscribe>

It sounds to me like this is related to the "sharedds" idea in https://github.com/fl1ger/deleg/blob/main/draft-dnsop-deleg-dnssec.md.  That idea definitely has some unsolved problems.  Supporting "untrusted delegations" is one of them, although it's not hard to fix by adding a "trusted" flag to the alias.  A harder problem, I suspect, is the compatibility with validating stubs: https://github.com/fl1ger/deleg/issues/42.

--Ben
________________________________
From: dd <dd-bounces@ietf.org> on behalf of Paul Hoffman <paul.hoffman@icann.org>
Sent: Tuesday, February 27, 2024 12:04 PM
To: Petr Špaček <pspacek@isc.org>
Cc: dd@ietf.org <dd@ietf.org>
Subject: Re: [dd] [Ext] DS pinning for secondaries

On Feb 27, 2024, at 08:55, Petr Špaček <pspacek@isc.org> wrote:
>
> Today I've presented DELEG work to CENTR Tech group [1] and there was a request to support use-case where ALIAS points to secondaries who are supposed to serve signed version of the zone, but cannot resign it themselves.

That sounds like a good use case.

>
> In my mind that translates to syntax like this:
>
> signed.example.net. DELEG 0 operator.example. ds="12345678"

Why that, and not
   signed.example.net. DELEG 0 operator.example.
   signed.example.net. DS 32859 13 2 12345678
That is, the parent continues to publish the (signed) DS as normal, and operator.example just publishes the rest of the delegation information?

--Paul Hoffman
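The DS record in Paul's second form ("signed.example.net. DS 32859 13 2 12345678") is derived from the child zone's key signing key, which is what lets the parent keep publishing it while the operator named in the DELEG record serves the signed zone without being able to re-sign it. The script below, an added example that is not code from the thread, the DELEG draft or any participant, builds that DS from a DNSKEY per RFC 4034 (key tag, appendix B) and RFC 4509 (SHA-256 digest type 2) and checks a DNSKEY against a DS in presentation format. The key bytes, the key tag and digest values and the DNSKEY/DS helper names are all constructed for illustration; only the name signed.example.net. comes from the thread.

```python
"""Derive and check the DS record a parent publishes for a child zone's key
signing key (RFC 4034 section 5 and appendix B, RFC 4509 for SHA-256).

Added example for this thread, not code from the DELEG draft or from any
participant.  The DNSKEY below is constructed for illustration and is not a
real key; the name signed.example.net. is taken from the thread.
"""
import hashlib
from dataclasses import dataclass

# DS digest types -> hashlib names (RFC 4034, RFC 4509, RFC 6605).
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 257 = KSK (ZONE + SEP bits), 256 = ZSK
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 appendix B (not the special case for algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    out = bytearray()
    for label in name.rstrip(".").lower().split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long: {label}")
        out.append(len(raw))
        out += raw
    out.append(0)  # terminating root label
    return bytes(out)


def ds_digest(owner: str, key: DNSKEY, digest_type: int) -> str:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), lowercase hex."""
    return hashlib.new(DIGEST_ALGS[digest_type],
                       wire_name(owner) + key.rdata()).hexdigest()


def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> str:
    """Presentation-format DS record the parent would publish for `key`."""
    return (f"{owner} DS {key_tag(key.rdata())} {key.algorithm} "
            f"{digest_type} {ds_digest(owner, key, digest_type).upper()}")


def ds_matches(owner: str, key: DNSKEY, ds: str) -> bool:
    """True if the DS presentation record `ds` was derived from `key` at `owner`.

    Accepts an optional TTL/class between the owner and the DS type and a
    digest split into whitespace-separated hex blocks (both allowed by RFC 4034).
    """
    fields = ds.split()
    try:
        i = fields.index("DS")
        tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    except (ValueError, IndexError):
        return False
    if wire_name(fields[0]) != wire_name(owner):
        return False
    if dtype not in DIGEST_ALGS:
        return False  # unknown digest type: unsupported, never a match
    rdata = key.rdata()
    digest = "".join(fields[i + 4:]).lower()
    return (tag == key_tag(rdata)
            and alg == key.algorithm
            and digest == ds_digest(owner, key, dtype))


# Constructed key signing key for the operator of signed.example.net.
# (not a real key: 64 arbitrary bytes stand in for an uncompressed P-256 point).
OWNER = "signed.example.net."
KSK = DNSKEY(flags=257, protocol=3, algorithm=13, public_key=bytes(range(64)))
SAMPLE_DS = make_ds(OWNER, KSK)

if __name__ == "__main__":
    print(SAMPLE_DS)
    # A different key at the same name does not match the parent's DS.
    other = DNSKEY(257, 3, 13, bytes(range(1, 65)))
    print("operator key matches:", ds_matches(OWNER, KSK, SAMPLE_DS))
    print("other key matches:  ", ds_matches(OWNER, other, SAMPLE_DS))
```

The mismatch case is the point of the use case in the thread: because the DS is a hash over the owner name and the DNSKEY RDATA, the parent's signed DS pins exactly one KSK, so secondaries reached through the DELEG record can serve the operator's signed zone but cannot substitute a key of their own, whether the DS lives in a parent-side DS RRset as Paul suggests or in a ds= parameter as in Petr's sketch.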