[dd] Re: A generalised delegation extension mechanism
Roy Arends <roy@dnss.ec> Wed, 22 May 2024 15:08 UTC
Return-Path: <roy@dnss.ec>
X-Original-To: dd@ietfa.amsl.com
Delivered-To: dd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5A26C14F69C for <dd@ietfa.amsl.com>; Wed, 22 May 2024 08:08:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dnss.ec
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MLwyvuIu-J9Z for <dd@ietfa.amsl.com>; Wed, 22 May 2024 08:08:14 -0700 (PDT)
Received: from mail-qk1-x72a.google.com (mail-qk1-x72a.google.com [IPv6:2607:f8b0:4864:20::72a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA37BC14F691 for <dd@ietf.org>; Wed, 22 May 2024 08:08:13 -0700 (PDT)
Received: by mail-qk1-x72a.google.com with SMTP id af79cd13be357-7948b7e4e5dso209509885a.1 for <dd@ietf.org>; Wed, 22 May 2024 08:08:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dnss.ec; s=google; t=1716390493; x=1716995293; darn=ietf.org; h=to:references:message-id:content-transfer-encoding:date:in-reply-to :from:subject:mime-version:from:to:cc:subject:date:message-id :reply-to; bh=IEjGu2CkDx5Q4DdTQD3fVgu2+LYZxEeALBMmUQBaDhU=; b=HOaDzDOvMnxzN3q7JWxC+Lu0z+ceQ5K3pNvL/tRlEC5B8L5dRi2ZPNylJY3J11jso+ AHRL0g0cMegqzvB10+6nFNmzx4YAl6wrCdxu3rsihXr0t1yquJ0mjEcuKX0I4uNmKAoq 0KQbOJ/FB39jBz+xe4zkut8nEITl/r8CeQiQs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1716390493; x=1716995293; h=to:references:message-id:content-transfer-encoding:date:in-reply-to :from:subject:mime-version:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=IEjGu2CkDx5Q4DdTQD3fVgu2+LYZxEeALBMmUQBaDhU=; b=hVS83K9EES9zgLGCDBff3I2CA3hZijJAg5djE1E3MhoiCDLY0ivVPHPiwuuIGSuVdc xTuR9qg/knqDsAV4xhUkbFySDgCUHfBRvOZWskJmqG0Elc+t8vPL0HI7umzvZtZj5MyT rxYJpXQiDm8N5ak4UWjO1pfK3uyPeA6HB7KkMP7aDs9yB0aScasrotS+sH3cLEHnEhXY DnoLTQctw1KlbbVfs59MiOGfHiwAdeC1m80/Q7zGbCiCbzUx5BRFp9r8/JNDdEK2xLm8 XnT974Rdv2hkJ9eFU6Lkir7TVx2ytgnkEJjPBHx76VbAR7z+82stlXY+sqGMJgX/vZ4M LxMA==
X-Gm-Message-State: AOJu0Yz8uLCpN2mbiXGB8cPjtoQ85tgBANWkjsVWBglolQR+mOowVFe+ p21OqDkhNqw48llzTnEYD0w+v8iSwJa2di+HkCskl2OgVymHBkVxMu2JIzKQZ56z8qbQ1QVh2f8 gUTKrvw==
X-Google-Smtp-Source: AGHT+IHwdhws+kgVFEtOvDpVnC9uc234frp3xOPhw2H1kVmWcg+GCcCWEZdZnaHeYq6TCUEnvKjnug==
X-Received: by 2002:a05:620a:2194:b0:792:bb93:6876 with SMTP id af79cd13be357-7949941cc61mr282342285a.3.1716390492535; Wed, 22 May 2024 08:08:12 -0700 (PDT)
Received: from smtpclient.apple ([88.81.146.139]) by smtp.gmail.com with ESMTPSA id af79cd13be357-792bf340b32sm1407250985a.126.2024.05.22.08.08.11 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 22 May 2024 08:08:12 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.600.62\))
From: Roy Arends <roy@dnss.ec>
In-Reply-To: <788F5802-B7BB-4C18-A274-9A6BE2C23E30@dnss.ec>
Date: Wed, 22 May 2024 16:07:58 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <45920ADE-9790-40ED-9D06-6415B54980F5@dnss.ec>
References: <788F5802-B7BB-4C18-A274-9A6BE2C23E30@dnss.ec>
To: dd@ietf.org
X-Mailer: Apple Mail (2.3774.600.62)
Message-ID-Hash: 3V7474ZXVHKJCZJPVYQCCIOZZRLZUXB5
X-Message-ID-Hash: 3V7474ZXVHKJCZJPVYQCCIOZZRLZUXB5
X-MailFrom: roy@dnss.ec
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [dd] Re: A generalised delegation extension mechanism
List-Id: DNS Delegation <dd.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dd>
List-Help: <mailto:dd-request@ietf.org?subject=help>
List-Owner: <mailto:dd-owner@ietf.org>
List-Post: <mailto:dd@ietf.org>
List-Subscribe: <mailto:dd-join@ietf.org>
List-Unsubscribe: <mailto:dd-leave@ietf.org>
I haven't seen a response to this. This may be due to it being send before the charter was finalized, but let me rephrase: The secure signal (a dedicated DNSKEY or DS type) by which resolvers expect proof of non-existent types at delegations (as we have for DS records) should not just be tied to DELEG, but should be used in all new delegation type responses. The document that describes this should be separate and independent of the DELEG type description. I am working on that document, and will share shortly. Warmly, Roy > On 22 Mar 2024, at 00:17, Roy Arends <roy@dnss.ec> wrote: > > The following is based on [1] by Petr Spacek and Peter van Dijk and conversations with Paul Wouters and Ben Schwartz (This namedropping should not be seen as endorsements for the following, but merely credit where credit is due). > > To make delegations truly extensible, the extension mechanism (the changes to the DNS protocol) to allow DELEG to work, and DELEG (the record, and what it facilitates) should be separate and the extension mechanism should be generalised.. > > The “generalised” delegation extension mechanism states what to include in a delegation response and how to signal to the validator that it must expect this information. It would contain an IANA request to mark a range of RRTYPEs as “parent side only”. (See [1]). An authoritative server must include these in a delegation when they are present in a zone (such as DS records), including the authenticated denial record (this “always include NSEC/NSEC3” is an idea from Ben Schwartz) > > Why? > > Future "parent side only” record types should not require a new signalling mechanism. (Paul Wouters insight, and I agree) > Authoritative (secondary) servers that know to include records from a range in a delegation do not need to understand these records. They can be an opaque blob. > > Roy Arends > > [1] see https://www.ietf.org/archive/id/draft-peetterr-dnsop-parent-side-auth-types-00.txt >
- [dd] A generalised delegation extension mechanism Roy Arends
- [dd] Re: A generalised delegation extension mecha… Roy Arends
- [dd] Re: A generalised delegation extension mecha… Peter Thomassen
- [dd] FYI, my drafts for discussion uploaded, was … Paul Wouters
- [dd] Re: FYI, my drafts for discussion uploaded, … Peter Thomassen