IETF Logo Mail Archive

Re: [dnsext] [dnsdir] [EXT] Asking for review on this errata by DNSSEC experts Re: [Errata Verified] RFC4035 (5226)

Dave Lawrence <tale@dd.org> Mon, 14 August 2023 20:44 UTC

Return-Path: <tale@dd.org>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3CB3C14CEFA; Mon, 14 Aug 2023 13:44:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.923
X-Spam-Level:
X-Spam-Status: No, score=-0.923 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_SORBS_DUL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, RDNS_DYNAMIC=0.982, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M0N4SMEsf9j5; Mon, 14 Aug 2023 13:44:31 -0700 (PDT)
Received: from gro.dd.org (c-24-147-123-196.hsd1.vt.comcast.net [24.147.123.196]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16C9EC1526F7; Mon, 14 Aug 2023 13:44:31 -0700 (PDT)
Received: by gro.dd.org (Postfix, from userid 102) id EF7A61487AF; Mon, 14 Aug 2023 16:44:29 -0400 (EDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <25818.37421.962559.965419@gro.dd.org>
Date: Mon, 14 Aug 2023 16:44:29 -0400
From: Dave Lawrence <tale@dd.org>
To: Peter van Dijk <peter.van.dijk@powerdns.com>
Cc: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, Mark Andrews <marka@isc.org>, RFC Errata System <rfc-editor@rfc-editor.org>, "dnsdir@ietf.org" <dnsdir@ietf.org>, "roy.arends@telin.nl" <roy.arends@telin.nl>, "sra@isc.org" <sra@isc.org>, "mlarson@verisign.com" <mlarson@verisign.com>, "massey@cs.colostate.edu" <massey@cs.colostate.edu>, "scott.rose@nist.gov" <scott.rose@nist.gov>, "dnsext@ietf.org" <dnsext@ietf.org>
In-Reply-To: <fe59864c27d8a5fe54373410a50df687d0f98f34.camel@powerdns.com>
References: <1B5D0B11-9930-4D7B-ABC5-0AEDA3A4553F@cisco.com> <fe59864c27d8a5fe54373410a50df687d0f98f34.camel@powerdns.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/4j4uXNOxmrQ-v88OnJsC-nVDdwA>
X-Mailman-Approved-At: Mon, 14 Aug 2023 15:04:07 -0700
Subject: Re: [dnsext] [dnsdir] [EXT] Asking for review on this errata by DNSSEC experts Re: [Errata Verified] RFC4035 (5226)
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsext/>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Aug 2023 20:44:35 -0000

Peter van Dijk via dnsdir writes:
> Before I posted the erratum, this was discussed on DNSOP:
> https://mailarchive.ietf.org/arch/browse/dnsop/?gbt=1&index=zlZRR37eirlOz5Rt55xU3tMzngo
> 

I am highly confident in your skills as an implementer, and I trust
that you encountered a real problem here that arose from your approach
to DNSSEC validation, but I'm not readily grokking what your approach
was that would have led to it.

In the mailing list examples, you asked authoritative nameservers
authoritative for root-servers.net for the DS for root-servers.net.
They both gave reasonable* answers, with d.root-servers.net giving an
auth nodata for DS at its apex, and e.root-servers.net giving an
upward referral to ask the .net servers.

* [ignoring, for the moment, the general "upward referrals considered
  harmful" sentiment that is no doubt part of Mark's reaction]

It is also my understanding that you preferred the referral
response and had to implement a workaround for the auth nodata
response.  

I'm guessing this isn't a qname minimisation problem, because with
that you'd learn where the .net authorities are and would have asked
them for the DS for root-servers.net, right?  (Maybe I'm not right.)

So if it's a full-name resolution issue, where you got data for
whatever.root-servers.net that you're trying to build the validation
chain for, and ... targeted the DS query at the root zone, and were
unhappy when it answered from the point of view of root-servers.net
zone?  Because you were hoping that the query would return a
delegation to the real authorities for it?  Oh hey my debugging duck
worked, I think.

That doesn't seem to have been an unreasonable expectation on your
part, yet I'm not sure that this exposes a specification fault.  The
workaround, I'm guessing, is the usual kind of "figure out who is
really authoritative" stuff that we've needed since we came up with 
the DS being authoritative on the parent side.

If the errata is accepted then it should probably then come with a
side of "so this means upward referrals" and some kind of
corresponding update to BCP 219's "In normal DNS operation, this kind
of [upward referral] response is not required for resolution or for
correctly answering any query."  I don't think the errata as-is helps
clarify the potential pitfall and how to avoid it.

Personally I'm somewhere more inclined to patch up the language around
"showing that the DS RRset does not exist in the child zone's apex"
because in this specific case we're not really talking about "the
child zone's apex"; the zone is answering for it's own apex.

v2.23.0 | Report a Bug | By Email