Re: [dnsext] [dnsdir] [EXT] Asking for review on this errata by DNSSEC experts Re: [Errata Verified] RFC4035 (5226)
Dave Lawrence <tale@dd.org> Mon, 14 August 2023 20:44 UTC
Return-Path: <tale@dd.org>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3CB3C14CEFA; Mon, 14 Aug 2023 13:44:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.923
X-Spam-Level:
X-Spam-Status: No, score=-0.923 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_SORBS_DUL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, RDNS_DYNAMIC=0.982, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M0N4SMEsf9j5; Mon, 14 Aug 2023 13:44:31 -0700 (PDT)
Received: from gro.dd.org (c-24-147-123-196.hsd1.vt.comcast.net [24.147.123.196]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16C9EC1526F7; Mon, 14 Aug 2023 13:44:31 -0700 (PDT)
Received: by gro.dd.org (Postfix, from userid 102) id EF7A61487AF; Mon, 14 Aug 2023 16:44:29 -0400 (EDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <25818.37421.962559.965419@gro.dd.org>
Date: Mon, 14 Aug 2023 16:44:29 -0400
From: Dave Lawrence <tale@dd.org>
To: Peter van Dijk <peter.van.dijk@powerdns.com>
Cc: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, Mark Andrews <marka@isc.org>, RFC Errata System <rfc-editor@rfc-editor.org>, "dnsdir@ietf.org" <dnsdir@ietf.org>, "roy.arends@telin.nl" <roy.arends@telin.nl>, "sra@isc.org" <sra@isc.org>, "mlarson@verisign.com" <mlarson@verisign.com>, "massey@cs.colostate.edu" <massey@cs.colostate.edu>, "scott.rose@nist.gov" <scott.rose@nist.gov>, "dnsext@ietf.org" <dnsext@ietf.org>
In-Reply-To: <fe59864c27d8a5fe54373410a50df687d0f98f34.camel@powerdns.com>
References: <1B5D0B11-9930-4D7B-ABC5-0AEDA3A4553F@cisco.com> <fe59864c27d8a5fe54373410a50df687d0f98f34.camel@powerdns.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsext/4j4uXNOxmrQ-v88OnJsC-nVDdwA>
X-Mailman-Approved-At: Mon, 14 Aug 2023 15:04:07 -0700
Subject: Re: [dnsext] [dnsdir] [EXT] Asking for review on this errata by DNSSEC experts Re: [Errata Verified] RFC4035 (5226)
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsext/>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Aug 2023 20:44:35 -0000
Peter van Dijk via dnsdir writes: > Before I posted the erratum, this was discussed on DNSOP: > https://mailarchive.ietf.org/arch/browse/dnsop/?gbt=1&index=zlZRR37eirlOz5Rt55xU3tMzngo > I am highly confident in your skills as an implementer, and I trust that you encountered a real problem here that arose from your approach to DNSSEC validation, but I'm not readily grokking what your approach was that would have led to it. In the mailing list examples, you asked authoritative nameservers authoritative for root-servers.net for the DS for root-servers.net. They both gave reasonable* answers, with d.root-servers.net giving an auth nodata for DS at its apex, and e.root-servers.net giving an upward referral to ask the .net servers. * [ignoring, for the moment, the general "upward referrals considered harmful" sentiment that is no doubt part of Mark's reaction] It is also my understanding that you preferred the referral response and had to implement a workaround for the auth nodata response. I'm guessing this isn't a qname minimisation problem, because with that you'd learn where the .net authorities are and would have asked them for the DS for root-servers.net, right? (Maybe I'm not right.) So if it's a full-name resolution issue, where you got data for whatever.root-servers.net that you're trying to build the validation chain for, and ... targeted the DS query at the root zone, and were unhappy when it answered from the point of view of root-servers.net zone? Because you were hoping that the query would return a delegation to the real authorities for it? Oh hey my debugging duck worked, I think. That doesn't seem to have been an unreasonable expectation on your part, yet I'm not sure that this exposes a specification fault. The workaround, I'm guessing, is the usual kind of "figure out who is really authoritative" stuff that we've needed since we came up with the DS being authoritative on the parent side. If the errata is accepted then it should probably then come with a side of "so this means upward referrals" and some kind of corresponding update to BCP 219's "In normal DNS operation, this kind of [upward referral] response is not required for resolution or for correctly answering any query." I don't think the errata as-is helps clarify the potential pitfall and how to avoid it. Personally I'm somewhere more inclined to patch up the language around "showing that the DS RRset does not exist in the child zone's apex" because in this specific case we're not really talking about "the child zone's apex"; the zone is answering for it's own apex.
- [dnsext] Asking for review on this errata by DNSS… Eric Vyncke (evyncke)
- Re: [dnsext] Asking for review on this errata by … Rob Austein
- Re: [dnsext] Asking for review on this errata by … Rose, Scott W. (Fed)
- Re: [dnsext] [EXT] Asking for review on this erra… Peter van Dijk
- Re: [dnsext] [dnsdir] [EXT] Asking for review on … Dave Lawrence