IETF Logo Mail Archive

[DNSOP] Re: Fwd: New Version Notification for draft-yorgos-dnsop-dry-run-dnssec-02.txt

Yorgos Thessalonikefs <yorgos@nlnetlabs.nl> Sat, 20 July 2024 23:49 UTC

Return-Path: <yorgos@nlnetlabs.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B13BC14F615 for <dnsop@ietfa.amsl.com>; Sat, 20 Jul 2024 16:49:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uXvSLUhACy96 for <dnsop@ietfa.amsl.com>; Sat, 20 Jul 2024 16:49:17 -0700 (PDT)
Received: from mout-b-105.mailbox.org (mout-b-105.mailbox.org [IPv6:2001:67c:2050:102:465::105]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B988DC14F6A0 for <dnsop@ietf.org>; Sat, 20 Jul 2024 16:49:13 -0700 (PDT)
Received: from smtp1.mailbox.org (smtp1.mailbox.org [IPv6:2001:67c:2050:b231:465::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-105.mailbox.org (Postfix) with ESMTPS id 4WRNYH71R8z9vK0; Sun, 21 Jul 2024 01:49:07 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nlnetlabs.nl; s=MBO0001; t=1721519348; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=xhy/5PilKUiW05wzMX+ayyDhSN346Ve/lX+K92LkRAg=; b=tFn8syaw8ouIwevUrPueOW+4jz9gzfhOyvGxTa54bCYhCkuTuNh4g9K2ZqmOulQNgnTXtB vfodxlZhZHAYFV5A8SpZUpAYp6W1twJhccl6zxFQh++R2Rb33XzcEbsTB6AjNE/t/0X1Da wC6JQeellPIuP+AwhegAYQqC7NKqm69LpBTp0SKUCrcIEnGvGycjzWFvl81VuqbdnQ1oa1 xeRe083NeSxphDLwMiXZJ1NeoV1i8K1+gdw49KJpamk/Ev7rhbZWaJxlCSXsjUJm0T7Xtb qRonrZRsjdJPF0VixNu9Gwq7X1MGzJO40uDIZZot2IPzWn/Vatk+Xf3QFjtdlw==
Message-ID: <25e9c213-9737-42cd-8df9-4a2c4a9b269f@nlnetlabs.nl>
Date: Sun, 21 Jul 2024 01:49:03 +0200
MIME-Version: 1.0
To: Mark Andrews <marka@isc.org>
References: <659a0f2a-eb82-4769-ad80-63e4f3a24978@nlnetlabs.nl> <91EFD619-1F1E-4E5F-8BCC-4527E49C0B83@isc.org>
Content-Language: en-GB
From: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
Autocrypt: addr=yorgos@nlnetlabs.nl; keydata= xsFNBFfYHeYBEAC/8SdeXNspt9ZIoZRSL9juNLHA17TXcHdKSthgWBtwwWZbUPq8SJr7Y+hr 6jMCDKY9800QzLF0nLkyXnZgaBcvR0rRbCT/qvALJ0fpfjcotapZ1hBvomb9s8Bo28uKn8tb TMXYNsElUae4Ch/CrU1vfe50YoyQgLR8UBa15gV+2RmC+6jIqxDYS8sylWlDn6Qim+77feLl ObPnNdzgfWGZo14eJByTsz0qrh8aS/BS1FAsnEQ6W6AqukhpuKuWvoAUXKjfguXQolxeexub mKaLcGOTvecw+cbh/a5SPHRtRVr9qTxpelk6UEpakY5K9UtZkrG55VWih/4KqY9bNyhJBtpA k1fXA+mYfx5BcFpECYdU9kz4UgV5jK0HYRHQTLC91PPVQgH86we+Aae6TaJneCLEIzBK36Tg AP8RKrvFfPUym5OPYbWOom27QTKfRVcyxPKglJxrTSWixnKWS/pqxNY8hF9Ne4crRAF4wX2y BVbGnjNrS9TpYmjMwURbuYm+rWZk/8w5OJG60V3wax56c0jn/42O3Y2hzQ+PbOv2M4UuuajS 2YL3/KUsRLBapUpPQjzChwzdr/vzFEhk9XxK2VGMN+dh2HjYwDFendc5csyt/cVrg3LssVS2 bKy5g3IhrzCKAk0Sky4S5t/mcN+lWztNvCijuLz58GCym5GwJQARAQABzStZb3Jnb3MgVGhl c3NhbG9uaWtlZnMgPHlvcmdvc0BubG5ldGxhYnMubmw+wsGABBMBCAAqAhsjBQkPGq82BQsJ CAcCBhUICQoLAgQWAgMBAh4BAheABQJlEZpoAhkBAAoJEM/zNE2Qh6SQKwQP/2kt4M0be9OB vpRQbQ5Zz5C8eWChCcoEP4aMnS0jYtoe6t4B01WvuqQNplXlxiwFrjIZ/3xwH20jSWtn4wnI SYZYob3DvkUy5f4GglP0lGb4yZiLMNBWBOwVNPr5E77FZWJ6n7cPxkB30VUZhv0L+k6gUYXg 6jZm6Mij7c0wU1/M7KPn+ZwQC5IT/TTue1+CfaQwJJMQHUv96EwnrohiwROb70wyt+ZfUIdK E/2uaF8d2DR03rgr179I2sFfiraDxcS5Gzij0ZdtdD51tRZ+S3JG7wCpQ+yZSaF+SeN9yAjM 4sMe00xT0e8L2xhFPqaBiDoxbQxRP3rhwg8OfQ8eSO7Th+TqqfM08ijcTjhHCTD/PSanC7CJ dP0+Uvk1wO8xlM5q5bGEExoNcUrrLUf9UZc5VbVjxmGz/m6uDQZhGoPYv0wASEhlO976nM6V lwmn7XfwqbmgvwtwKTzxeCyjhYneamM72If9TuypV2Fyi98RmqiJ0lxHrQ5dD/SDHWOjmONU TSHMsdhpFndH1QlKgDJ6mY1BMLHE4m568mTn1jMvs5iHyMzjJTUBvsSb4zZHyyIuizKz1YUZ gDfq7ALIoMfSt63P6D7vXdidEEMDjcnsSQpvJ/LQWfwWx9E4PhmkBuH1vdk3/SH7U+5QCgJL 9g9I59Ipgsr0zhJSNXBuD4BYzsFNBFfYHeYBEAC2h9yjSe2SgtcB0H+E0ndaewaZaQCE7q+R O43dotGH9eFnVwE4/ftcK1SN42ihlF5OnTaKPyXvgQ6U8W8VB8eLjeTwA/dSXuJX7kJpEK8s aPqJP6zTUmPqp/GSzS6YrhKLfpFn4chmywpDFcGNMz0sYXiJgPqKL7W0KuG+ziPToAeWl8ck eXyl77/lHVhWYylaQJEASklqCViPXSp9vI7/57UEm4MQPXwsDBOwuVVqcSu3ZM5MtY9XlbVP NCYmZIMqmh8HgYwbiq9dTfJi+6v17+uDQGZewWK/WwFM+9dDx7YkTeOBiUduYtJPW64NW/RJ 7pskbLAy+OZApTZWg0cISN6GOmPN3F0AiWzUjvSMREHhFHyxj4Y15vuDOFvPGFxr4xBiyMX1 JLCKK6OFnyPfoJ9v/o3UgrQgLrfXCmKdvkwBCgJvN3Fsxzha6Dtf6RcZ02fr7SCZZhdBrlrf lvC1uWZ0g3A87ss7h4Iw3njlO3aX6Bo9R4VOLUkiRKi4hmQBxPvXxI2ERmKRomo6lrMaDMzI jD4APSM1vUfZguzQxVYpM8lwy1COeqxsj5p+LH6f/EU+4dXZwooJ1uanBOvG2ntnz8SErE+e 7wNYE4a/fb8xYM4j7p6qYtnNZPb8sj8bvx8iWXp4A1csVetyVSchBhTVQhhNos6ouYpc4ibr YwARAQABwsFlBBgBCAAPAhsMBQJlEZm7BQkPGq9VAAoJEM/zNE2Qh6SQS0MP/16XU1WaPLyY 8wIeincUS52KzudWWi9nfQvZvL0H7+w8iRpkP3qjFRMW3jYKOKGD4hF7FXl8hKHNxhyFgmIh T/beqrA9MhgQslIHZ88Jd7P0Jfi+EiCqzOCVo86avBxCi74Uk0AEzSQ3lpmqfiYnViXxs6tH IUsdcd/m3lwv5M/O/wu/WlPNFx0HSkZlWIRAEsyL13zaoF+UwRRjrMrELL6s4lffO3jzGo9F Z3BTDB7gRlU26sxwPHrIva91txhtZbNlE81/zvRmkOAMKG8HA3y9atwez4jP8pn+wJnj/WlI jWTcrmVv8uBTh2CtYymI2/fHIyJ1HElBb/V77JMlhNK/3eMOLLO8ajc96K/O1Y3R/5pijDDG DELPWrqNdGV9mGq5owG7sjYGSKQ9WFJ0Y5WvEzg11z8/Fh2Pw6O0ojteWhhNrI0s7HbudZn2 xO4QY9kdNA+UzUxmealXgef5kb8M2msF0tWuGn+xP/hcljLg2bk8V5ZCzVNTO9b8Z+bGVQR1 GmnkLePj7NGBVSciCvcR79JJG0kyPsirdjORMXQQWA5i8IYukO8amUcYeSQW6MR7tKq7+7+4 mLKtwOXV2EZ2B+nHhiTTiqb8rCt0nsY0lt7gHni83InToz4k2eFo4WuOXMdLPwmQPJwaXCFg 3B8+NrtIAE8F4VHNKaM70rYX
In-Reply-To: <91EFD619-1F1E-4E5F-8BCC-4527E49C0B83@isc.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Rspamd-Queue-Id: 4WRNYH71R8z9vK0
Message-ID-Hash: NR73KNWBHWDSG3D3OIIHMCUPVRS7JVDL
X-Message-ID-Hash: NR73KNWBHWDSG3D3OIIHMCUPVRS7JVDL
X-MailFrom: yorgos@nlnetlabs.nl
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: Fwd: New Version Notification for draft-yorgos-dnsop-dry-run-dnssec-02.txt
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-4RkPh0gKs-T_HoYFr2KclZ83Fo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Hi Mark,

On 21/07/2024 00:20, Mark Andrews wrote:
> DS is the wrong logical point to signal dry run or at least there should also be a key flag otherwise a parent can downgrade the security of zones that don’t want dry run semantics.  Additional validation doesn’t require the DS to be present. It is only required to validate the DNSKEY RRset.

Isn't the parent downgrade attack the same as the parent pulling the DS 
altogether?

In the beginning we were thinking that a flag in the DNSKEY itself could 
also work for dry-run but that has the disadvantage of requiring to 
change things in your signing procedure.

What we strive for with dry-run and DS signaling is that if the zone 
under dry-run testing is ready to be secure, the operator does not need 
to touch anything on the already signed (and tested!) zone.
The turn-key solution is to just replace the dry-run DS with the real DS 
in the parent.

Best regards,
-- Yorgos

v2.43.4 | Report a Bug | By Email | System Status