[DNSOP] Re: Last Call: <draft-ietf-dnsop-structured-dns-error-12.txt> (Structured Error Data for Filtered DNS) to Proposed Standard
Stephane Bortzmeyer <bortzmeyer@nic.fr> Thu, 24 April 2025 13:15 UTC
On Wed, Apr 23, 2025 at 11:19:26AM +0530,
 tirumal reddy <kondtir@gmail.com> wrote
 a message of 450 lines which said:

> > * In Section 3, "However, this approach is ineffective when DNSSEC
> > is deployed given that DNSSEC ensures the integrity and
> > authenticity of DNS responses, preventing forged DNS responses
> > from being accepted." There are assumptions about DNSSEC
> > deployment baked into this statement. In practice, it has little
> > preventative force.
> >
>
> The existing text in Section 3 is intended to describe the behavior
> when DNSSEC is deployed, and is agnostic to the actual deployment
> levels of DNSSEC globally. It makes no claim about how commonly
> DNSSEC is used in practice.

I suspect that Mark was not referring to the size of the DNS
deployment but to the fact that there are several deployment
strategies possible. For instance, DNSSEC validation can be done on a
remote resolver (ISP, corporate network) but also on a resolver local
to the machine. In the first case, forged DNS responses won't be a
problem for DNSSEC if the forgery is done by the remote resolver.