[DNSOP] Re: Working Group Last Call for draft-ietf-dnsop-ns-revalidation "Delegation Revalidation by DNS Resolvers"
Philip Homburg <pch-dnsop-6@u-1.phicoh.com> Tue, 18 March 2025 13:23 UTC
Return-Path: <pch-b6CAFA0C7@u-1.phicoh.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 63BFBDEC671 for <dnsop@mail2.ietf.org>; Tue, 18 Mar 2025 06:23:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MOe4ieTbBVmJ for <dnsop@mail2.ietf.org>; Tue, 18 Mar 2025 06:23:06 -0700 (PDT)
Received: from stereo.hq.phicoh.net (stereo.hq.phicoh.net [IPv6:2a10:3781:2413:1:2a0:c9ff:fe9f:17a9]) (using TLSv1.2 with cipher ECDHE-ECDSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 918E9DEC655 for <dnsop@ietf.org>; Tue, 18 Mar 2025 06:23:06 -0700 (PDT)
Received: from stereo.hq.phicoh.net (localhost [::ffff:127.0.0.1]) by stereo.hq.phicoh.net with esmtp (TLS version=TLSv1.2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305) (Smail #158) id m1tuWuO-0000NOC; Tue, 18 Mar 2025 14:23:04 +0100
Message-Id: <m1tuWuO-0000NOC@stereo.hq.phicoh.net>
To: dnsop@ietf.org
From: Philip Homburg <pch-dnsop-6@u-1.phicoh.com>
Sender: pch-b6CAFA0C7@u-1.phicoh.com
References: <CADyWQ+GHwYS3T=M+7655Ps5f-mJ7H3FfstDGvHsR_D=eHXf43g@mail.gmail.com> <SA1PR15MB43705D3DBC37FB92F3BA5714B3DF2@SA1PR15MB4370.namprd15.prod.outlook.com> <551bb4a8-f787-4caf-8615-c284203d7b7e@nic.cz> <CAHPuVdWwFGKE7QRHXP1Ru9geQdV+VY4-Z-AYgkhac7dQuB9cZw@mail.gmail.com> <6fa27e23-ec6d-4989-8068-aafb4925d1dd@nic.cz> <CAHPuVdUy1s9gaQyJ=GiqdxAPZwUc2-4HvQBCb77c-Zh5feAjvg@mail.gmail.com> <C5ABE18F-AB8B-4654-BF93-D660D4240446@fl1ger.de> <2a6088fb-3275-464d-bca1-92a4cbaa78aa@nlnetlabs.nl> <2b862da9-e428-47f3-9ecc-c55a4e589bac@desec.io> <a23915b8-3a28-417c-a709-ef3123c4a74d@nlnetlabs.nl> <bc9d2dba-9a9c-4fe5-a484-ace272836007@desec.io> <94da4d77-2904-43ba-9bcd-27e22e6a4604@nlnetlabs.nl> <CAHPuVdUgisVwUm+67x54RnkypAR+=mC9D8uFB_nkRkq_0+2pPg@mail.gmail.com> <13acb74f-c109-42b4-bc74-0cc10e7ad5c4@isc.org> <m1tuT8u-0000N4C@stereo.hq.phicoh.net> <d987e221-b96b-4651-8cc9-700935404198@nic.cz> <m1tuWCF-0000MkC@stereo.hq.phicoh.net> <2b7c7027-2007-4561-9fed-014b06c8832d@nic.cz>
In-reply-to: Your message of "Tue, 18 Mar 2025 14:14:21 +0100 ." <2b7c7027-2007-4561-9fed-014b06c8832d@nic.cz>
Date: Tue, 18 Mar 2025 14:23:04 +0100
Message-ID-Hash: ZGK56ICJLX7GP5LDMZV5R4FBMKDQXLTH
X-Message-ID-Hash: ZGK56ICJLX7GP5LDMZV5R4FBMKDQXLTH
X-MailFrom: pch-b6CAFA0C7@u-1.phicoh.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: Working Group Last Call for draft-ietf-dnsop-ns-revalidation "Delegation Revalidation by DNS Resolvers"
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/25RuAV777nAsEd8D4cRkt1DOxIc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>
>> This is a question of attack model. If we say that this attack model is >> unrealistic, then we should document that somewhere. And explcitly say >> that those types of attacks will not be considered by the wg. > >If a name wants poisoning protection, they should sign it. Parent-side NS records are never signed. But I think we should not make such statements only on the mailing list. Unbound contains a significant amount of processing to try to protect unsigned zones. If we have consensus that unsigned zones are not worth protection then we need to be public about that. It is possible that quite a few stateholders that use the internet would become quite upset if we were publish a statement like that. So maybe until we find consensus about a statement that unsigned zones are not worth protection, we continue to act as if they do. Finally, there is also the issue of privacy. Because parent-side NS records are never signed, an attacker that can subvert the priming query for the root zone can inspect all of a parent-centric resolver's traffic. I think that is not in line with the IETF's stance on privacy.
- [DNSOP] Working Group Last Call for draft-ietf-dn… Tim Wicinski
- [DNSOP] Re: Working Group Last Call for draft-iet… Ben Schwartz
- [DNSOP] Re: Working Group Last Call for draft-iet… Shumon Huque
- [DNSOP] Re: Working Group Last Call for draft-iet… Vladimír Čunát
- [DNSOP] Re: Working Group Last Call for draft-iet… Shumon Huque
- [DNSOP] Re: Working Group Last Call for draft-iet… Vladimír Čunát
- [DNSOP] Re: Working Group Last Call for draft-iet… Shumon Huque
- [DNSOP] Re: Working Group Last Call for draft-iet… Ralf Weber
- [DNSOP] Re: Working Group Last Call for draft-iet… Willem Toorop
- [DNSOP] Re: Working Group Last Call for draft-iet… Peter Thomassen
- [DNSOP] Re: Working Group Last Call for draft-iet… Willem Toorop
- [DNSOP] Re: Working Group Last Call for draft-iet… Peter Thomassen
- [DNSOP] Re: Working Group Last Call for draft-iet… Willem Toorop
- [DNSOP] Re: Working Group Last Call for draft-iet… Petr Špaček
- [DNSOP] Re: Working Group Last Call for draft-iet… Willem Toorop
- [DNSOP] Re: Working Group Last Call for draft-iet… Ondřej Surý
- [DNSOP] Re: Working Group Last Call for draft-iet… Shumon Huque
- [DNSOP] Re: Working Group Last Call for draft-iet… Peter Thomassen
- [DNSOP] Re: Working Group Last Call for draft-iet… Shumon Huque
- [DNSOP] Re: Working Group Last Call for draft-iet… Shumon Huque
- [DNSOP] Re: Working Group Last Call for draft-iet… Peter Thomassen
- [DNSOP] Re: Working Group Last Call for draft-iet… Shumon Huque
- [DNSOP] Re: Working Group Last Call for draft-iet… Peter Thomassen
- [DNSOP] Re: Working Group Last Call for draft-iet… Shumon Huque
- [DNSOP] Re: Working Group Last Call for draft-iet… Willem Toorop
- [DNSOP] Re: Working Group Last Call for draft-iet… Shreyas Zare
- [DNSOP] Re: Working Group Last Call for draft-iet… Ralf Weber
- [DNSOP] Re: Working Group Last Call for draft-iet… Ondřej Surý
- [DNSOP] Re: Working Group Last Call for draft-iet… Willem Toorop
- [DNSOP] Re: Working Group Last Call for draft-iet… Shumon Huque
- [DNSOP] Re: Working Group Last Call for draft-iet… Petr Špaček
- [DNSOP] Re: Working Group Last Call for draft-iet… Shreyas Zare
- [DNSOP] Re: Working Group Last Call for draft-iet… Willem Toorop
- [DNSOP] Re: Working Group Last Call for draft-iet… Peter Thomassen
- [DNSOP] Re: Working Group Last Call for draft-iet… Vladimír Čunát
- [DNSOP] Re: Working Group Last Call for draft-iet… Petr Špaček
- [DNSOP] Re: Working Group Last Call for draft-iet… Philip Homburg
- [DNSOP] Re: Working Group Last Call for draft-iet… Vladimír Čunát
- [DNSOP] Re: Working Group Last Call for draft-iet… Philip Homburg
- [DNSOP] Re: Working Group Last Call for draft-iet… Vladimír Čunát
- [DNSOP] Re: Working Group Last Call for draft-iet… Willem Toorop
- [DNSOP] Re: Working Group Last Call for draft-iet… Petr Špaček
- [DNSOP] Re: Working Group Last Call for draft-iet… Petr Špaček
- [DNSOP] Re: Working Group Last Call for draft-iet… Philip Homburg
- [DNSOP] Re: Working Group Last Call for draft-iet… Peter Thomassen
- [DNSOP] Re: Working Group Last Call for draft-iet… Vladimír Čunát
- [DNSOP] Re: Working Group Last Call for draft-iet… Philip Homburg
- [DNSOP] Re: Working Group Last Call for draft-iet… Willem Toorop
- [DNSOP] Re: Working Group Last Call for draft-iet… Willem Toorop
- [DNSOP] Re: Working Group Last Call for draft-iet… Ben Schwartz
- [DNSOP] Re: fujiwara-dnsop-resolver-update Ondřej Surý
- [DNSOP] Re: Working Group Last Call for draft-iet… Petr Špaček
- [DNSOP] Re: Working Group Last Call for draft-iet… Ralf Weber
- [DNSOP] Re: Working Group Last Call for draft-iet… Shumon Huque
- [DNSOP] Re: Working Group Last Call for draft-iet… Shumon Huque
- [DNSOP] Re: fujiwara-dnsop-resolver-update Kazunori Fujiwara
- [DNSOP] Re: fujiwara-dnsop-resolver-update Shumon Huque
- [DNSOP] Re: fujiwara-dnsop-resolver-update Ondřej Surý
- [DNSOP] Re: Working Group Last Call for draft-iet… Willem Toorop
- [DNSOP] Re: Working Group Last Call for draft-iet… Shumon Huque
- [DNSOP] Re: Working Group Last Call for draft-iet… Petr Špaček
- [DNSOP] Re: Working Group Last Call for draft-iet… Willem Toorop
- [DNSOP] Re: Working Group Last Call for draft-iet… Shumon Huque
- [DNSOP] Re: Working Group Last Call for draft-iet… Benno Overeinder