IETF Logo Mail Archive

[DNSOP] Re: Working Group Last Call for draft-ietf-dnsop-cds-consistency

Joe Abley <jabley@strandkip.nl> Wed, 11 June 2025 12:13 UTC

Return-Path: <jabley@strandkip.nl>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 2D2FE33A574C for <dnsop@mail2.ietf.org>; Wed, 11 Jun 2025 05:13:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=strandkip.nl
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c9bKy9W8BrSu for <dnsop@mail2.ietf.org>; Wed, 11 Jun 2025 05:13:52 -0700 (PDT)
Received: from dane.soverin.net (dane.soverin.net [185.233.34.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 3A31933A5731 for <dnsop@ietf.org>; Wed, 11 Jun 2025 05:13:52 -0700 (PDT)
Received: from smtp.soverin.net (unknown [10.10.4.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by dane.soverin.net (Postfix) with ESMTPS id 4bHPhY3pV0zcLC; Wed, 11 Jun 2025 12:13:49 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net [10.10.4.100]) by soverin.net (Postfix) with ESMTPSA id 4bHPhY1qY1zPf; Wed, 11 Jun 2025 12:13:49 +0000 (UTC)
Authentication-Results: smtp.soverin.net; dkim=pass (2048-bit key; unprotected) header.d=strandkip.nl header.i=@strandkip.nl header.a=rsa-sha256 header.s=soverin1 header.b=mBFRRj5Y; dkim-atps=neutral
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=strandkip.nl; s=soverin1; t=1749644029; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=T1rvNg8VWnQgg4Rh/lojtt5p7CqcWxPqCbkccQUt+6M=; b=mBFRRj5Yx7JOuXssG3igKxLPlQdvwDUdWpX0fEZrGUdW2yRfEbIEk8p8Dno/YNI/ReIAtb XVH2GKQaPZqOTRzdNy/ffzXunqo1KlT+ApYl+oT04S9vEkQ/Rkw0UmkJxA8co8xOXr1RiM mznwjQ3bHyu2o9zBJfpMYyWVqNX8eLGll1b7FobESOmoXMDTyOHwzXCHiSZKyjDZ+Zveqx W+Q23PQRjJURttERIeWi8KTTfTh3vIg/FgSdlbvdYNWvU7PRt8KgGascfVCkQNXtCWGq7H znVEnWJ+TPx492fso/Dj4so4nhj+icsBkGcHX9pOUaA+TOg7+PapyMIcc6/3OQ==
X-CM-Analysis: v=2.4 cv=UsCZN/wB c=1 sm=1 tr=0 ts=684972fd a=efeJSdlRpCmiidMa2kZs2g==:617 a=xqWC_Br6kY4A:10 a=48vgC7mUAAAA:8 a=Wu7z_i5_AAAA:8 a=myXJySGqxRMtCqzeZiwA:9 a=QEXdDO2ut3YA:10 a=uQS3TObfUh-gkXd_:21 a=_W_S_7VecoQA:10 a=iYyrv_djfsieO7j-mCZ5:22 a=ADiJHLWpjGBBXEl7-v_j:22
X-CM-Envelope: MS4xfGmkD/YrUShPUR5lCzEgQda8lKhpjsJugj02VK0MZm1c1SubA0y90HX/olICwnIzVr2cQ4lR3zoGQISo4XG74qVfaQRaWJscveHxz2u0pk6r7TfkqU6V d3ZdhtfNZBTDNZx+U3ws62usR8ujyc3Uf7genrqo7NhpZ+u4haiT0YskxHLrg/uWQjFp0OB5loQB4us49aEproKsaqlU5VgV8AJxzvcQTJRqhoGdOgN/lXit 0KHsXOib6uzeF+db1BmwFT4k53rJCRvob+wldtERUAY=
Content-Type: multipart/alternative; boundary="Apple-Mail-9DBA71FA-4DDC-4CDE-AA23-77E3E0022357"
Content-Transfer-Encoding: 7bit
From: Joe Abley <jabley@strandkip.nl>
Mime-Version: 1.0 (1.0)
Date: Wed, 11 Jun 2025 14:13:38 +0200
Message-Id: <AE182B59-62AD-42BA-8490-FC6F7F80D4F1@strandkip.nl>
References: <C586176E-4D7E-454D-8607-ADFAD602B01E@sury.org>
In-Reply-To: <C586176E-4D7E-454D-8607-ADFAD602B01E@sury.org>
To: Ondřej Surý <ondrej@sury.org>
X-Spampanel-Class: ham
Message-ID-Hash: YIO4ZOYHEHWG4WEVTRFNYOPA26N5PM7Z
X-Message-ID-Hash: YIO4ZOYHEHWG4WEVTRFNYOPA26N5PM7Z
X-MailFrom: jabley@strandkip.nl
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: Working Group Last Call for draft-ietf-dnsop-cds-consistency
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3FCTBQ5VQSHkY8NHWO_lTe6-oi4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Hi Ondrej,

On 28 May 2025, at 14:42, Ondřej Surý <ondrej@sury.org> wrote:

> this starts a Working Group Last Call for draft-ietf-dnsop-cds-consistency
> 
> Current versions of the draft is available here:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-cds-consistency/
> 
> The Current Intended Status of this document is: Proposed Standard

I don't think the recommendations in the document will do any harm, and some people think they are useful, so I think it is fine to publish this advice. However, I do have some reservations, about which I am happy to be told why I am wrong.

The core advice:

   This document therefore specifies that parent-side entities MUST
   ensure that the updates indicated by CDS/CDNSKEY and CSYNC record
   sets are consistent across all of the child's authoritative
   nameservers, before taking any action based on these records.

is, in general, not actionable. The full set of authority servers for a zone are frequently not available from a single vantage point, since a single nameserver address often maps to many different individual servers which may or may not serve consistent information (e.g. when an individual NS target is deployed using anycast in one or more address families). Depending on how you count them, most nameservers are anycast, so I think it could be said that this is not a niche observation. The revised advice might boil down to "instead of just looking for an answer as a stub resolver would, look at a random two out of 100,000 possible authoritative servers" and I'm not convinced that is much of an improvement.

I am also not very convinced that incoherence between authoritative servers or the effects of caching are good reasons to do this. I can see how there are failure modes where those effects could be unhelpful, but there are always more failure modes and sometimes I think a failure should just be a failure and the greater mission  is not actually helped by the application of yet more duct tape.

With respect to multi-signer configurations, I think the right way to solve that is to sync CDS and CDNSKEY between participating signers just as the corresponding DNSKEY RRs are synced. This seems like a solution that is more effectively aligned with the problem; to put it another way, multi-signer implementations would be more robust if they didn't have to make assumptions about whether the polling advice in this document was followed or not.


Joe

v2.39.1 | Report a Bug | By Email | System Status