Re: [DNSOP] Acceptance processing in draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4

"John Levine" <johnl@taugh.com> Tue, 15 May 2018 18:29 UTC

Date: Tue, 15 May 2018 14:29:05 -0400
Message-Id: <20180515182906.5E92F2698BF1@ary.qy>
From: John Levine <johnl@taugh.com>
To: dnsop@ietf.org
Cc: ietf-dane@dukhovni.org
In-Reply-To: <1D06889C-770F-4F92-BF06-A76338AEB320@dukhovni.org>
Organization: Taughannock Networks
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/48UsFwkWCf2AtSFxAFWuGmZKWpY>

In article <1D06889C-770F-4F92-BF06-A76338AEB320@dukhovni.org> you write:
>For example, nazwa.pl has recently signed a bunch of domains with lame
>wildcard NS records under the zone apex.  This breaks denial of existence
>for all child domains, including TLSA lookups, and therefore breaks email
>delivery to the newly signed domains.

I think you will find that attempts to legislate against being stupid
do not generally turn out well.  It makes sense to check for mistakes
that might screw up the upper level name server like an invalid
algorithm number, but if they want to shoot themselves in the foot,
there's not much we can do about that.

There's no way to make a list of every possible stupid thing that
someone might do, so I wouldn't try.

R's,
John
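The kind of check John endorses, catching an invalid algorithm number in a CDS record rather than trying to enumerate every possible mistake, as an added Python example that is not from this thread or from the draft; the set of accepted algorithms and digest types is an assumed parent-side policy, and the sample records are constructed.

```python
# Added example (not from the thread or the draft): a parent-side sanity
# check on CDS records seen during acceptance processing. It rejects only
# what the parent could not publish as a DS and leaves everything else to
# the child operator.

# Assumed policy: DNSSEC algorithm numbers the parent will publish
# (deprecated and private-use numbers deliberately left out).
KNOWN_ALGORITHMS = {5, 7, 8, 10, 13, 14, 15, 16}
# DS digest type -> expected digest length in bytes (SHA-1, SHA-256, SHA-384).
DIGEST_LENGTHS = {1: 20, 2: 32, 4: 48}


def check_cds(rdata: str) -> tuple[bool, str]:
    """Validate one CDS record in presentation format:
    '<keytag> <algorithm> <digesttype> <hexdigest>'. Returns (accept, reason)."""
    fields = rdata.split()
    if len(fields) != 4:
        return False, "CDS must have 4 fields"
    try:
        key_tag, alg, dtype = (int(f) for f in fields[:3])
    except ValueError:
        return False, "key tag, algorithm and digest type must be integers"
    digest_hex = fields[3]
    # RFC 8078 delete sentinel: child asks the parent to remove the DS.
    if (key_tag, alg, dtype, digest_hex) == (0, 0, 0, "00"):
        return True, "DS deletion requested"
    if not 0 <= key_tag <= 65535:
        return False, "key tag out of range"
    if alg not in KNOWN_ALGORITHMS:
        return False, f"unknown or unpublishable algorithm {alg}"
    if dtype not in DIGEST_LENGTHS:
        return False, f"unknown digest type {dtype}"
    try:
        digest = bytes.fromhex(digest_hex)
    except ValueError:
        return False, "digest is not hex"
    if len(digest) != DIGEST_LENGTHS[dtype]:
        return False, f"digest length {len(digest)} does not match type {dtype}"
    return True, "ok"


# Constructed samples (not real keys): valid record, bad algorithm number,
# digest too short for its type, and the delete sentinel.
SAMPLES = ["12345 13 2 " + "ab" * 32, "12345 99 2 " + "ab" * 32,
           "12345 8 2 " + "ab" * 20, "0 0 0 00"]

if __name__ == "__main__":
    for rr in SAMPLES:
        print(rr[:20], check_cds(rr))
```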