[DNSOP] Re: Last Call: draft-ietf-dnsop-ds-automation-05 — audit continuity for automated DS decisions
Peter Thomassen <peter@desec.io> Sun, 10 May 2026 11:11 UTC
Return-Path: <peter@desec.io>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 635EAEC0B217; Sun, 10 May 2026 04:11:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1778411475; bh=MHArjB8DHztUuSk9QHQImL82WEMfG5B9SGYQe9C/5dk=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=OM3oWDa2PGx771GxVoZ2W1tf4dTAgVpT74G5DmBu2zemUIrFpRdwZ3u7CkCI5waS5 yLmAuxZGAiiNTFZtXzlNU8viPw/qyG7V9JeZ7/QCEe+89Obc2ibxgQawSAGZPTslEy dZZospr170uZhNt5wZXzQTSSfcUx/L+OnLEyOnks=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.8
X-Spam-Level:
X-Spam-Status: No, score=-2.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=desec.io
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RmG_SylUHwjg; Sun, 10 May 2026 04:11:11 -0700 (PDT)
Received: from mail.a4a.de (mail.a4a.de [IPv6:2a01:4f8:10a:1d5c:8000::8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 59BC3EC0B20E; Sun, 10 May 2026 04:11:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=desec.io; s=20170825; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:From: References:Cc:To:Subject:MIME-Version:Date:Message-ID:Sender:Reply-To: Content-ID:Content-Description:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=oR0jkvIOC5fTEh//FY8X0z9D1uf2VAEfD7HRaAwSSOk=; b=LOXAI3fGztQFtkTARLrblEC8Mc L+3Yn5DP+ZU3LQrhp2xAmTD0ZYIhyF4uB7yVTvwAVPZjfuUIqQcvJKcwJiQTEVd3h9v9S1jtt+jap ZPlJdgaz/jp+fiF7fvDf6zjPjwa7h4J1yDXyiOw1fTc4ooqGkJqj/YxS/KObDaB/LNkvE+PG+X/Qk FLk82VKmhDk0zWb9F1g1R8L8uR5+HKH8+2QMN3iEHIjfdz0HeFTS5w3KrksdWyiGo0lihhiFByHjR 28NEzxpDXd9CvLp+Co094H0tTvIn9Yym6xpZjr0S7iLKyvBvxv7NMuvAbUCQagFz7n7LQb2+XXdF7 X/et0zDg==;
Received: from [2001:9e8:16dc:d300:5f2:7fc5:684:f030] by mail.a4a.de with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.97) (envelope-from <peter@desec.io>) id 1wM23s-00000001MET-1aCc; Sun, 10 May 2026 13:11:04 +0200
Message-ID: <8f28d04a-23e7-4114-b028-bb4fd425bd3d@desec.io>
Date: Sun, 10 May 2026 13:11:03 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Meir Goldman <fazon=40fazoncore.org@dmarc.ietf.org>, Last Call <last-call@ietf.org>
References: <TLZP290MB03039B719E48F9F684D79A87B52B2@TLZP290MB0303.ISRP290.PROD.OUTLOOK.COM>
Content-Language: en-US, de-DE
From: Peter Thomassen <peter@desec.io>
Autocrypt: addr=peter@desec.io; keydata= xsFNBFRjVn0BEADXqtra70yxQrT4MQ9DEhN0mxG6XRAOHE6nP18mqxwSlcET7D6w+z3h4ole v0tyvUU02c2wg04X8WVfjoHnAvIa1dfUcNpB1+QmfFsw0xIJlbT1ogHkMiPQqR4ChDvE3ND/ 6YCS5+HT6hY+tfU+hpLsKw4l+u1Pg2NPVLYosET1jU84b7xhFnoicnCV3kUNltLtxLKSBAfk AXtp1AWWKJbfCr3y0qKElMriicoe5DUZfLrZK2iPcWBxh+n7KMO2g7aqx3aQqwW1+S7Sq7Is l6iSurYfIcHb4AfUy4o5nPB8kKACR6BuJmkEQ5WLuTGruWA2fcxaNpICmolMinTzW1CrIjgN PoskMYCNIZ2uWxS6LN8hBiGCRL4h9aL4wuT09SvR13oAPI1HD5ph+mH6wD37/ONBXrdjcFNb 1l/uVkHU/SwwcKDJOsX18T60Ao00fciTbFHgmKtFube0xGK/vjh461TyU+xKD8Orvyeovvxy MzCwM3UVq/dkdG2Ys/7Qy/4bUC1nJEwKlLv7ZTdtSckdoU2M6JpPX6i4KDB2YCMbwtqJ842z 8A/UuE2bL9aDimh/sF8WgPIhlxqF1STNqW1JTIbDPv8HeZnM4nyJOUWStj4uRiETQhBClPLz YWtnR+EUsfbSLy81vfupbMqRasDlt6aASobgn+K7Rb1Xs/mDnwARAQABzSBQZXRlciBUaG9t YXNzZW4gPHBldGVyQGRlc2VjLmlvPsLBeAQTAQIAIgUCVGNWfQIbIwYLCQgHAwIGFQgCCQoL BBYCAwECHgECF4AACgkQ79YUOj7yLS88Dg//SbHnFGrtaImEiM69wyj4GzWnuGk9/upCym/R RzdBALCYHU9FUFFHwusiO9A0pnO8qv/GEtqqTHrcL205a6FTivkdZmOsWuN4oo7r4HBc/taI FLLUDg2wd8q4m4387sYEqrc3olGfyRB6hrMtEWVJLXHJmpcrxAaI1F2QO4Bu7kcdTnyGFz/p ZD8XAof2TWHqJb2ux69DFhiAJeAZlV+h9QrxTedL84l4hq3x1VWsnOEFaCJiThDX920kTnhJ ijrDocgAbmQBCniPACpPHYhBhmCJxfVqgfMuLMNsukOmKxsGcGV6rO1zB5ZUhm3O/Ixk6ow3 6FDKALWihg6Z4P/cJYySMn0iqvHkO8ryT9oJKX//mKaYoF6henXDRLCcRjKwGxFQTEgX+6yc pjgvX3rlypjkPT5ho4yEc5ePkQ2gIIHhvZburm1Zr4nDPx6v8+3XUjpXBRTWQ8/0/h0rtLJe yOPwGJxcfKf/GutTCqiio0mS01mIY9c2i7JWcljlIuSEUit6CHotc5lBOm2GJwguRJG6cXPY SQecwBdcjH3RTzBOv/DN6xWAIV7BmbX/e7DSGAc60mBO1/M0ut+a6CkxRQK8TaE3B3zh1/QO nG0XvtZfIY8ZYdTrdEDSV1Pj5pof/fqhhegHRxN2qi4qIuVcrW0jsUsx10IgAynHR7qQKsvO wU0EVGNWfQEQAPBA8iPCS4ZRX8stW0WuW7579axSq/Luyik4MWDFalt68lzvUbV0f6faN15+ aV7VwMTw3rSa2tP0U8crYAAAZ5NrRHXlYms5BK9vsi1322dAvhyNRawdprP627SO+Ez/84tY xz1X3M9esbN7gpJtHP6mHW76zYpT447v6c2qlbldjobZTDb6kKSGFCIrPJz9M4jVfya+ovxe 2Ab7hn2R0CcyMHATV5g1Ry0XXaj5y3bWypActbG9nflRn3NjhHZynu+WEPDUJCO8kNVNYKOw HObNTeaLvgvU0ONB8pYJv35kDXMhZLwo5MJuJd5i54CXwpo9mECwLJT1RpJi7u98nBrWyyaH s2brG9LPCRKBKOhiHFu57H+cElh+kOvehuS7DFTzjqDwJlkQzP5Hq0G++hZxfdYocKdcdFoh RP3dtDAe+Lfiy9qzJicZ6ACbzoQIN58xj0VWAn1W7SuMErOjv84D/FiXHD2Kxtx09wQl8vH0 Nbh9UgyDBNupToM0ixT+8Ko8eBuYHR53RPxshQhFw4EMIhXiOaxNe1W2Z95QPnYhUGOMoy3I v4fxMQUHa4kZSF2qxsFB1Cxol/aBPGwkwoqUvzp23pLQtJ6youYXtLgvx3pR4L52Q5CUzHMa HvM67XWgW1KqtnvNBXN9PwtDz/a9fQX1YO4CegrXv8C9Ro+LABEBAAHCwV8EGAECAAkFAlRj Vn0CGwwACgkQ79YUOj7yLS8rXA/9EGX2QRfJS94JTdtseu7saTK9a3IKwk6E33GpfXyUVpMt sOqV756XQwULZSWoxInRQtWojA8pQxDUYrbA4MpX0Efr2Dx1xIsJ5F3JajOqViB1SbOD2m0f bxXbcoWKitsKoag2SlvNOd8rD9FcgDvrkacnaQZcZE8DyyGx0JU451tfoD/igu85NZpTDaWG 6fth7QRlxmdGWrGXRdXAP29jq1n0I1wIyF/bXlZ7MXjOSsfyPddzsnHFTvNMZKps0QXNF+hi ESg9chIeo/IFDDVu6pCtm6mftojx84rczTZiNk8r2T3TU4N8uwWtXn/nj9xd61pnxD0xkTPH zxJrCs59WSfYqj3aFNkWO3Lg0/HGnO9wHQKMXcGPsnKITHVzxCNBQtVHomNA7ds6Kt3/WJgS pU2ciICvrpvKgPNWQ0d/SeY3vYIRvDLZ12Svx6M3eXDrsgZOT5be7kGVr3t7dBOYKcRHkZUq kU1kCcgp0vetISVDOc5fkpdUkAtd5/13pIpz4ikVR3OM4Br4XMVShm6RvoP4pyA+ftCi1+bw 0UbRCrnHgnG+wtCf5nMDGVLc04vITnII+ESZqlF02a1IFj0Z2MuQK2Oszl2Nsx/LG60G1e/R pzKEXIIJgHfbwUCWtV1zQu6v9Ng5H8EqVeWcdaPUwSQMGcDg/sPa4s/OxhgrYBg=
In-Reply-To: <TLZP290MB03039B719E48F9F684D79A87B52B2@TLZP290MB0303.ISRP290.PROD.OUTLOOK.COM>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Message-ID-Hash: SCWEVDK75TTLK7E3F5425JES6U5UW3LJ
X-Message-ID-Hash: SCWEVDK75TTLK7E3F5425JES6U5UW3LJ
X-MailFrom: peter@desec.io
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "dnsop@ietf.org" <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: Last Call: draft-ietf-dnsop-ds-automation-05 — audit continuity for automated DS decisions
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/5vAfmsZmzbubReB4yOFevpMdhSI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>
Hi Meir,
Thank you very much for your review!
On 4/24/26 21:17, Meir Goldman wrote:
> I support the direction of draft-ietf-dnsop-ds-automation. One operational gap worth tightening is audit continuity for automated DS decisions.
> The draft already recommends acceptance checks, cancellation when checks fail, notifications, and optional exposure of DS update history through customer portals. For operational safety, I suggest adding a short recommendation that parental agents retain structured decision records for automated DS maintenance, including failed or cancelled requests.
> Suggested addition to Section 5.1 or Section 9:
> Entities performing automated DS maintenance SHOULD retain structured records of DS automation decisions for a locally defined retention period. Records SHOULD include the child zone, triggering CDS/CDNSKEY RRsets or notification channel, authoritative nameserver set consulted, verification results, decision outcome, applied DS RRset or cancellation reason, timestamp, and the responsible parental agent. These records are intended to support troubleshooting, dispute resolution, and post-incident analysis, and need not be made publicly available.
This is a great suggestion. For context, the recommendation to make the DS history available earlier did not find consensus on the SHOULD level, as that would require major refactoring for certain registries. Everyone agreed that it's a reasonable/good thing to do, so it was included as a less binding recommendation.
Similarly, I'd expect there would not be consensus for including your proposal on SHOULD level. I've therefore added the following paragraph in Section 5.2, which describes the details on "Reports and Transparency":
NEW
For troubleshooting, dispute resolution, and post-incident analysis,
it is instrumental for the Parental Agent to retain structured
records of DS automation decisions, including timestamp, triggering
CDS/CDNSKEY RRsets, notification channel, authoritative nameservers
consulted, verification results, decision outcome, and the applied DS
RRset or cancellation reason.
https://github.com/desec-io/draft-ietf-dnsop-ds-automation/commit/c0925cd64e32dcd2924334567f200d220e7626e0
I hope this works for you -- in case it doesn't, please yell :) Preferably this week. Thanks!
Best,
Peter
- [DNSOP] Last Call: draft-ietf-dnsop-ds-automation… Meir Goldman
- [DNSOP] Re: Last Call: draft-ietf-dnsop-ds-automa… Peter Thomassen