[DNSOP] Does DNSSEC need a dry run?
Joe Abley <jabley@strandkip.nl> Sun, 21 July 2024 00:16 UTC
Return-Path: <jabley@strandkip.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1F33C14F5E5 for <dnsop@ietfa.amsl.com>; Sat, 20 Jul 2024 17:16:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strandkip.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0Yzr-JWfQLjt for <dnsop@ietfa.amsl.com>; Sat, 20 Jul 2024 17:16:03 -0700 (PDT)
Received: from pv50p00im-ztdg10021201.me.com (pv50p00im-ztdg10021201.me.com [17.58.6.45]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17120C14F68C for <dnsop@ietf.org>; Sat, 20 Jul 2024 17:16:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=strandkip.nl; s=sig1; t=1721520962; bh=HWU8nm8zAoTDSdAOYTqyVl2l0h0adJTeaPGs8NxeEho=; h=Content-Type:From:Mime-Version:Subject:Message-Id:Date:To; b=OGmOLMaUYoBpLzjH3vUSaA9CCHHso/BRbiTrTUh/ETGGpgrQRvLEGGAwkt3nv52Dv SqzQu+/95gXOvrjSb1kuUbIjm+iwdeKqvBZeYunGpbXGZ/3rfpTjVoeFsZr3Uj0qZC vBIHq7SqBpkEI/7NdTFShVy9fHYRYS7RbLZltnBO8rL4xzdEdzyFOSe4XBOweesclJ owZqgstPX/NFwgZOQuX08lrrGNlQu/IMux1vdt26uvlBzukG3y0HK6M/CKmwALZkc7 0noHtp8SdAASuwY3jBGRnBVVYnA1ScwmXleuv9AVMRBTgi6x8DPecVWp8zTqRH+UJQ BfP75/RbfLZvA==
Received: from smtpclient.apple (pv50p00im-dlb-asmtp-mailmevip.me.com [17.56.9.10]) by pv50p00im-ztdg10021201.me.com (Postfix) with ESMTPSA id 59549680128; Sun, 21 Jul 2024 00:16:01 +0000 (UTC)
Content-Type: multipart/alternative; boundary="Apple-Mail-487BBCCF-D749-4E51-93E2-271535812AD0"
Content-Transfer-Encoding: 7bit
From: Joe Abley <jabley@strandkip.nl>
Mime-Version: 1.0 (1.0)
Message-Id: <0198BFEA-EF0B-48D7-BC44-8563DA68CE62@strandkip.nl>
Date: Sat, 20 Jul 2024 17:15:47 -0700
To: yorgos@nlnetlabs.nl
X-Mailer: iPhone Mail (21F90)
X-Proofpoint-GUID: fc5YmxtXT-gnLMN-UF_VIsV9Fq4c6jgd
X-Proofpoint-ORIG-GUID: fc5YmxtXT-gnLMN-UF_VIsV9Fq4c6jgd
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.28.16 definitions=2024-07-20_22,2024-07-18_01,2024-05-17_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 bulkscore=0 mlxscore=0 malwarescore=0 spamscore=0 phishscore=0 suspectscore=0 adultscore=0 mlxlogscore=523 clxscore=1030 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2308100000 definitions=main-2407210000
Message-ID-Hash: OAWXVJKVXFZOSUSICD7EXTKPA7YBP5GD
X-Message-ID-Hash: OAWXVJKVXFZOSUSICD7EXTKPA7YBP5GD
X-MailFrom: jabley@strandkip.nl
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Does DNSSEC need a dry run?
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/6bKd1e2af5A4ufoDWfBsKzHV_kg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>
Hi Yorgos, I've lost the original new version announcement to reply to so apologies for the thread crime, but I have a more fundamental question about this draft. You say: DNSSEC was introduced to provide DNS with data origin authentication and data integrity. This brought quite an amount of complexity and fragility to the DNS which in turn still hinders general adoption. When an operator decides to publish a newly signed zone there is no way to realistically check that DNS resolution will not break for the zone. I think I understand the spirit of what you are saying but I am a little unconvinced about the demand for this kind of testing. Even after you have tested with a dry run mechanism, you need to make material changes to your zone to progress to actually signing in a way that you expect people to validate, and you can only get useful test results from validators that have implemented the test mechanism. So the thing you tested is not actually the same thing as what you deploy, and the test coverage might well ve limited. This doesn't make it feel like a great test. Isn't signing a test zone with exactly the processes, protocols and software that will be used in real life and validating it with real deployed validating resolvers actually a better test? Who is this mechanism for? Joe
- [DNSOP] Does DNSSEC need a dry run? Joe Abley
- [DNSOP] Re: Does DNSSEC need a dry run? Yorgos Thessalonikefs