Return-Path: <jabley@strandkip.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by ietfa.amsl.com (Postfix) with ESMTP id C1F33C14F5E5
	for <dnsop@ietfa.amsl.com>; Sat, 20 Jul 2024 17:16:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level: 
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5
	tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
	DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001,
	MIME_QP_LONG_LINE=0.001, RCVD_IN_MSPIKE_H3=0.001,
	RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001,
	SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01,
	URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001]
	autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key)
	header.d=strandkip.nl
Received: from mail.ietf.org ([50.223.129.194])
	by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 0Yzr-JWfQLjt for <dnsop@ietfa.amsl.com>;
	Sat, 20 Jul 2024 17:16:03 -0700 (PDT)
Received: from pv50p00im-ztdg10021201.me.com (pv50p00im-ztdg10021201.me.com
 [17.58.6.45])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by ietfa.amsl.com (Postfix) with ESMTPS id 17120C14F68C
	for <dnsop@ietf.org>; Sat, 20 Jul 2024 17:16:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=strandkip.nl;
	s=sig1; t=1721520962;
	bh=HWU8nm8zAoTDSdAOYTqyVl2l0h0adJTeaPGs8NxeEho=;
	h=Content-Type:From:Mime-Version:Subject:Message-Id:Date:To;
	b=OGmOLMaUYoBpLzjH3vUSaA9CCHHso/BRbiTrTUh/ETGGpgrQRvLEGGAwkt3nv52Dv
	 SqzQu+/95gXOvrjSb1kuUbIjm+iwdeKqvBZeYunGpbXGZ/3rfpTjVoeFsZr3Uj0qZC
	 vBIHq7SqBpkEI/7NdTFShVy9fHYRYS7RbLZltnBO8rL4xzdEdzyFOSe4XBOweesclJ
	 owZqgstPX/NFwgZOQuX08lrrGNlQu/IMux1vdt26uvlBzukG3y0HK6M/CKmwALZkc7
	 0noHtp8SdAASuwY3jBGRnBVVYnA1ScwmXleuv9AVMRBTgi6x8DPecVWp8zTqRH+UJQ
	 BfP75/RbfLZvA==
Received: from smtpclient.apple (pv50p00im-dlb-asmtp-mailmevip.me.com
 [17.56.9.10])
	by pv50p00im-ztdg10021201.me.com (Postfix) with ESMTPSA id 59549680128;
	Sun, 21 Jul 2024 00:16:01 +0000 (UTC)
Content-Type: multipart/alternative;
 boundary=Apple-Mail-487BBCCF-D749-4E51-93E2-271535812AD0
Content-Transfer-Encoding: 7bit
From: Joe Abley <jabley@strandkip.nl>
Mime-Version: 1.0 (1.0)
Message-Id: <0198BFEA-EF0B-48D7-BC44-8563DA68CE62@strandkip.nl>
Date: Sat, 20 Jul 2024 17:15:47 -0700
To: yorgos@nlnetlabs.nl
X-Mailer: iPhone Mail (21F90)
X-Proofpoint-GUID: fc5YmxtXT-gnLMN-UF_VIsV9Fq4c6jgd
X-Proofpoint-ORIG-GUID: fc5YmxtXT-gnLMN-UF_VIsV9Fq4c6jgd
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.272,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.28.16
 definitions=2024-07-20_22,2024-07-18_01,2024-05-17_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 bulkscore=0
 mlxscore=0 malwarescore=0
 spamscore=0 phishscore=0 suspectscore=0 adultscore=0 mlxlogscore=523
 clxscore=1030 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.19.0-2308100000 definitions=main-2407210000
Message-ID-Hash: OAWXVJKVXFZOSUSICD7EXTKPA7YBP5GD
X-Message-ID-Hash: OAWXVJKVXFZOSUSICD7EXTKPA7YBP5GD
X-MailFrom: jabley@strandkip.nl
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0;
 nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size;
 news-moderation; no-subject; digests; suspicious-header
CC: dnsop <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: =?utf-8?q?=5BDNSOP=5D_Does_DNSSEC_need_a_dry_run=3F?=
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: 
 <https://mailarchive.ietf.org/arch/msg/dnsop/6bKd1e2af5A4ufoDWfBsKzHV_kg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>


--Apple-Mail-487BBCCF-D749-4E51-93E2-271535812AD0
Content-Type: text/plain;
	charset=us-ascii
Content-Transfer-Encoding: quoted-printable

Hi Yorgos,

I've lost the original new version announcement to reply to so apologies for=
 the thread crime, but I have a more fundamental question about this draft.=20=


You say:

DNSSEC was introduced to provide DNS with data origin authentication and dat=
a integrity. This brought quite an amount of complexity and fragility to the=
 DNS which in turn still hinders general adoption. When an operator decides t=
o publish a newly signed zone there is no way to realistically check that DN=
S resolution will not break for the zone.

I think I understand the spirit of what you are saying but I am a little unc=
onvinced about the demand for this kind of testing.

Even after you have tested with a dry run mechanism, you need to make materi=
al changes to your zone to progress to actually signing in a way that you ex=
pect people to validate, and you can only get useful test results from valid=
ators that have implemented the test mechanism. So the thing you tested is n=
ot actually the same thing as what you deploy, and the test coverage might w=
ell ve limited. =20
This doesn't make it feel like a great test.=20

Isn't signing a test zone with exactly the processes, protocols and software=
 that will be used in real life and validating it with real deployed validat=
ing resolvers actually a better test?

Who is this mechanism for?


Joe=

--Apple-Mail-487BBCCF-D749-4E51-93E2-271535812AD0
Content-Type: text/html;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html><head><meta http-equiv=3D"content-type" content=3D"text/html; charset=3D=
utf-8"></head><body dir=3D"auto"><div dir=3D"ltr"><meta http-equiv=3D"conten=
t-type" content=3D"text/html; charset=3Dutf-8"><div dir=3D"ltr"><meta http-e=
quiv=3D"content-type" content=3D"text/html; charset=3Dutf-8"><div dir=3D"ltr=
"><meta http-equiv=3D"content-type" content=3D"text/html; charset=3Dutf-8">H=
i Yorgos,<div dir=3D"ltr"></div></div><div dir=3D"ltr"><br></div><div dir=3D=
"ltr">I've lost the original new version announcement to reply to so apologi=
es for the thread crime, but I have a more fundamental question about this d=
raft.&nbsp;</div><div dir=3D"ltr"><br></div><div dir=3D"ltr">You say:</div><=
div dir=3D"ltr"><br></div><div dir=3D"ltr"><p id=3D"section-1-1" style=3D"bo=
x-sizing: border-box; margin-top: var(--line); margin-bottom: var(--line); m=
argin-right: 0px; margin-left: 3ch; overflow-wrap: break-word; caret-color: r=
gb(33, 37, 41); color: rgb(33, 37, 41); font-family: &quot;Noto Sans Mono&qu=
ot;, SFMono-Regular, Menlo, Monaco, Consolas, &quot;Liberation Mono&quot;, &=
quot;Courier New&quot;, monospace; font-size: 8.646px; -webkit-tap-highlight=
-color: rgba(0, 0, 0, 0); -webkit-text-size-adjust: 100%;">DNSSEC was introd=
uced to provide DNS with data origin authentication and data integrity. This=
 brought quite an amount of complexity and fragility to the DNS which in tur=
n still hinders general adoption. When an operator decides to publish a newl=
y signed zone there is no way to realistically check that DNS resolution wil=
l not break for the zone.</p></div><div dir=3D"ltr"><br></div><div dir=3D"lt=
r">I think I understand the spirit of what you are saying but I am a little u=
nconvinced about the demand for this kind of testing.</div><div dir=3D"ltr">=
<br></div><div dir=3D"ltr">Even after you have tested with a dry run mechani=
sm, you need to make material changes to your zone to progress to actually s=
igning in a way that you expect people to validate, and you can only get use=
ful test results from validators that have implemented the test mechanism. S=
o the thing you tested is not actually the same thing as what you deploy, an=
d the test coverage might well ve limited. &nbsp;</div><div dir=3D"ltr">This=
 doesn't make it feel like a great test.&nbsp;</div><div dir=3D"ltr"><br></d=
iv><div dir=3D"ltr">Isn't signing a test zone with exactly the processes, pr=
otocols and software that will be used in real life and validating it with r=
eal deployed validating resolvers actually a better test?</div><div dir=3D"l=
tr"><br></div><div dir=3D"ltr">Who is this mechanism for?</div><div dir=3D"l=
tr"><br></div><div dir=3D"ltr"><br></div><div dir=3D"ltr">Joe</div></div></d=
iv></body></html>=

--Apple-Mail-487BBCCF-D749-4E51-93E2-271535812AD0--