Re: [DNSOP] New draft on delegation revalidation
Daniel Migault <mglt.ietf@gmail.com> Wed, 29 April 2020 15:57 UTC
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Wed, 29 Apr 2020 11:56:51 -0400
To: Shumon Huque <shuque@gmail.com>
Cc: "Giovane C. M. Moura" <giovane.moura=40sidn.nl@dmarc.ietf.org>, IETF DNSOP WG <DNSOP@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7PpQx64vMkGG2abFp1MjLeGvbSA>

Hi,

I discovered this draft during the interim meeting. We had similar thoughts in our "Recommendations for DNSSEC Resolvers Operators". Our motivation for supporting this work is that it 1) improves the reliability of the resolution as well as 2) removes the temptation to (inadvertently) break resolution by fixing in appearance a misconfiguration. In other words it eases the operation.

Yours,
Daniel

On Tue, Apr 28, 2020 at 9:23 PM Shumon Huque <shuque@gmail.com> wrote:

> On Tue, Apr 28, 2020 at 5:43 AM Giovane C. M. Moura <giovane.moura=40sidn.nl@dmarc.ietf.org> wrote:
>
>> Hi Shumon,
>>
>> > Do you plan to maintain the parent/child disjoint NS
>> > domain (marigliano.xyz) going forward? And what about the test
>> > domains for other types of misconfigurations?
>>
>> Great idea. Let me look into this, will get back to you with that.
>
> Thanks!
>
>> > Did you look at the potential problem of members of the child (or
>> > parent) NS sets emitting different information? I suspect that case
>> > also happens.
>>
>> Yes, section 4 covers this (NSSet parent != NSSet child).
>>
>> We have 4 scenarios, and we always query for the A record of
>> $probeid-$timestamp.marigliano.xyz
>>
>> The trick was to configure different NSes to return different A answers,
>> so we knew which NS answered which query.
>>
>> Is that what you refer to?
>
> I meant servers within the child (or parent) NS set had different NS
> sets configured in them, i.e. yet another level of mismatch. Maybe
> that's not worth investigating, but I'm pretty sure I've come across
> such misconfigurations in the past.
>
>> > Do you have any plans to look at the behavior of the large public
>> > resolvers?
>>
>> That's a good idea, to answer this one, we need to configure the
>> scenarios again. Let me get back to you once I manage to get this setup
>> for other folks to test this too
>
> Cool, thanks!
>
> Shumon.

--
Daniel Migault
Ericsson
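
The attribution trick described in the quoted exchange (each NS returns a distinct A answer, so the answer reveals which side of a parent/child NS mismatch a resolver followed), as an added example that is not part of the original messages. The server names, marker addresses and probe results are constructed; the four scenarios of the actual measurement are not reproduced here.

```python
from collections import Counter

# Constructed setup (assumption): the A answer each NS is configured to return.
# Addresses come from documentation ranges; server names are hypothetical.
MARKER_BY_NS = {
    "ns1.parent-side.example.": "192.0.2.1",
    "ns2.parent-side.example.": "192.0.2.2",
    "ns1.child-side.example.": "198.51.100.1",
    "ns2.child-side.example.": "198.51.100.2",
}
PARENT_NS = {"ns1.parent-side.example.", "ns2.parent-side.example."}
CHILD_NS = {"ns1.child-side.example.", "ns2.child-side.example."}


def norm(name):
    """Lower-case and fully qualify a host name so set comparison is reliable."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def nsset_relation(parent, child):
    """Classify how the parent-side NS set relates to the child-side NS set."""
    p, c = {norm(n) for n in parent}, {norm(n) for n in child}
    if p == c:
        return "equal"
    if not p & c:
        return "disjoint"
    if p < c:
        return "parent-subset-of-child"
    if c < p:
        return "child-subset-of-parent"
    return "overlapping"


def attribute(probe_answers):
    """Tally which NS set produced each (probe id, A answer) observation."""
    ns_by_marker = {ip: norm(ns) for ns, ip in MARKER_BY_NS.items()}
    parent, child = {norm(n) for n in PARENT_NS}, {norm(n) for n in CHILD_NS}
    tally = Counter()
    for _probe, answer in probe_answers:
        ns = ns_by_marker.get(answer)  # None: answer matches no marker
        in_p, in_c = ns in parent, ns in child
        tally["both" if in_p and in_c else "parent-only" if in_p
              else "child-only" if in_c else "unknown"] += 1
    return dict(tally)


# Constructed probe results: (probe id, A record seen via the probe's resolver).
SAMPLE = [("p1", "192.0.2.1"), ("p2", "198.51.100.2"),
          ("p3", "198.51.100.1"), ("p4", "203.0.113.9")]
```

An "unknown" tally flags answers that match no configured marker, which in a real measurement would need separate investigation before being counted for either side.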