Re: [DNSOP] New draft on delegation revalidation

Daniel Migault <mglt.ietf@gmail.com> Wed, 29 April 2020 15:57 UTC

From: Daniel Migault <mglt.ietf@gmail.com>
Date: Wed, 29 Apr 2020 11:56:51 -0400
Message-ID: <CADZyTkm2t9-bL478dtMShkQQKW-Y1_H8nh0xmAwQHOZEnREcnQ@mail.gmail.com>
To: Shumon Huque <shuque@gmail.com>
Cc: "Giovane C. M. Moura" <giovane.moura=40sidn.nl@dmarc.ietf.org>, IETF DNSOP WG <DNSOP@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7PpQx64vMkGG2abFp1MjLeGvbSA>

Hi,

I discovered this draft during the interim meeting. We had similar thoughts
in our "Recommendations for DNSSEC Resolvers Operators". Our motivations for
supporting this work are that it 1) improves the reliability of the
resolution, and 2) removes the temptation to (inadvertently) break
resolution by fixing, in appearance, a misconfiguration. In other words, it
eases the operation.

Yours,
Daniel

On Tue, Apr 28, 2020 at 9:23 PM Shumon Huque <shuque@gmail.com> wrote:

> On Tue, Apr 28, 2020 at 5:43 AM Giovane C. M. Moura <giovane.moura=
> 40sidn.nl@dmarc.ietf.org> wrote:
>
>> Hi Shumon,
>>
>> >  Do you plan to maintain the parent/child disjoint NS
>> > domain (marigliano.xyz <http://marigliano.xyz>) going forward? And what
>> > about the test
>> > domains for other types of misconfigurations?
>>
>> Great idea. Let me look into this, will get back to you with that.
>>
>
> Thanks!
>
>
>> > Did you look at the potential problem of members of the child (or
>> > parent) NS sets emitting different information? I suspect that case
>> > also happens.
>>
>> Yes, section 4 covers this (NSSet parent != NSSet child).
>>
>> We have 4 scenarios, and we always query for the A record of
>> $probeid-$timestamp.marigliano.xyz
>>
>> The trick was to configure different NSes to return different A answers,
>> so we knew which NS answered which query.
>>
>> Is that what you refer to?
>>
>
> I meant servers within the child (or parent) NS set had different NS
> sets configured in them, i.e. yet another level of mismatch. Maybe
> that's not worth investigating, but I'm pretty sure I've come across
> such misconfigurations in the past.
>
>> > Do you have any plans to look at the behavior of the large public
>> > resolvers?
>>
>> That's a good idea. To answer this one, we need to configure the
>> scenarios again. Let me get back to you once I manage to get this set up
>> for other folks to test this too.
>>
>
> Cool, thanks!
>
> Shumon.
>


-- 
Daniel Migault
Ericsson
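The parent/child NS-set comparison discussed in the thread above (the draft's "NSSet parent != NSSet child" case, plus Shumon's point about servers within the child set disagreeing among themselves), as an added Python example that is not part of the thread, the draft or the marigliano.xyz measurement setup. Zone and server names are constructed placeholders, and the NS RRsets are embedded inline rather than fetched with DNS queries, so it runs offline.

```python
from typing import Dict, Set

def normalize(names) -> Set[str]:
    """Compare owner names case-insensitively and without the trailing dot."""
    return {n.lower().rstrip(".") for n in names}

def classify_delegation(parent_ns, child_views: Dict[str, Set[str]]) -> dict:
    """Compare the parent-side NS RRset with the NS RRset(s) the child serves.

    parent_ns:   NS names the parent zone publishes in its delegation.
    child_views: child nameserver name -> NS RRset that server answered with,
                 so servers that disagree among themselves stay visible.
    """
    parent = normalize(parent_ns)
    views = {srv: normalize(ns) for srv, ns in child_views.items()}
    distinct = {frozenset(v) for v in views.values()}
    child = set().union(*views.values())          # everything the child side claims
    if child == parent:
        kind = "consistent"                        # delegation matches the apex NS set
    elif not (child & parent):
        kind = "disjoint"                          # no server in common at all
    else:
        kind = "partial"                           # some servers added or removed
    return {
        "kind": kind,
        # Child servers returning different NS sets: yet another level of mismatch.
        "intra_child_mismatch": len(distinct) > 1,
        "only_in_parent": sorted(parent - child),  # delegation names servers the child dropped
        "only_in_child": sorted(child - parent),   # child uses servers the parent never delegated
    }

# Constructed sample data (not real measurements): the parent delegation for a
# placeholder child zone, and what each child-side server answers for its NS set.
PARENT_NS = {"ns1.example.net.", "ns2.example.net."}
SCENARIOS = {
    "consistent": {"ns1.example.net": {"NS1.example.net.", "ns2.example.net."},
                   "ns2.example.net": {"ns1.example.net.", "ns2.example.net."}},
    "disjoint":   {"ns-a.example.org": {"ns-a.example.org.", "ns-b.example.org."},
                   "ns-b.example.org": {"ns-a.example.org.", "ns-b.example.org."}},
    "partial":    {"ns1.example.net": {"ns1.example.net.", "ns2.example.net."},
                   "ns2.example.net": {"ns1.example.net.", "ns3.example.net."}},
}

def run_scenarios() -> Dict[str, dict]:
    """Classify every constructed scenario against the same parent delegation."""
    return {name: classify_delegation(PARENT_NS, views) for name, views in SCENARIOS.items()}

if __name__ == "__main__":
    for name, report in run_scenarios().items():
        print(f"{name:10s} -> {report}")
```

A revalidating resolver would treat "disjoint" and "partial" as signals to re-fetch the delegation from the parent rather than trusting cached child data, and "intra_child_mismatch" as a misconfiguration worth reporting to the zone operator.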