Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-dnssec-validator-requirements

Shumon Huque <> Thu, 07 May 2020 12:50 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 335073A05E2; Thu, 7 May 2020 05:50:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 2nBEKouMli6Y; Thu, 7 May 2020 05:50:34 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::529]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 843573A053F; Thu, 7 May 2020 05:50:34 -0700 (PDT)
Received: by with SMTP id k22so5262095eds.6; Thu, 07 May 2020 05:50:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CBhiLZVYwKeV/gc6sh07LG24XpNZq+drUK+zGmqND2k=; b=eDInlgI4sAjoW1EM0/U1C4iZYPMX94/oaD7DWDYIUoRhNuJMSGBCvLD+6j2oxpZrdJ QdTpHE8Jdn0vCh2rXIhALo0vM0nVsNa0Lcf7Bi+cOsGVcwj1IPIwtl3aq2E0P1T2+LXz zAI0GEYhUn1WDTE+Wi6TlHXLdIKJAkv74jAwwmLFAKbDxQCcmxRbAvEC9UeSM3QasMDv zlz8HZ38UdrkHpsGUKDIZ/WMnlndJMFgDNLcta7IWbFiQxQQOZrk86vCKJ0EHVRZOMmR /num/xD2SMeAsWC2FUcnNRaaZUck+6AUHIbZIFyKBONk3Rcv5PxxkHl3/2UAaRM4hBe5 76ow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CBhiLZVYwKeV/gc6sh07LG24XpNZq+drUK+zGmqND2k=; b=H3t6Lk6dN4dYQg4AKzQiGWvfiTWqnSfQleijnLQPXopRPOg88t6fjgGmN9Brj5AmaL DP75h96Ud9L1vScaiGrSbNETlumkcdExyF/V0FXkhC3MmyefcLMfh1YtL0tDHMPPQVga kfFJbKEvD+LE+9YuFC146i/zrdFz2gyQw9aHcnEgynFU589PsMcbzw2x5pR77CkkLkfk G0q2eHoUrwhocy3mnyQ8p/d8eaNPk0AnEy+2uJ2n72iKd5W9ysWaLkQejmj6qKyDo4QF HJgVt6IhcAsI+NP1iydvwe2wOpXm7E5g+dEIDwVnnqleLKBDFBLqlFZ/MFrIVc2DrZQ3 vmTg==
X-Gm-Message-State: AGi0PuaIKBDT0RvPZfOar56gvjmOYT/BMkA3gxcMpjN/NtxLIIjwMczK tGMyDRh0oAXuXUTnYpS1E6/gLisSoH9bG0VwWZU=
X-Google-Smtp-Source: APiQypIsbP9zui0U5dv95yygiEy4MINYYE/8jscAvu0gqPjIZJKPbLBPASHoED/wN46AktAbMSFI7wIDJIEfCYU/A0s=
X-Received: by 2002:a05:6402:129a:: with SMTP id w26mr11194354edv.254.1588855832987; Thu, 07 May 2020 05:50:32 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <>
In-Reply-To: <>
From: Shumon Huque <>
Date: Thu, 07 May 2020 08:50:21 -0400
Message-ID: <>
To: Stephane Bortzmeyer <>
Cc: Tim Wicinski <>, dnsop <>, dnsop-chairs <>
Content-Type: multipart/alternative; boundary="000000000000864b8f05a50e53e3"
Archived-At: <>
Subject: Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-dnssec-validator-requirements
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 07 May 2020 12:50:36 -0000

On Thu, May 7, 2020 at 8:34 AM Shumon Huque <> wrote:

> On Wed, May 6, 2020 at 4:49 AM Stephane Bortzmeyer <>
> wrote:
> The draft apparently do not mention advices on expiration slack (such
>> as val-sig-skew-min and val-sig-skew-max in Unbound). Is there a
>> consensus on (I quote Unbound documentation) "The signature inception
>> and expiration dates are allowed to be off by 10% of the signature
>> lifetime"?
> RFC 6781 Section 4.4.2 (Signature Validity Periods) does mention having
> a reasonable signature inception offset, but recommends no value. It does
> not mention a signature expiration skew. It would be good to treat this
> subject in the document. Personally, I would prefer a fixed value (~ 5 to
> 10 minutes) rather than a percentage. Otherwise, the validator may be using
> a possibly unacceptably small or large skew values depending on the
> validity
> interval.

Just to quickly follow-up on my own post (sorry!), I realize this draft is
about  validator requirements, but RFC6781 describers signer

Still, the skew issue has come up for me recently in signer implementations
too. One commercial DNSSEC implementation we were using was generating
on-the-fly signatures with _no_ inception offset - which means if the
clock was off even slightly, and supported no skew, it would fail. It
some vigorous arguing with this vendor to get them to use an inception
So, the skew issue ideally needs to be addressed on both sides (and it might
be reasonable to mention that in this draft).