Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-dnssec-validator-requirements
Shumon Huque <shuque@gmail.com> Thu, 07 May 2020 12:50 UTC
Return-Path: <shuque@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 335073A05E2; Thu, 7 May 2020 05:50:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2nBEKouMli6Y; Thu, 7 May 2020 05:50:34 -0700 (PDT)
Received: from mail-ed1-x529.google.com (mail-ed1-x529.google.com [IPv6:2a00:1450:4864:20::529]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 843573A053F; Thu, 7 May 2020 05:50:34 -0700 (PDT)
Received: by mail-ed1-x529.google.com with SMTP id k22so5262095eds.6; Thu, 07 May 2020 05:50:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CBhiLZVYwKeV/gc6sh07LG24XpNZq+drUK+zGmqND2k=; b=eDInlgI4sAjoW1EM0/U1C4iZYPMX94/oaD7DWDYIUoRhNuJMSGBCvLD+6j2oxpZrdJ QdTpHE8Jdn0vCh2rXIhALo0vM0nVsNa0Lcf7Bi+cOsGVcwj1IPIwtl3aq2E0P1T2+LXz zAI0GEYhUn1WDTE+Wi6TlHXLdIKJAkv74jAwwmLFAKbDxQCcmxRbAvEC9UeSM3QasMDv zlz8HZ38UdrkHpsGUKDIZ/WMnlndJMFgDNLcta7IWbFiQxQQOZrk86vCKJ0EHVRZOMmR /num/xD2SMeAsWC2FUcnNRaaZUck+6AUHIbZIFyKBONk3Rcv5PxxkHl3/2UAaRM4hBe5 76ow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CBhiLZVYwKeV/gc6sh07LG24XpNZq+drUK+zGmqND2k=; b=H3t6Lk6dN4dYQg4AKzQiGWvfiTWqnSfQleijnLQPXopRPOg88t6fjgGmN9Brj5AmaL DP75h96Ud9L1vScaiGrSbNETlumkcdExyF/V0FXkhC3MmyefcLMfh1YtL0tDHMPPQVga kfFJbKEvD+LE+9YuFC146i/zrdFz2gyQw9aHcnEgynFU589PsMcbzw2x5pR77CkkLkfk G0q2eHoUrwhocy3mnyQ8p/d8eaNPk0AnEy+2uJ2n72iKd5W9ysWaLkQejmj6qKyDo4QF HJgVt6IhcAsI+NP1iydvwe2wOpXm7E5g+dEIDwVnnqleLKBDFBLqlFZ/MFrIVc2DrZQ3 vmTg==
X-Gm-Message-State: AGi0PuaIKBDT0RvPZfOar56gvjmOYT/BMkA3gxcMpjN/NtxLIIjwMczK tGMyDRh0oAXuXUTnYpS1E6/gLisSoH9bG0VwWZU=
X-Google-Smtp-Source: APiQypIsbP9zui0U5dv95yygiEy4MINYYE/8jscAvu0gqPjIZJKPbLBPASHoED/wN46AktAbMSFI7wIDJIEfCYU/A0s=
X-Received: by 2002:a05:6402:129a:: with SMTP id w26mr11194354edv.254.1588855832987; Thu, 07 May 2020 05:50:32 -0700 (PDT)
MIME-Version: 1.0
References: <CADyWQ+HTU92FYYFvogsur9jSZ+qj03PWPVNbiWSe4g_zCn=5wg@mail.gmail.com> <20200506084836.GA14813@nic.fr> <CAHPuVdULY19T3KD1u5xng_gSA54fY1wAB4xKV+PimAZyhZnh4g@mail.gmail.com>
In-Reply-To: <CAHPuVdULY19T3KD1u5xng_gSA54fY1wAB4xKV+PimAZyhZnh4g@mail.gmail.com>
From: Shumon Huque <shuque@gmail.com>
Date: Thu, 07 May 2020 08:50:21 -0400
Message-ID: <CAHPuVdVOUPhY7dGzFOypr8qF4TNr41wq1N7nmvpfr9Exrt83gw@mail.gmail.com>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: Tim Wicinski <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>, dnsop-chairs <dnsop-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000864b8f05a50e53e3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7VwXTjlrSuRksg19JN7heRAgtq4>
Subject: Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-dnssec-validator-requirements
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 May 2020 12:50:36 -0000
On Thu, May 7, 2020 at 8:34 AM Shumon Huque <shuque@gmail.com> wrote: > On Wed, May 6, 2020 at 4:49 AM Stephane Bortzmeyer <bortzmeyer@nic.fr> > wrote: > > The draft apparently do not mention advices on expiration slack (such >> as val-sig-skew-min and val-sig-skew-max in Unbound). Is there a >> consensus on (I quote Unbound documentation) "The signature inception >> and expiration dates are allowed to be off by 10% of the signature >> lifetime"? >> > > RFC 6781 Section 4.4.2 (Signature Validity Periods) does mention having > a reasonable signature inception offset, but recommends no value. It does > not mention a signature expiration skew. It would be good to treat this > subject in the document. Personally, I would prefer a fixed value (~ 5 to > 10 minutes) rather than a percentage. Otherwise, the validator may be using > a possibly unacceptably small or large skew values depending on the > validity > interval. > Just to quickly follow-up on my own post (sorry!), I realize this draft is only about validator requirements, but RFC6781 describers signer recommendations. Still, the skew issue has come up for me recently in signer implementations too. One commercial DNSSEC implementation we were using was generating on-the-fly signatures with _no_ inception offset - which means if the validator's clock was off even slightly, and supported no skew, it would fail. It required some vigorous arguing with this vendor to get them to use an inception offset. So, the skew issue ideally needs to be addressed on both sides (and it might be reasonable to mention that in this draft). Shumon.
- [DNSOP] Call for Adoption: draft-mglt-dnsop-dnsse… Tim Wicinski
- Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-d… Stephane Bortzmeyer
- Re: [DNSOP] [EXT] Re: Call for Adoption: draft-mg… Jacques Latour
- Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-d… Daniel Migault
- Re: [DNSOP] [EXT] Re: Call for Adoption: draft-mg… Daniel Migault
- Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-d… Shumon Huque
- Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-d… Shumon Huque
- Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-d… Bob Harold
- Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-d… Brian Dickson
- Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-d… Daniel Migault
- Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-d… Joe Abley
- Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-d… Daniel Migault
- Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-d… Joe Abley
- Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-d… Tim Wicinski
- Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-d… sanjay.mishra
- Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-d… Ralf Weber
- Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-d… Daniel Migault
- Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-d… Daniel Migault
- Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-d… Loganaden Velvindron
- Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-d… Tim Wicinski