Re: [DNSOP] Asking TLD's to perform checks.
Viktor Dukhovni <ietf-dane@dukhovni.org> Sat, 07 November 2015 19:11 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65C7E1B2E71 for <dnsop@ietfa.amsl.com>; Sat, 7 Nov 2015 11:11:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_62=0.6, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FVk0en-9b_1Q for <dnsop@ietfa.amsl.com>; Sat, 7 Nov 2015 11:11:07 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E514D1B2E68 for <dnsop@ietf.org>; Sat, 7 Nov 2015 11:11:06 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 8CA93284DF5; Sat, 7 Nov 2015 19:11:05 +0000 (UTC)
Date: Sat, 07 Nov 2015 19:11:05 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dnsop@ietf.org
Message-ID: <20151107191105.GA5194@mournblade.imrryr.org>
References: <20151105235402.39FFC3BF2F29@rock.dv.isc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20151105235402.39FFC3BF2F29@rock.dv.isc.org>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/8Hnn4YO1i3KdlzlIpRI3NZvCBj4>
Subject: Re: [DNSOP] Asking TLD's to perform checks.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dnsop@ietf.org
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Nov 2015 19:11:09 -0000
On Fri, Nov 06, 2015 at 10:54:02AM +1100, Mark Andrews wrote: > I keep getting told the IETF can't tell people what to do > but that is *exactly* what we do do when we issue a BCP. > We tell people what best current practice is and ask them > to follow it. > > Today we have TLDs that do perform all sorts of checks on > servers they delegate zones to and some do inform the > operators of those zones that they have errors. Those > checks cover in part tests described in > draft-andrews-dns-no-response-issue. > > So do we adopt this or do we continue to lie to ourselves > about what BCP actually do? If this is about: https://datatracker.ietf.org/doc/draft-andrews-dns-no-response-issue/ then I for one strongly support its adoption. I've been doing DANE SMTP adoption surveys for over a year now, and have run into quite a few nameserver operators with a number of DNSSEC issues. I've found especially the SIDN (.nl) registry very helpful in interfacing with DNS hosting providers to address the reported issues, but have also had some help from .cz, .se and .gov. Today I reached out to norid.no, they'll likely be helpful too. It would be great if I did not have to nag each operator or hosting provider I happened to find, and instead registries would make periodic efforts to validate the correctness of all delegations. Recommending this as a best practice seems quite reasonable. As to what makes a delegation valid, it is not too difficult to construct a sensible list of tests. The dnsviz.net site seems to have no trouble testing for a reasonably comphensive set of warnings and errors. In addition to all the obvious tests of the consistency of delegation records with data at the zone apex, no lame delegations, DS records having matching DNSKEY records, ... Based in part on: https://datatracker.ietf.org/doc/draft-andrews-dns-no-response-issue/ I'd also check for: * Not dropping queries for unexpected RRtypes (which are misguidedly droppped as a "security feature" by some systems). Especially TLSA RRs, which are starting to get used with SMTP. * Correct processing of denial of existence in signed zones: ; Check for valid NXDOMAIN or NODATA (if wildcard applies) ; made-up-label2.made-up-label1.<zone-apex>. IN A ? made-up-label2.made-up-label1.<zone-apex>. IN AAAA ? made-up-label2.made-up-label1.<zone-apex>. IN TLSA ? ; Check for valid NXDOMAIN or NODATA (if wildcard applies) ; if in bailiwick known names exist below the zone apex. ; Names of MX hosts are often a good source of such names. ; made-up-label2.made-up-label1.known-name.<zone-apex>. IN A ? made-up-label2.made-up-label1.known-name.<zone-apex>. IN AAAA ? made-up-label2.made-up-label1.known-name.<zone-apex>. IN TLSA ? For example, papaki.gr returns NSEC RRsets with no RRSIG for multiple domains: @dns1.papaki.gr ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24618 ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1 ;_25._tcp.mail.3814.eu. IN TLSA 3814.eu. SOA dns1.papaki.gr. hostmaster.papaki.gr. 2015101800 10800 3600 1209600 3600 3814.eu. RRSIG SOA 5 2 86400 20160218062849 20151018062849 12273 3814.eu. mail.3814.eu. NSEC webmail.3814.eu. A RRSIG NSEC 3814.eu. NSEC mail.3814.eu. A NS SOA MX RRSIG NSEC DNSKEY I notified them, whether action will be take is not yet clear. -- Viktor.
- Re: [DNSOP] Asking TLD's to perform checks. Jim Reid
- Re: [DNSOP] Asking TLD's to perform checks. Paul Hoffman
- [DNSOP] Asking TLD's to perform checks. Mark Andrews
- Re: [DNSOP] Asking TLD's to perform checks. Ralf Weber
- Re: [DNSOP] Asking TLD's to perform checks. marius
- Re: [DNSOP] Asking TLD's to perform checks. Antoin Verschuren
- Re: [DNSOP] Asking TLD's to perform checks. Mark Andrews
- Re: [DNSOP] Asking TLD's to perform checks. Ralf Weber
- Re: [DNSOP] Asking TLD's to perform checks. Ralf Weber
- Re: [DNSOP] Asking TLD's to perform checks. Antoin Verschuren
- Re: [DNSOP] Asking TLD's to perform checks. Viktor Dukhovni
- Re: [DNSOP] Asking TLD's to perform checks. Mark Andrews
- Re: [DNSOP] Asking TLD's to perform checks. Ralf Weber
- Re: [DNSOP] Asking TLD's to perform checks. Ralf Weber
- Re: [DNSOP] Asking TLD's to perform checks. Daniel Stirnimann
- Re: [DNSOP] Asking TLD's to perform checks. Shane Kerr
- Re: [DNSOP] Asking TLD's to perform checks. Mark Andrews
- Re: [DNSOP] Asking TLD's to perform checks. Viktor Dukhovni
- Re: [DNSOP] Asking TLD's to perform checks. Patrik Fältström
- Re: [DNSOP] Asking TLD's to perform checks. Mark Andrews
- Re: [DNSOP] Asking TLD's to perform checks. Viktor Dukhovni
- Re: [DNSOP] Asking TLD's to perform checks. Patrik Fältström
- Re: [DNSOP] Asking TLD's to perform checks. Dr Eberhard W Lisse
- Re: [DNSOP] [ccnso-techwg] Re: Asking TLD's to pe… Patrik Fältström
- Re: [DNSOP] Asking TLD's to perform checks. Mark Andrews
- Re: [DNSOP] Asking TLD's to perform checks. Viktor Dukhovni
- Re: [DNSOP] Asking TLD's to perform checks. Dr Eberhard W Lisse
- Re: [DNSOP] Asking TLD's to perform checks. Paul Vixie
- Re: [DNSOP] Asking TLD's to perform checks. Patrik Fältström
- Re: [DNSOP] Asking TLD's to perform checks. Havard Eidnes
- Re: [DNSOP] Asking TLD's to perform checks. Patrik Fältström
- Re: [DNSOP] Asking TLD's to perform checks. Tony Finch
- Re: [DNSOP] Asking TLD's to perform checks. Stephane Bortzmeyer
- Re: [DNSOP] Asking TLD's to perform checks. Havard Eidnes
- Re: [DNSOP] Asking TLD's to perform checks. Stephane Bortzmeyer
- Re: [DNSOP] Asking TLD's to perform checks. Mark Andrews
- Re: [DNSOP] Asking TLD's to perform checks. Patrik Fältström
- Re: [DNSOP] Asking TLD's to perform checks. Lawrence Conroy
- Re: [DNSOP] Asking TLD's to perform checks. Viktor Dukhovni
- Re: [DNSOP] Asking TLDs to perform checks. Joe Abley
- Re: [DNSOP] Asking TLD's to perform checks. Frederico A C Neves
- Re: [DNSOP] Asking TLD's to perform checks. Tim Wicinski
- Re: [DNSOP] Asking TLD's to perform checks. Dr Eberhard W Lisse
- Re: [DNSOP] Asking TLD's to perform checks. Jelte Jansen