[DNSOP] Re: Fwd: New Version Notification for draft-ietf-dnsop-ns-revalidation-07.txt

"Giovane C. M. Moura" <giovane.moura@sidn.nl> Mon, 08 July 2024 10:55 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/8gJC75AWizppC7Lb29sYr8vSdJU>

Hi Willem,


We've got a peer-reviewed reference [0] that can help back up some of
the claims in the draft.



```
2.  Motivation

    There is wide variability in the behavior of deployed DNS resolvers
    today with respect to how they process delegation records.  Some of
    them prefer the parent NS set, some prefer the child, and for others,
    what they preferentially cache depends on the dynamic state of
    queries and responses they have processed.

```

Section 4 in [0] covers a bunch of such cases with RIPE Atlas, and we
see just that, and section 5 evaluates some resolver software
individually. In short: it backs up what you say.

```
    The delegation NS RRset at the bottom of the parent zone and the apex
    NS RRset in the child zone are unsynchronized in the DNS protocol.
    Section 4.2.2 of [RFC1034] says "The administrators of both zones
    should insure that the NS and glue RRs which mark both sides of the
    cut are consistent and remain so.
```

We found 13M domains having parent/child NSSet inconsistency, from
.com, .org, and .net, which amounts to 8% of the total.


thanks,

/giovane
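
The parent/child NS set comparison discussed in this message, as an added example that is not part of the original e-mail, the draft, or the referenced study. The record lines are constructed sample data, and the function names and category labels (`consistent`, `disjoint`, `child-superset`, `parent-superset`, `partial-overlap`) are assumptions chosen for illustration.

```python
# Added example: compare the delegation NS RRset (parent side) with the
# apex NS RRset (child side). All records below are constructed samples.

def ns_set(records, owner):
    """NS targets for `owner` from 'name ttl IN NS target' lines."""
    owner = owner.lower().rstrip(".")
    targets = set()
    for line in records.strip().splitlines():
        fields = line.split(";", 1)[0].split()      # strip ';' comments
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue
        if fields[3].upper() != "NS":               # glue A/AAAA is ignored
            continue
        if fields[0].lower().rstrip(".") == owner:
            # DNS names compare case-insensitively; drop the root dot
            targets.add(fields[4].lower().rstrip("."))
    return targets

def classify(parent, child):
    """Label the relation between parent and child NS sets (labels assumed)."""
    if not parent or not child:
        return "missing"
    if parent == child:
        return "consistent"
    if parent.isdisjoint(child):
        return "disjoint"
    if parent < child:
        return "child-superset"
    if child < parent:
        return "parent-superset"
    return "partial-overlap"

def audit(parent_records, child_zones):
    """Map domain -> (label, names only at parent, names only at child)."""
    report = {}
    for domain, child_records in child_zones.items():
        p, c = ns_set(parent_records, domain), ns_set(child_records, domain)
        report[domain] = (classify(p, c), sorted(p - c), sorted(c - p))
    return report

PARENT_ZONE = """
a.example. 172800 IN NS ns1.a.example.
a.example. 172800 IN NS NS2.a.example.
b.example. 172800 IN NS ns1.b.example.
b.example. 172800 IN NS ns2.b.example.
c.example. 172800 IN NS ns1.old-host.example.
ns1.a.example. 172800 IN A 192.0.2.1 ; glue
"""
CHILD_ZONES = {
    "a.example": "a.example. 3600 IN NS ns1.a.example.\na.example. 3600 IN NS ns2.a.example.",
    "b.example": "b.example. 3600 IN NS ns1.b.example.\nb.example. 3600 IN NS ns3.b.example.",
    "c.example": "c.example. 3600 IN NS ns1.new-host.example.",
}
```

The names that appear only on the parent side are the ones worth reviewing first, since resolvers that prefer the parent NS set will keep sending queries to them.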