IETF Logo Mail Archive

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

Vladimír Čunát <vladimir.cunat+ietf@nic.cz> Wed, 21 December 2022 11:34 UTC

Return-Path: <vladimir.cunat+ietf@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A59DFC14CF04 for <dnsop@ietfa.amsl.com>; Wed, 21 Dec 2022 03:34:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cDlQQcQJGO_o for <dnsop@ietfa.amsl.com>; Wed, 21 Dec 2022 03:34:52 -0800 (PST)
Received: from mail.nic.cz (mail.nic.cz [217.31.204.67]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B79EEC14E514 for <dnsop@ietf.org>; Wed, 21 Dec 2022 03:34:52 -0800 (PST)
Received: from [IPV6:2001:1488:fffe:6:8957:ea2f:8801:8159] (unknown [IPv6:2001:1488:fffe:6:8957:ea2f:8801:8159]) by mail.nic.cz (Postfix) with ESMTPSA id CF3D71C17E3; Wed, 21 Dec 2022 12:34:49 +0100 (CET)
Authentication-Results: mail.nic.cz; auth=pass smtp.auth=vladimir.cunat@nic.cz smtp.mailfrom=vladimir.cunat+ietf@nic.cz
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1671622489; bh=jSc2FRleAN3eqrDeTWiAXU/+w7usGnKj+wG76gRTp+k=; h=Date:Subject:To:References:From:In-Reply-To:From:Reply-To:Subject: To:Cc; b=ihNsAlxMc16MZNxy+YX0/KXhUxE2gGOrEA/UclC9Lx2jFAx9Vfv0HoD6xLb6grMzM qph+bgc97Y8hCaUFmA1XZnul4QB3656KEt+tSmS8NST1DxrCYF6PZJg6kSFLlfi3rK 6k7sZfag2o4wEAVoSgIKYvOYX9PWnMzX1mgX1a14=
Content-Type: multipart/alternative; boundary="------------Bz9zKldww0YCqKJok2mXjZm8"
Message-ID: <2f1ef8b5-0376-462d-933a-7f90b8374033@nic.cz>
Date: Wed, 21 Dec 2022 12:34:49 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.5.1
Content-Language: cs, en-US
To: Daniel Migault <mglt.ietf@gmail.com>, dnsop@ietf.org
References: <CADyWQ+FwRaSdpSWXBDqCG9ZPNPiG4pGUx37PVtExbqVPr5ZfmA@mail.gmail.com> <65d26b98-e0d6-e69b-10d4-17632451cab6@nic.cz> <CADZyTk=wUydEv4X8KgHe3Mj0cZTmiaR3mjn_Z2n73U-eST-HPA@mail.gmail.com> <f397b7d4-fe4f-6000-5ce5-f2faa7b27b3e@nic.cz> <CADZyTkkdn__VhRRqwKDbNx3ymTR0KJmxoTN9aKMcox-JS=pW_A@mail.gmail.com> <26cd83b9-1bd0-2925-07f7-6a5c2248d479@nic.cz> <CADZyTk=nDgOgabbB8aMvdo-XiTQehgVmZ77k6KB7ZKMcgmRCSA@mail.gmail.com>
From: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
In-Reply-To: <CADZyTk=nDgOgabbB8aMvdo-XiTQehgVmZ77k6KB7ZKMcgmRCSA@mail.gmail.com>
X-Virus-Scanned: clamav-milter 0.103.7 at mail
X-Virus-Status: Clean
X-Rspamd-Action: no action
X-Rspamd-Pre-Result: action=no action; module=multimap; Matched map: WHITELISTED_IP
X-Rspamd-Server: mail
X-Rspamd-Queue-Id: CF3D71C17E3
X-Spamd-Bar: /
X-Spamd-Result: default: False [0.90 / 20.00]; R_MIXED_CHARSET(1.00)[subject]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; FROM_EQ_ENVFROM(0.00)[]; ASN(0.00)[asn:25192, ipnet:2001:1488::/32, country:CZ]; MIME_TRACE(0.00)[0:+,1:+,2:~]; TAGGED_FROM(0.00)[ietf]; TAGGED_RCPT(0.00)[]; FREEMAIL_ENVRCPT(0.00)[gmail.com]; FREEMAIL_TO(0.00)[gmail.com,ietf.org]; WHITELISTED_IP(0.00)[2001:1488:fffe:6:8957:ea2f:8801:8159]; FROM_HAS_DN(0.00)[]; ARC_NA(0.00)[]
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/9Z-oPA8RBHHnsCNmKrZlGu346jg>
Subject: Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Dec 2022 11:34:57 -0000

On 15/12/2022 23.36, Daniel Migault wrote:
>
>     I don't see the part about extended errors as problematic (RFC
>     8914).  It really seems to be getting into (open-source)
>     implementations and it can help with debugging in some cases,
>     though deploying it is probably not very important either.
>
> So I think what you're suggesting is that  8914 will be implemented, 
> without even the choice being left to the operator. If that the case, 
> would you like the text instead of SHOULD say something like MAY if 
> not supported by default by the implementation ?

For Knot Resolver we implemented EDE in responses and so far there's 
been no motivation to offer opt-out.  (It's just a few bytes, and 
unknown EDNS should be ignored.)

I don't have strong feelings about the text; "SHOULD implement RFC 8914" 
sounds OK.  It's certainly nice to implement at least some basic 
distinction, e.g. signalling that SERVFAIL comes from a DNSSEC error.  
Further details could help with debugging various issues.


>>     Oh! sure for the TA. My understanding of the text is that it
>>     recommends 5011 for running instances, but that new instances are
>>     configured with up-to-date TA that in most cases are updated by
>>     software update. So yes I agree and will check this appears clearly.
>
>     I don't think 5011 is worth doing at all.  Maybe in some
>     exceptional use cases.  Well, I haven't heard much about
>     deployment experience with non-root TAs, so perhaps I just don't
>     know those well.
>
> I need to take the time to reconsider that. I am a bit overloaded but 
> expect to come back to this point more specifically. I got your point 
> in any case and the scenario we have  is a zone that does not want to 
> rely on the parent zones in case something goes wrong in these parent 
> zones. The other aspect is also that we did ot want to give the 
> impression DNSSEC only works with the root KSK as a TA. But as ai 
> mentioned I will come back with that.

OK.  In my opinion you depend on parent's health a lot anyway 
(unavoidably), though yes - DNSSEC can be the most fragile part.

--Vladimir

v2.23.0 | Report a Bug | By Email