[DNSOP] Re: Working Group Last Call for draft-ietf-dnsop-ns-revalidation "Delegation Revalidation by DNS Resolvers"

Vladimír Čunát <vladimir.cunat+ietf@nic.cz> Tue, 18 March 2025 14:36 UTC

To: Philip Homburg <pch-dnsop-6@u-1.phicoh.com>, dnsop@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/A7Qdz48nyQLSPwocRHYaLCRe_3o>

On 18/03/2025 14.23, Philip Homburg wrote:
> Unbound contains a significant amount of processing to try to protect
> unsigned zones.

We also have lots of such code.  And still we're hearing people wanting more and more.  I personally think we have enough at this point already, and for people wanting more there's DNSSEC.  (Not just revalidation, but security research papers quite regularly try to misuse cache poisoning and propose some more patches to the inherently insecure things.)

As noted, these measures we have also help mitigate that privacy risk uncovered by DNSSEC - where successful attacks can be used to redirect DNS traffic and extend that into the whole subtree, basically an off-path attacker making themselves on-path for DNS.