[DNSOP] Re: [Ext] Dnsdir last call review of draft-ietf-dnsop-rfc7958bis-03
Petr Špaček <pspacek@isc.org> Thu, 01 August 2024 13:37 UTC
Return-Path: <pspacek@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A276CC1D4A9B; Thu, 1 Aug 2024 06:37:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="o9qU7glm"; dkim=pass (1024-bit key) header.d=isc.org header.b="W7x7NkGE"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mp5fkBiQLgkR; Thu, 1 Aug 2024 06:37:18 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.2.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BDE5FC1D4A92; Thu, 1 Aug 2024 06:37:17 -0700 (PDT)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.2.31]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 2F3DF3AB284; Thu, 01 Aug 2024 13:37:17 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org 2F3DF3AB284
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.2.31
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1722519437; cv=none; b=O4vcmQ+RN8hmvceqlc0HMrZVAfwvrGYzsoVrXwh8XwO03bd5rsbi/CTzTuEHgj1IZ10wFjx7Uq+RIrf7HZMVA/+HZgQ5v4oyp5xBfdCjnq35uL6o3Hgw/PDi6qCqXdAnkl2rCGpKmKtq7wRLWMCjyWl5TZ8Q0j6wlaDLiKmWOQg=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1722519437; c=relaxed/relaxed; bh=4H2qk7bagYPzoRBXhqpD/KiGSwbj+S9NiZ2UNr1+mtA=; h=DKIM-Signature:DKIM-Signature:Message-ID:Date:MIME-Version: Subject:To:From; b=a9UjLiPrk2h73DMdRCy/yG8d+/PUm9xp+oN6/WiKqpzmMVYMvmy5MzI8dfa6Ma14f+DMf1TVqi4Xz7HbXcW26cEUGpyCc3KqtjWKhTiexj7M4KKSW45k1X1CGIm5/OWYW6cvsCRIOuyN0HPZMpl4H3Aj0oFYZry0zklSVKyU3Nk=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org 2F3DF3AB284
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1722519437; bh=5pL0wsMyyhXQIyMNiJQLpry3DL4yB0dg4uls/E/tXCc=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=o9qU7glmALDRVnpsGK4AgT9U2bT25PzjwHhdOlolxR/Ta1p2h3LEYvAOFIQyteiNP /tmx7S3ilTthNd4/CwzKS7p956/lCX19GHXL1CH5VV7ffdXa6fgdtmuaRVmYfqVPbf 4oov9kweVR3opxE/bXBQtsp+3houpqL3iLV47Fzw=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id 296F5B00001; Thu, 1 Aug 2024 13:37:17 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 01063B00185; Thu, 1 Aug 2024 13:37:17 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 01063B00185
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1722519437; bh=4H2qk7bagYPzoRBXhqpD/KiGSwbj+S9NiZ2UNr1+mtA=; h=Message-ID:Date:MIME-Version:To:From; b=W7x7NkGEYWOAmFIH5+1NossFX9ps8CYfTXuV++7OFp/Ihngdj9msMwZWH+MI7pvm9 SQf4p4bba2hzvuAkUJ00uMuMb3SINZrXY/Re83z0U1O4vMoX7HonP7rdPVeVcqy6q2 wQkibxAwy/fyNNPh6DJmCyFVjwgNQm7D21bEMcJE=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavis, port 10026) with ESMTP id G5Eu6RfJI4_n; Thu, 1 Aug 2024 13:37:16 +0000 (UTC)
Received: from [192.168.0.131] (94-143-239-125.chrudim.cz [94.143.239.125]) by zimbrang.isc.org (Postfix) with ESMTPSA id E057FB00001; Thu, 1 Aug 2024 13:37:15 +0000 (UTC)
Message-ID: <a8c98c83-9af9-4c0b-baef-199e57abf96b@isc.org>
Date: Thu, 01 Aug 2024 15:37:00 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Paul Hoffman <paul.hoffman@icann.org>
References: <172242543510.2137530.14005988379230936314@dt-datatracker-659f84ff76-9wqgv> <C5054E75-79B2-4BDF-BA77-60CEB6479AC2@icann.org>
From: Petr Špaček <pspacek@isc.org>
Content-Language: en-US
Autocrypt: addr=pspacek@isc.org; keydata= xsFNBF/OJ/4BEAC0jP/EShRZtcI9KmzVK4IoD/GEDtcaNEEQzPt05G8xtC0P4uteXUwW8jaB CdcKIKR4eUJw3wdXXScLNlyh0i+gm5mIvKPrBYNAMOGGnkbAmMQOt9Q+TyGeTSSGiAjfvd/N nYg7L/KjVbG0sp6pAWVORMpR0oChHflzKSjvJITCGdpwagxSffU2HeWrLN7ePES6gPbtZ8HY KHUqjWZQsXLkMFw4yj8ZXuGarLwdBMB7V/9YHVkatJPjTsP8ZE723rV18iLiMvBqh4XtReEP 0vGQgiHnLnKs+reDiFy0cSOG0lpUWVGI50znu/gBuZRtTAE0LfMa0oAYaq997Y4k+na6JvHK hhaZMy82cD4YUa/xNnUPMXJjkJOBV4ghz/58GiT32lj4rdccjQO4zlvtjltjp9MTOFbRNI+I FCf9bykANotR+2BzttYKuCcred+Q7+wSDp9FQDdpUOiGnzT8oQukOuqiEh3J8hinHPGhtovH V22D0cU6T/u9mzvYoULhExPvXZglCLEuM0dACtjVsoyDkFVnTTupaPVuORgoW7nyNl0wDrII ILBqUBwzCdhQpYnyARSjx0gWSG1AQBKkk5SHQBqi1RAYC38M59SkpH0IKj+SaZbUJnuqshXh UIbY1GMHbW/GDhz7pNQFFYm2S4OPUBcmh/0O0Osma151/HjF7wARAQABzR9QZXRyIMWgcGHE jWVrIDxwc3BhY2VrQGlzYy5vcmc+wsGXBBMBCABBAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4B AheAAhkBFiEEEVO2++xeDVoSYmDzq9WHzfBlga4FAmWT+REFCQelsxMACgkQq9WHzfBlga7y 2Q//Ug58UI9mlnD/guf9mHqpJIMrBs/vX8HlzylsDcZUBTp2TJpzNh/CygPWrHY+IvA9I9+t Ygp0sB+Z9OtVZgW3bpWJ0iWe6N89Q0kwOuhJ75LsfR1V73L5C826M6bLQjYTj6HiwS9Nf+N0 jADhEV/p1KtCuZfwBkYJ4ZM+Na0zWerGPkGw9T9O0gfs0ePehzJ5V0OK0nCqMuC1h8o/rhCb vRCmxdAbNjrOrgKa7HN5DadP/tKstJMM09aXlT5q96fRIyCQyqXQoCrijCWvgAxgjABdh1TB /XsYvBC8+4wy5ZBtTcnxXGrMhrSxU2/vIK6RjDju7OIRClMNepEzvt0gNzxwwxIXVOzl5ioC i/Okovk1rZneFFxbVvaMyIJgY/hShJV7Ei+5S9UZUv6UUmRQ6zukeiSVZrtXs6fWLVlUnBDl Cv/fXi25hrymqNfPSBSB0tyc6YepR1Rq9omTni6DYmEHQuhPMHJ2fuiNNyBaH+9EI7go5e0J LvXVLJGXkMdTcmYHja1pDjmQ1K71gewfPWGFmn0JTa92GuZJaR/4MVePvoV0NTpCP0HiKIg5 0+AOdpvkJReFKTQOX08SwkUkgvy9h9WjBMpD5ymMs4gjJwXtcT1+aVtj9Xcw6tQde9Yyjxde a6UZ3TUfys8qZ8ZKmMKTaCUFukKzWDJMZ91V1b/OwU0EX84n/gEQANARNXihDNc1fLNFZK5s O14Yg2TouK9eo9gGh4yLSrmZ3pjtnuJSpTWmGD4g0EYzhwWA/T+CqjUnrhsvzLQ1ECYVqLpM VqK2OJ9PhLRbx1ITd4SKO/0xvXFkUqDTIF6a5mUCXH5DzTQGSmJwcjoRv3ye+Z1lDzOKJ+Qr gDHM2WLGlSZAVGcUeD1S2Mp/FroNOjGzrFXsUhOBNMo8PSC4ap0ZgYeVBq5aiMaQex0r+uM4 45S1z5N2nkNRYlUARkfKirqQxJ4mtj5XPC/jtdaUiMzvnwcMmLAwPlDNYiU0kO5IqJFBdzmJ yjzomVk1zK9AYS/woeIxETs+s6o7qXtMGGIoMWr6pirpHk4Wgp4TS02BSTSmNzParrFxLpEU dFKq3M0IsBCVGvfNgWL2pKKQVq34fwuBhJFQAigR9B3O9mfaeejrqt73Crp0ng0+Q74+Llzj EIJLOHYTMISTJyxYzhMCQlgPkKoj+TSVkRzBZoYFkUt4OXvlFj73wkeqeF8Z1YWoOCIjwXH9 0u2lPEq0cRHHyK+KSeH1zQJ4xgj0QDGPmkvi81D13sRaaNu3uSfXEDrdYYc+TSZd2bVh2VCr xrcfzQ1uz9fsdC9NPdNd7/mHvcAaNc5e9IhNh67L54aMBkzlJi18d0sWXOOHkyLSvbHnC/OP wv7qCf69PUJmtoeHABEBAAHCwXwEGAEIACYCGwwWIQQRU7b77F4NWhJiYPOr1YfN8GWBrgUC ZZP5UgUJB6WzVAAKCRCr1YfN8GWBrgxpD/949Tz7EtrE9e2yJ4np+y7uW8EDusVM3QsBdkYk yaQTupITew8WWQtNF/QK/MKRi+e/382t78nBq+T7G9PrRi7E4WS9dXdgJiFz25h3mC4TABJZ b6MLcEreLWTaqnR/D6F3AnNXh7GJFY4E6PAwC60W0R9G6R0E+2XeZX011NEGiBMvgZnqzzjU L9h8Gz7a/EsQync4cvLbruPt/UaOV0khKTefsOFj3q3wLY6qN2qw7HfgFRBCh6ME2XRvnwAd iv0pF4HRbXoFalkAsNEYkWQ6mkJjdYCHOWm3TWqXhalgGKqIOrQyMpH2mJpZllKBQiBiQMUz qz0cO9OqBk3xvNLplI3VNcC0WeQ8LEqyYKth2T78hVaIw8K0IcVmZQwXVxL03gojaJ5bK2O+ 2FfqKMcIiU+bqaTXntx+FYRQKblsUBYD77uU9sPVyKWIiHvukLTx7GY1ttn6gZDSIek/tTR7 oaei+xLh5JUgZpMZ4JHnirDWHbrJzYN95e8HWA/+qAOTsa+igZGsc6yA1oJIAnCwkclcLAgc x3GVVeEL+/b9CugZ+1OfbxlRK7gAeu0kyKiEXrUvCQPnPByIIfj4I4IvZO4552cmmnbn31f9 X/9nw+M4qAqOK7bRg65ucv71TayUehNJrfJSYx6P1tXIwzu19tIgtdWTcsszNWALfaUFtg==
In-Reply-To: <C5054E75-79B2-4BDF-BA77-60CEB6479AC2@icann.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: LBO4JFSKEBI2NOLCTEJCCGM2PBVQBHTW
X-Message-ID-Hash: LBO4JFSKEBI2NOLCTEJCCGM2PBVQBHTW
X-MailFrom: pspacek@isc.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "dnsdir@ietf.org" <dnsdir@ietf.org>, "dnsop@ietf.org WG" <dnsop@ietf.org>, "draft-ietf-dnsop-rfc7958bis.all@ietf.org" <draft-ietf-dnsop-rfc7958bis.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: [Ext] Dnsdir last call review of draft-ietf-dnsop-rfc7958bis-03
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/B36sAt16StvgikyvTGviCPQTN20>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>
>>> snip <<< I removed the parts where we understood each other. On 01. 08. 24 2:28, Paul Hoffman wrote: >>> 2.4. Converting from XML to DNSKEY Records >>> The published trust anchor does not provide values for DNSKEY protocol or >>> flags. For the purpose of this mechanism, clients can assume valid trust >>> anchors will be have the ZONE and SEP flag bits set to 1. >> I think it is extremely bad idea to ignore fields, especially Flags. There are >> various proposals for new DNSKEY flag usage in the DD WG. >> >> Even if we say that DD WG will go down in flames before it produces anything I >> think it's_extremely_ bad idea to omit pieces of information and assume that >> client can reliably fill in missing pieces with constants. I would say that the >> missing DNSKEY fields really really must be represented explicitly. (E.g. I >> don't want to go down the rabbit hole of all REVOKE flag corner cases.) > I don't understand how the quoted text suggests that users of the zone file ignore fields or flags. Can you suggest text to fix your concern? Specifically: > clients can assume valid trust anchors will be have the ZONE and SEP flag bits set to 1. This text ignores all non-{ZONE,SEP} flags. Readers have no instruction about the _other_ flags, and in a hypothetical future, TA can conceivably have one or more of these extra flags set. E.g. a new flag for DELEG downgrade resistance which is under discussion in the DD WG. Will we need update the format again? (I think that would be wrong.) I think absence of explicit Flags field is unnecessary shortcut which will just bite us down the road (or force document & software update). My proposal is to do one of: a) get rid of PublicKey element completely (see below) b) include explicit XML element with Flags - and when we are at it we can add Protocol element as well for completeness. >> On high level I also find confusing that the new element is optional - that >> makes it unreliable for consumers because there are no rules for when it might >> or might not be present. > It is optional because some signing mechanisms don't automatically generate DNSKEY values. For example, the current trust anchor file only has the DS of KSK-2024 because IANA needs to make a software change to get the DNSKEY (which it will do in a few months). Other HSMs might be similar. A DS has always been sufficient; a DNSKEY would be an upgrade, but is not necessary. A trust anchor with nonexistent DNSKEY representation is not usable in DNSSEC because nobody can validate signatures made with it, is that correct? If so, why such keys need to be represented in this format? An alternative angle: Why is the new PublicKey element even needed? There's no guarantee it will be ever present which makes it unusable - no software can _rely_ on it's presence. I.e. it does not seem useful while it introduces new nasty corner cases. Or yet another wording of the same problem: Under what conditions software reading file in this format _needs_ the PublicKey element and cannot do with the mandatory fields? I find > It can be useful when IANA has a trust anchor that has not yet been published in the DNS root. too vague to justify that we need the _optional_ PublicKey element which might or might not be present, with and all the trouble it adds. >> Also there are no rules for what to do when reconstructed DS and DNSKEY don't >> match - which can totally happen given the half-representation we have in the >> current version. > Fully agree; we will add words to say in such a case the specific key should not be trusted. > >> Is there implementation experience with the new format? What was the >> implementer feedback? > We have heard informally that some implementers have added the new features with no problems, but they obviously can't test it until there is a new trust anchor file from IANA, and that's waiting on the standard to be published. Surely it can be tested with mock keys. Is there some feedback about PublicKey field usage? Under what conditions it is needed? aka "RFC 1925 Truth (12)". >> TL;DR there are issues which can be addressed with smallish amendments. > Thanks! Please see above for requests for additional wording in places where I don't understand the concern. The other bits will be added after the IETF Last Call is finished. I've tried to clarify above. Does that help to understand the trouble with PublicKey element as proposed? -- Petr Špaček Internet Systems Consortium
- [DNSOP] Dnsdir last call review of draft-ietf-dns… Petr Špaček via Datatracker
- [DNSOP] Re: [Ext] Dnsdir last call review of draf… Paul Hoffman
- [DNSOP] Re: [Ext] Dnsdir last call review of draf… Joe Abley
- [DNSOP] Re: [Ext] Dnsdir last call review of draf… Petr Špaček
- [DNSOP] Re: [Ext] Dnsdir last call review of draf… Paul Hoffman
- [DNSOP] Re: [Ext] Dnsdir last call review of draf… Paul Hoffman
- [DNSOP] Re: [Ext] Dnsdir last call review of draf… Joe Abley
- [DNSOP] Re: [Ext] Dnsdir last call review of draf… Petr Špaček
- [DNSOP] Re: [Ext] Dnsdir last call review of draf… Paul Hoffman
- [DNSOP] Re: [Ext] Dnsdir last call review of draf… Petr Špaček