Re: [DNSOP] Acceptance processing in draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4

Viktor Dukhovni <ietf-dane@dukhovni.org> Sat, 28 April 2018 05:28 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97149126FDC for <dnsop@ietfa.amsl.com>; Fri, 27 Apr 2018 22:28:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xl4j-L8bbCim for <dnsop@ietfa.amsl.com>; Fri, 27 Apr 2018 22:28:19 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [108.5.242.66]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB9471200F1 for <dnsop@ietf.org>; Fri, 27 Apr 2018 22:28:18 -0700 (PDT)
Received: from [192.168.1.161] (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mournblade.imrryr.org (Postfix) with ESMTPSA id 63D757A3309 for <dnsop@ietf.org>; Sat, 28 Apr 2018 05:28:17 +0000 (UTC) (envelope-from ietf-dane@dukhovni.org)
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
Date: Sat, 28 Apr 2018 01:28:16 -0400
References: <72D91139-BD51-43A9-8AEA-177753A29F90@dukhovni.org> <CAAiTEH_iXs33YdWrRmn6_iQYH2ba-WxqbYbp27Q2gpzBL7=q5g@mail.gmail.com> <24D5D313-4F02-4A99-9E64-44B35331608E@dukhovni.org> <CAAiTEH9J_VWkQBF=Ytv0Von+YFG1EhxHDpP5Aj=iuXTDsFU0ZA@mail.gmail.com>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <CAAiTEH9J_VWkQBF=Ytv0Von+YFG1EhxHDpP5Aj=iuXTDsFU0ZA@mail.gmail.com>
Message-Id: <8930E547-6327-45B5-89AB-37282D2C245D@dukhovni.org>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/BA6W3ZKEawuWP6aTAlqw9zeU5SA>
Subject: Re: [DNSOP] Acceptance processing in draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Apr 2018 05:28:20 -0000


> On Apr 27, 2018, at 3:23 PM, Matthew Pounsett <matt@conundrum.com> wrote:
> 
>> If the registry operator is going to automatically upgrade previously insecure delegations to DNSSEC, then due diligence to make sure that this is not going to cause outages is advisable.  Once a domain is signed, TLSA and CAA lookups must succeed, or the domain may no longer receive email from DANE-enabled sending MTAs, or be able to obtain certificates from their CA, ...
>> 
>> So I rather strongly feel that appropriate quality checks should be in place, to protect both the registrant and the registry (dealing with fallout from outages is best avoided).
> 
> Except that those are standard DNSSEC operations best practices, not even limited to CDS use, let alone a REST protocol designed for signalling that CDS should be scanned.  Perhaps others can speak up about the applicability here, but I feel rather strongly that general operations best practices shouldn't be defined in a document limited to one corner case.  That risks the advice case either not being applied elsewhere, because it's not in a general operations document and therefore not seen, or worse contradicting what goes into a general operations document.
> 
> The security checks in this draft are there to help ensure that the parent can trust the update request.  I believe going further than that is out of scope.

So at this point I think we understand each other, and the issue comes down to whether it is appropriate for the registry to automatically turn on DS records for the first time for a domain which is substantively operationally deficient at the time its CDS records are encountered.

I think that garbage-in/garbage-out is not only a disservice to the domain's owner, but more importantly it poisons the ecosystem for everyone else.

If turning on DNSSEC validation in your resolver stops email delivery to a bunch of domains, or breaks all access to the domain's data, whom exactly is the registry helping by enabling DNSSEC for a substantially broken domain.

Think of this as anti-pollution environmental regulation.

-- 
	Viktor.