Re: [DNSOP] Acceptance processing in draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4

Viktor Dukhovni <> Sat, 28 April 2018 05:28 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 97149126FDC for <>; Fri, 27 Apr 2018 22:28:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Xl4j-L8bbCim for <>; Fri, 27 Apr 2018 22:28:19 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id BB9471200F1 for <>; Fri, 27 Apr 2018 22:28:18 -0700 (PDT)
Received: from [] ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 63D757A3309 for <>; Sat, 28 Apr 2018 05:28:17 +0000 (UTC) (envelope-from
From: Viktor Dukhovni <>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
Date: Sat, 28 Apr 2018 01:28:16 -0400
References: <> <> <> <>
To: dnsop <>
In-Reply-To: <>
Message-Id: <>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <>
Subject: Re: [DNSOP] Acceptance processing in draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 28 Apr 2018 05:28:20 -0000

> On Apr 27, 2018, at 3:23 PM, Matthew Pounsett <> wrote:
>> If the registry operator is going to automatically upgrade previously insecure delegations to DNSSEC, then due diligence to make sure that this is not going to cause outages is advisable.  Once a domain is signed, TLSA and CAA lookups must succeed, or the domain may no longer receive email from DANE-enabled sending MTAs, or be able to obtain certificates from their CA, ...
>> So I rather strongly feel that appropriate quality checks should be in place, to protect both the registrant and the registry (dealing with fallout from outages is best avoided).
> Except that those are standard DNSSEC operations best practices, not even limited to CDS use, let alone a REST protocol designed for signalling that CDS should be scanned.  Perhaps others can speak up about the applicability here, but I feel rather strongly that general operations best practices shouldn't be defined in a document limited to one corner case.  That risks the advice case either not being applied elsewhere, because it's not in a general operations document and therefore not seen, or worse contradicting what goes into a general operations document.
> The security checks in this draft are there to help ensure that the parent can trust the update request.  I believe going further than that is out of scope.

So at this point I think we understand each other, and the issue comes down to whether it is appropriate for the registry to automatically turn on DS records for the first time for a domain which is substantively operationally deficient at the time its CDS records are encountered.

I think that garbage-in/garbage-out is not only a disservice to the domain's owner, but more importantly it poisons the ecosystem for everyone else.

If turning on DNSSEC validation in your resolver stops email delivery to a bunch of domains, or breaks all access to the domain's data, whom exactly is the registry helping by enabling DNSSEC for a substantially broken domain.

Think of this as anti-pollution environmental regulation.