IETF Logo Mail Archive

Re: [DNSOP] Working Group Last Call for: Message Digest for DNS Zones

Wes Hardaker <wjhns1@hardakers.net> Wed, 15 January 2020 00:50 UTC

Return-Path: <wjhns1@hardakers.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F25E120058 for <dnsop@ietfa.amsl.com>; Tue, 14 Jan 2020 16:50:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CaDsEus6goEG for <dnsop@ietfa.amsl.com>; Tue, 14 Jan 2020 16:50:14 -0800 (PST)
Received: from mail.hardakers.net (mail.hardakers.net [168.150.192.181]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC6F2120046 for <dnsop@ietf.org>; Tue, 14 Jan 2020 16:50:13 -0800 (PST)
Received: from localhost (unknown [10.0.0.3]) by mail.hardakers.net (Postfix) with ESMTPA id 7420E22E8B; Tue, 14 Jan 2020 16:50:13 -0800 (PST)
From: Wes Hardaker <wjhns1@hardakers.net>
To: Michael StJohns <msj@nthpermutation.com>
Cc: John R Levine <johnl@taugh.com>, dnsop@ietf.org
References: <20200107023630.628251208AAF@ary.qy> <ce52989c-f6cc-f4e5-0c49-d528d366e350@nthpermutation.com> <alpine.OSX.2.21.99999.374.2001081359350.85317@ary.qy> <923cb7d7-be70-37e9-ca8b-248e95db9aa1@nthpermutation.com>
Date: Tue, 14 Jan 2020 16:50:13 -0800
In-Reply-To: <923cb7d7-be70-37e9-ca8b-248e95db9aa1@nthpermutation.com> (Michael StJohns's message of "Wed, 8 Jan 2020 14:56:21 -0500")
Message-ID: <yblk15tfsqi.fsf@w7.hardakers.net>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/BsdPpfzmXDN6jWMWJcDJ8CGti-c>
Subject: Re: [DNSOP] Working Group Last Call for: Message Digest for DNS Zones
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jan 2020 00:50:16 -0000

<none of my hats; disclaimer: co-author>

Recognizing that this thread has mostly wound down without agreement,
I'll at least add a data point.  I agree that different applications may
behave differently depending on their specific situation and needs.  I
do agree with Mike that automation is needed in the software, but what
to do is not up to the standard but rather the implementation.

I hope to make use of ZONEMD within localroot, which falls into the
scenario you outline:

Michael StJohns <msj@nthpermutation.com> writes:

> Then let me try a "real world" example and give you a few different choices:
> 
> I'm running a private copy of the root zone for my organization. I
> (automated) check the SOA every so often, and arrange for a download
> of the zone when it changes.    I (automated) get a copy of the zone
> data, including an ZONEMD RR, everything validates DNSSEC wise, but
> the ZONEMD RR is invalid (hashes don't match). I do:
> 
> a) Discard the download, keep retrying until I get a valid ZONEMD RR,
> ignoring any changes in the DNSSEC validated data
> 
> b) Install what I've been able to validate DNSSEC wise, and delete
> anything not DNSSEC validated.  E.g. basically ignore the ZONEMD RR
> and install any validated changes.  Log the error. Schedule a download
> for next SOA change.
> 
> c) Yell for a human to make a decision.
> 
> d) (b) plus turn off ZONEMD RR processing in the future
> 
> e) anecdotal author's choice.

This situation would certainly be annoying, and it would tell me that
there is likely either a problem with the ZONEMD record (as you state)
or the glue records because of some tom-foolery (of any nature).

So, if my localroot/7706 resolver checks the data and finds all the
DNSSEC correct but not the ZONEMD, then I'll probably discard the
result, try again, and if that fails: yell/log, and wait for the next
SOA because that should be safe for the root zone.

I could imagine, however, a different implementation of 7706 doing an
entirely different thing: using the new root zone and it's data when
trying to contact sub-zones, but falling back to the old zone when none
of the "new" glue were working (aka, DoSed by changes).  I could also
see someone else make the opposite change.  I could see some
implementations deciding to stop service (it sure makes users notice
faster).

These are all engineering and deployment decisions, not protocol decisions.
BCPs come later.

-- 
Wes Hardaker
USC/ISI

v2.23.0 | Report a Bug | By Email