IETF Logo Mail Archive

[DNSOP] Re: WG Last Call: draft-ietf-dnsop-ns-revalidation-11 (Ends 2025-11-16)

Petr Špaček <pspacek@isc.org> Thu, 13 November 2025 13:51 UTC

Return-Path: <pspacek@isc.org>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 4BD3A88BCF35; Thu, 13 Nov 2025 05:51:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.399
X-Spam-Level:
X-Spam-Status: No, score=-4.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="n+zfVESn"; dkim=pass (1024-bit key) header.d=isc.org header.b="a2W+5x5j"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tSup0M5xeq1P; Thu, 13 Nov 2025 05:51:31 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.2.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 5226988BCF28; Thu, 13 Nov 2025 05:51:31 -0800 (PST)
Received: from zimbra10.isc.org (zimbra10.isc.org [149.20.2.90]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 6A8DE4E40D8; Thu, 13 Nov 2025 13:51:30 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org 6A8DE4E40D8
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.2.90
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1763041890; cv=none; b=i3EhU2cAA88ahMQGKvKePM6v741/mqjioUnv/MOooGEnLiFB5hL8BrsloikSxdiVQCe5emgLN8kjssT2sCJO+RK/O3JRmynfP7+fOTIdCCwJMqtRuzB3aCTI3s5F6Yb0xwyN57j4TO67RsiFGb651eckoJhXGFGXikwqy29eCQc=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1763041890; c=relaxed/relaxed; bh=gj4cuE9ckGzbMYLrzVb0qpe0Y/nU8qloLzciT8cLcGA=; h=DKIM-Signature:DKIM-Signature:Message-ID:Date:MIME-Version: Subject:To:From; b=Npw5N3S1A9wvy4gDzOTKv2RgN2ZV18UJ0bFur+XN5FNZGTUEnhOaJQtaLQBWJfQ2CIUjdh+a8PXnQCDUyF9Bnc3NhMSYXIZq8pwiXPKIWYc9mHbRRQD5U8AlmSYStHShpHGzmAtHjzD7RDY16gx83muul3nwQ2gi9qudCQZ/xco=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org 6A8DE4E40D8
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1763041890; bh=nYqe5j2TTi2PTERm7KvETGVIz34iH6Q4frt0BQ8mMbw=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=n+zfVESnaTPvgb0qFkrN3oHiDuJXZ3q2Pqq6ubfmwfGr08m8QCJnScefIm86mOOT/ +hqTaj8yJ2zoQbdUqVQVwrTrk9cZy3sLdzTBdW8OUevpOQrawe9hfI1N328Nwc9Vbq /jFtc9EV4InzuMq59pDOxEC/G9N4s5eZqfdwMhAU=
Received: from zimbra10.isc.org (localhost [127.0.0.1]) by zimbra10.isc.org (Postfix) with ESMTPS id 651BE2E60235; Thu, 13 Nov 2025 13:51:30 +0000 (UTC)
Received: from zimbra10.isc.org (localhost [127.0.0.1]) by zimbra10.isc.org (Postfix) with ESMTPS id 6069B2E6024E; Thu, 13 Nov 2025 13:51:30 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbra10.isc.org 6069B2E6024E
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1763041890; bh=gj4cuE9ckGzbMYLrzVb0qpe0Y/nU8qloLzciT8cLcGA=; h=Message-ID:Date:MIME-Version:To:From; b=a2W+5x5jkZLnmBklTmrnu33DNwnBVed0kf4RUYqSjVs5Ak4sE2tBxnNXRzbXinl8z b052/GTUX/6BrvpELxU1siAXguLbYBQiFjdsXoIEWkgdCWi1pzAUkObQzyz6PZ7Trv CDOcnBrzDrtOfN4Jm4XMUoCvke2aGZWta+VF1HyA=
Received: from [192.168.35.197] (ip-86-49-241-95.bb.vodafone.cz [86.49.241.95]) by zimbra10.isc.org (Postfix) with ESMTPSA id 572D02E60235; Thu, 13 Nov 2025 13:51:29 +0000 (UTC)
Message-ID: <7b646699-bf46-4d6a-904e-2b3e3c693b8d@isc.org>
Date: Thu, 13 Nov 2025 14:51:26 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Paul Wouters <paul=40nohats.ca@dmarc.ietf.org>, Benno Overeinder <benno@NLnetLabs.nl>
References: <176214625995.297524.7638543153263762044@dt-datatracker-5df8666cb-7l4w5> <a262edd4-e811-a1fc-f7b5-b505b2b1193c@nohats.ca>
From: Petr Špaček <pspacek@isc.org>
Content-Language: en-US
Autocrypt: addr=pspacek@isc.org; keydata= xsFNBF/OJ/4BEAC0jP/EShRZtcI9KmzVK4IoD/GEDtcaNEEQzPt05G8xtC0P4uteXUwW8jaB CdcKIKR4eUJw3wdXXScLNlyh0i+gm5mIvKPrBYNAMOGGnkbAmMQOt9Q+TyGeTSSGiAjfvd/N nYg7L/KjVbG0sp6pAWVORMpR0oChHflzKSjvJITCGdpwagxSffU2HeWrLN7ePES6gPbtZ8HY KHUqjWZQsXLkMFw4yj8ZXuGarLwdBMB7V/9YHVkatJPjTsP8ZE723rV18iLiMvBqh4XtReEP 0vGQgiHnLnKs+reDiFy0cSOG0lpUWVGI50znu/gBuZRtTAE0LfMa0oAYaq997Y4k+na6JvHK hhaZMy82cD4YUa/xNnUPMXJjkJOBV4ghz/58GiT32lj4rdccjQO4zlvtjltjp9MTOFbRNI+I FCf9bykANotR+2BzttYKuCcred+Q7+wSDp9FQDdpUOiGnzT8oQukOuqiEh3J8hinHPGhtovH V22D0cU6T/u9mzvYoULhExPvXZglCLEuM0dACtjVsoyDkFVnTTupaPVuORgoW7nyNl0wDrII ILBqUBwzCdhQpYnyARSjx0gWSG1AQBKkk5SHQBqi1RAYC38M59SkpH0IKj+SaZbUJnuqshXh UIbY1GMHbW/GDhz7pNQFFYm2S4OPUBcmh/0O0Osma151/HjF7wARAQABzR9QZXRyIMWgcGHE jWVrIDxwc3BhY2VrQGlzYy5vcmc+wsGXBBMBCABBAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4B AheAAhkBFiEEEVO2++xeDVoSYmDzq9WHzfBlga4FAmd7vqsFCQmG4S0ACgkQq9WHzfBlga5H dA//SNIJAXyYxpoIrQwtTSOded93J+CIYHd2ArxCsS+ZXzeaSkHcqp2QfneLY2yyiQwjeivu MfqEBIASNZ94T+4OjhEHAFaAUJQtYMY7qmH69Q5h1PQMk/HZX4QNEDB6dihjz4wunB2mRcac GnRziAQUAnlHSSZDU2EtTddmRYTCaeX9rU8O5ja0+qPBJket7PjS0yT8DQJF+aKRsQz17ywT 3rNR7NBgeKrkBud4/zE7VRoxSRCPkWkgixEog+AotZt22psgQTv+kWx89+7cTiFZaLMmtV6v Ws8QTpDRDM3hCJBCI6qk61k8SLuQ+5VuVWBM/ozoN1ON2J9anxVTrxhNsFM3RLHV/Qh9p/0y T4our7JxB6dsos3HtlRR2npXS1PMrrXt7ZnnfYao+9zbOrZHC7NRY3feaLhieLx1pKmdDRHT CAbqaGnqX22hYYemtYFzSAv7stCdqdncAEkZJy4HByjQwFVGn8A6rp7H1xV2LmlkNAMEoWrT GJ+wH8A+VA3qbZF9Ab8Ht2GRj3mQQ4h8NnRYjKyqecCQOI5Xmn4S61nQ9y+wOBUSTlAQ6a5n LmMpCVe2/D4pWFxpUxc1z8Hq+uEN95sPgbihiSdgBR50DRdqW57ulFHA9LKJ0AEnBtQfvVth qAkvG8iBYl+UpoX1xW+dbX2g6nI5Rbx8u+EojKXOwU0EX84n/gEQANARNXihDNc1fLNFZK5s O14Yg2TouK9eo9gGh4yLSrmZ3pjtnuJSpTWmGD4g0EYzhwWA/T+CqjUnrhsvzLQ1ECYVqLpM VqK2OJ9PhLRbx1ITd4SKO/0xvXFkUqDTIF6a5mUCXH5DzTQGSmJwcjoRv3ye+Z1lDzOKJ+Qr gDHM2WLGlSZAVGcUeD1S2Mp/FroNOjGzrFXsUhOBNMo8PSC4ap0ZgYeVBq5aiMaQex0r+uM4 45S1z5N2nkNRYlUARkfKirqQxJ4mtj5XPC/jtdaUiMzvnwcMmLAwPlDNYiU0kO5IqJFBdzmJ yjzomVk1zK9AYS/woeIxETs+s6o7qXtMGGIoMWr6pirpHk4Wgp4TS02BSTSmNzParrFxLpEU dFKq3M0IsBCVGvfNgWL2pKKQVq34fwuBhJFQAigR9B3O9mfaeejrqt73Crp0ng0+Q74+Llzj EIJLOHYTMISTJyxYzhMCQlgPkKoj+TSVkRzBZoYFkUt4OXvlFj73wkeqeF8Z1YWoOCIjwXH9 0u2lPEq0cRHHyK+KSeH1zQJ4xgj0QDGPmkvi81D13sRaaNu3uSfXEDrdYYc+TSZd2bVh2VCr xrcfzQ1uz9fsdC9NPdNd7/mHvcAaNc5e9IhNh67L54aMBkzlJi18d0sWXOOHkyLSvbHnC/OP wv7qCf69PUJmtoeHABEBAAHCwXwEGAEIACYCGwwWIQQRU7b77F4NWhJiYPOr1YfN8GWBrgUC Z3u+zwUJCYbhUQAKCRCr1YfN8GWBrmljD/45mvtqiWzATkikxkJjTlxfhJBGUFXUoPXqvo8l 8zACTTnn6/K7v1TcFmtSHtLqQiTGwwq1vGQSjEG+UFzdXohex9MTv+7JHr+fcQfxFtxYeVGn k9fSkRkIdtpUzuCnBC27VYbq5S+nk4+ophmjm7rFVWd4tz+XTFZkuHTRImWxbaF9EZ/fuWmm XaICw+lzGan9BteM1ZSLIjzSPd7LoG55SuoVtAV91J5oLPo6KDOzgPEffalm2LJo7+ZaAeW6 diQUXxQpvAAROR/l1D1DIIQ0OJOqv0QRFyHt/zBbKgWmGaTQqF5aNab4ukVAt0LMsCkCjA11 HhcUnUwrixHR4V8G3UlHTQsWReiXfPerv/BewTsPHSzIfmufNlrBDfS/uIYdwquZfhOSsK9Z DUJFkaHudJC6tRVQ5LBVFqjgtZDllpAj1cOG7WmlTwHblj/r2+LMpOVHApByNkehEOA2c4Bn tcQ/8qSeorJCyd1/5A5+bUFIfIAJbRz4Ja21JgH107oCMX3hsGEzMnuwplYTf9NP4Dq0FQhK vkXzdnDhhXef8nUqF7l32hj9x1BCLFZ4FFe6iuKD7Q9p83Ca1HDdxauIrsrXTsEr1bjg2o/A JXI4A3sUunmiIf/tu+3riXUhA10P1IG11yEQ4y9ogE6knvOraRBwZ8gvFT7J2YLXJrF5mQ==
In-Reply-To: <a262edd4-e811-a1fc-f7b5-b505b2b1193c@nohats.ca>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: 2LQUF3LCZKNE6S3T3MGIW42PRUZOQT4C
X-Message-ID-Hash: 2LQUF3LCZKNE6S3T3MGIW42PRUZOQT4C
X-MailFrom: pspacek@isc.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop-chairs@ietf.org, dnsop <dnsop@ietf.org>, draft-ietf-dnsop-ns-revalidation@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: WG Last Call: draft-ietf-dnsop-ns-revalidation-11 (Ends 2025-11-16)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/CemAgas9e4vOBMj9VgjHzcY5sJ0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

On 06. 11. 25 21:27, Paul Wouters wrote:
> On Sun, 2 Nov 2025, Benno Overeinder via Datatracker wrote:
> 
>> Subject: WG Last Call: draft-ietf-dnsop-ns-revalidation-11 (Ends 
>> 2025-11-16)
> 
>> Please review and indicate your support or objection to proceed with the
> 
> I support this document. I checked and for Fedora, RHEL and CentOS, this
> feature was enabled 15 years ago:
> 
> paul@thinkpad:~/fedora/unbound $ git blame unbound.conf |grep harden- 
> referral-path
> 24585b98 (Paul Wouters 2009-01-14 14:57:11 +0000  525) harden-referral- 
> path: yes
> 
> I have not heard about any problems with it during this time.

My TL;DR summary: Not ready for Standards Track.


Argument 'this is on for 15 years now' does is not factually correct, 
and this was already debunked on the mailing list:
https://mailarchive.ietf.org/arch/msg/dnsop/NXBpvJhru3VjDSJXKr7WslXQLpA/

The primary reason it did not cause issues is that implementation in 
Unbound (at the time of testing) was so permissive that none of the 
promised security features actually stopped attacks.


For version -11, is it meant as Standards Track?

What's implementation status?

Did anyone implement and test all the recommendations form the draft _at 
once_?

If not, which parts were implemented and with what results?


ISC has implemented (partially) NS name revalidation (with DNSSEC 
validation turned on) into development version of BIND 9.21 and so far 
it is endless source of problems.

Development version of BIND 9.21 is able to resolve _less_ domains than 
BIND 9.20 can resolve. Contributing factor is that re-validating all the 
NS names massively increases number of queries required for any 
resolution to happen, and with all the recent anti-DoS CVE fixes in 
place many domains are hitting resolution limits.

You can read more about issues we encountered with BIND 9.21 here:
https://lists.isc.org/pipermail/bind-users/2025-November/110261.html


With that experience in mind, I suggest to modify Abstract and replace
s/should/can/. The current Abstract starts with 'describes an optional 
algorithm' and then goes on with 'should' do this and that.


Given the *already known* problems, I think this should be Informational 
at best. If Standards track is what authors want, then I think it really 
needs more implementation and operational experience.

Given the dependence on NS set quality in the child zone, perhaps 
operational considerations in the style of draft-opsarea-rfc5706bis-03 
might be good idea as well. Right now the draft handwaves the problem 
with "yeah there might be problem", but it does not say what exactly 
happens when there _is_ a problem, how implementations are supposed to 
detect it and recover from it.




Nitpicks - I've noticed couple typos:

 > seeveral

 > credibility.. An

-- 
Petr Špaček

v2.46.0 | Report a Bug | By Email | System Status