IETF Logo Mail Archive

Re: [DNSOP] signalling mandatory DNSSEC in the parent zone

Ulrich Wisser <ulrich@wisser.se> Tue, 02 March 2021 15:55 UTC

Return-Path: <ulrich@wisser.se>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76CE93A29AE for <dnsop@ietfa.amsl.com>; Tue, 2 Mar 2021 07:55:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=wisser.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y71BKxyY9U8G for <dnsop@ietfa.amsl.com>; Tue, 2 Mar 2021 07:55:35 -0800 (PST)
Received: from mout-p-103.mailbox.org (mout-p-103.mailbox.org [IPv6:2001:67c:2050::465:103]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C8DD3A2983 for <DNSOP@ietf.org>; Tue, 2 Mar 2021 07:55:33 -0800 (PST)
Received: from smtp2.mailbox.org (smtp2.mailbox.org [IPv6:2001:67c:2050:105:465:1:2:0]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-103.mailbox.org (Postfix) with ESMTPS id 4DqhYF6tf2zQkQh; Tue, 2 Mar 2021 16:55:29 +0100 (CET)
X-Virus-Scanned: amavisd-new at heinlein-support.de
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wisser.se; s=MBO0001; t=1614700527; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=0SqSGD2FruPVbgz+NbiDP6+cNdxfCdDDlqiCT9rLETA=; b=iOyM8pO0wuBZyu7AgstxJGNhwtZl8GlpMlgoLehWFWQfPFManhS7qE6bsIOYhKCHXOmwhR 0eQHjaNocMsyKQOFznInJwZw5J6gCIhIM6tk1JklDOdijYroRr8VexcuMAc16VzwX2LE7l qtyEWfSY8Zi+hXu3IObkoLvXV6W6//cN+T+BqJZE11JqgJNzh3aoDO0oDETYi1SGElRrzq B2StkPJIhI/fOqeF2wduyvufoDFeiL85Ge0UrVkD5ZZ6zqehlxFWRtS3YTj8yL1FbGvufr tpq4ef0d3s6+M37dxMftGFOEW34iiuNsHdsy8Z0DyiutNOwBUuaMTJc46HL6cg==
Received: from smtp2.mailbox.org ([80.241.60.241]) by spamfilter05.heinlein-hosting.de (spamfilter05.heinlein-hosting.de [80.241.56.123]) (amavisd-new, port 10030) with ESMTP id utb7TFp7lM7f; Tue, 2 Mar 2021 16:55:26 +0100 (CET)
From: Ulrich Wisser <ulrich@wisser.se>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0
Date: Tue, 02 Mar 2021 16:55:23 +0100
References: <9A903D5A-7F39-4C29-AA66-973E4EC8BB6D@wisser.se> <A2E7F47E-6FB7-4F64-BC68-1E5723FE1D33@hopcount.ca>
To: Joe Abley <jabley@hopcount.ca>, dnsop <DNSOP@ietf.org>
In-Reply-To: <A2E7F47E-6FB7-4F64-BC68-1E5723FE1D33@hopcount.ca>
Message-Id: <A7B00CDB-59E3-4371-8D27-306BD9DB13D9@wisser.se>
X-MBO-SPAM-Probability: **
X-Rspamd-Score: 2.05 / 15.00 / 15.00
X-Rspamd-Queue-Id: 4BDE117E2
X-Rspamd-UID: 8dad06
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Cln6_XQEhILJKgSqHdNwZXKKwVs>
Subject: Re: [DNSOP] signalling mandatory DNSSEC in the parent zone
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2021 15:55:42 -0000


> On 2 Mar 2021, at 14:32, Joe Abley <jabley@hopcount.ca> wrote:
> 
> On Mar 2, 2021, at 08:16, Ulrich Wisser <ulrich=40wisser.se@dmarc.ietf.org> wrote:
> 
>>> It leads to bogus in a server that *only* support algorithm 8 because THERE IS NOT AN RRSIG OF WITH ALGORITHM 8 
>> 
>> I understand that RRSIGs are missing, but what does “bogus in a server” mean? 
> 
> I think Mark's point that a validator that only supports algorithm 8 will consider the response bogus.
> 

Yes, of course. But as long as the validator supports both algorithms and uses lax-validation, it should work.
It is at least something, not a perfect solution, but it solves some of the use cases.



> 
> Joe

v2.23.0 | Report a Bug | By Email