IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-revalidation-03.txt

Paul Vixie <paul@redbarn.org> Tue, 13 September 2022 14:36 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06718C14CF1E for <dnsop@ietfa.amsl.com>; Tue, 13 Sep 2022 07:36:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.11
X-Spam-Level:
X-Spam-Status: No, score=-2.11 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redbarn.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id znclnGEBGcF1 for <dnsop@ietfa.amsl.com>; Tue, 13 Sep 2022 07:36:09 -0700 (PDT)
Received: from util.redbarn.org (util.redbarn.org [IPv6:2001:559:8000:cd::222]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 637D8C157B51 for <dnsop@ietf.org>; Tue, 13 Sep 2022 07:36:09 -0700 (PDT)
Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by util.redbarn.org (Postfix) with ESMTPS id 573A0167CDA; Tue, 13 Sep 2022 14:36:07 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=redbarn.org; s=util; t=1663079767; bh=Tnpc66BmQaTEhyDDeoSRZ6ZQ7yG+NhNToMJ/uz2Kg0E=; h=Date:From:To:Subject:References:In-Reply-To; b=TRhnMJADPGpch3g1IgUWVAucNI8x2PKStupzMWGCS3LncUfK4hh117HYhlrlm+3Mg CeMq61QE5ZKVoxHl/JzbaQWRnmmTKjqLlhHtY2b0nU6//vXJLCtrZlOwPDSGdFH7q2 PxK8oRCoCNlND813886GGj2+2FExgElOxbiEkrQE=
Received: from localhost (localhost [IPv6:::1]) by family.redbarn.org (Postfix) with ESMTP id 35F21C40B7; Tue, 13 Sep 2022 14:36:07 +0000 (UTC)
Mime-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"
Date: Tue, 13 Sep 2022 14:36:07 +0000
Message-Id: <CMVCKPS3DCYU.LB4M9FVM1B9Q@family.redbarn.org>
From: Paul Vixie <paul@redbarn.org>
To: Petr Špaček <pspacek@isc.org>, dnsop@ietf.org
X-Mailer: aerc 0.12.0
References: <166251411453.51793.7893145834491865444@ietfa.amsl.com> <a8b7e07e-c11e-f8a7-7552-f61edc83adda@isc.org>
In-Reply-To: <a8b7e07e-c11e-f8a7-7552-f61edc83adda@isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/DaU7lEStlBdozKTbeilNhBs0IEU>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-revalidation-03.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Sep 2022 14:36:13 -0000

On Tue Sep 13, 2022 at 11:17 AM UTC, Petr Špaček wrote:
> On 07. 09. 22 3:28, internet-drafts@ietf.org wrote:
> > https://datatracker.ietf.org/doc/draft-ietf-dnsop-ns-revalidation/
>
> I wonder about this Datatracker line:
>
> 	Intended RFC status 		(None)
>
> What do authors plan, or WG leans to?

it was originally part of resimprove which at the time was intended to be
non-modifying for the protocol. the important part NOW is that this behaviour
should not be undercut by subsequent protocol changes. for any implementation
it would be treated as an optional feature, and for any operator is should
be something they can turn on or off according to their local policy.

> Speaking with my BIND hat on, I would prefer Informational.
>
> Protocol in this draft is pretty complex, and so far the sky did not 
> fall despite resolvers not implementing it.

i think the sky cannot fall in the way you imply, and that it has in fact
fallen regularly in the eyes of the security community. i am aware of at
least one "public dns" system with a semi-unpublished API allowing cache
invalidation, because by default DNS caching works too well. it is very
much necessary that the system as a whole offer standardized signalling
for system-wide "rm -rf $zone", because private API's and pairwise trust
relationships have not scaled and their existence puts pressure against
independent (non-"public") recursive dns implementation and operation.

> Based on this observation I think it should not be mandatory, and also 
> that parent-centric DNS resolver implementations should not be 
> "outlawed" by this (to-be) RFC.

i don't object to either non-mandatory or non-conflict. however, as i wrote
above, i'd like this document to cement the system level capability of this
feature. for example if i find a zone authority server who will not give a
delegation response when queried at a delegation point because its
implementor or operator believes that NS RRs are not necessary for correct
system operation, i don't want to have to work around it by asking for a
random subdomain name under the delegation point. rather, i want to be able
to report it to the dns-violations github site.

hopefully this overlaps with your world view.

vixie

v2.23.0 | Report a Bug | By Email