Re: [DNSOP] Paul Wouters' Yes on draft-ietf-dnsop-caching-resolution-failures-07: (with COMMENT)

"Wessels, Duane" <dwessels@verisign.com> Wed, 20 September 2023 23:47 UTC

From: "Wessels, Duane" <dwessels@verisign.com>
To: Paul Wouters <paul@nohats.ca>
CC: Paul Wouters <paul.wouters@aiven.io>, The IESG <iesg@ietf.org>, "draft-ietf-dnsop-caching-resolution-failures@ietf.org" <draft-ietf-dnsop-caching-resolution-failures@ietf.org>, "dnsop-chairs@ietf.org" <dnsop-chairs@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, "andrew@depht.com" <andrew@depht.com>
Thread-Topic: [EXTERNAL] [DNSOP] Paul Wouters' Yes on draft-ietf-dnsop-caching-resolution-failures-07: (with COMMENT)
Thread-Index: AQHZ7BzCSShoRbyoeEWaZcxijJG/6w==
Date: Wed, 20 Sep 2023 23:47:05 +0000
Message-ID: <D3F7DE18-02C1-401B-9F60-309524D7819B@verisign.com>
References: <169405896629.52551.4213112915591331764@ietfa.amsl.com> <F26581D3-C14E-4676-8CDB-93E1F4F54DEE@verisign.com> <63d92dd7-c4ca-d2a6-5dbd-87679bb5e093@nohats.ca>
In-Reply-To: <63d92dd7-c4ca-d2a6-5dbd-87679bb5e093@nohats.ca>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/EViwN3s3Uy70uLMPIFgYnzQpJTs>
Subject: Re: [DNSOP] Paul Wouters' Yes on draft-ietf-dnsop-caching-resolution-failures-07: (with COMMENT)

> On Sep 20, 2023, at 2:23 PM, Paul Wouters <paul@nohats.ca> wrote:
> 
> 
>>>       To prevent such unnecessary DNS traffic, security-aware resolvers
>>>       MUST cache DNSSEC validation failures, with some restrictions.
>>> 
>>> What are these "some restrictions" ?
>> 
>> Here our intention is to update this statement from RFC 4035 so that MAY
>> becomes MUST and "invalid signatures" becomes "validation failures" while
>> leaving the "some restrictions" in place.  AFAICT the restrictions that 4035
>> talks about are using short TTLs (as above) and (I think) to have some
>> query threshold for caching validation failures.  I.e., retry before
>> caching.
> 
> Should some of this make it into the document so the reader understands
> the "some restrictions" ?
> 
Sure, how about this:

   One of the restrictions mentioned in [RFC4035] is to use a small TTL
   when caching data that fails DNSSEC validation.  This is, in part,
   because the provided TTL cannot be trusted.  The advice from
   Section 3.2 herein can be used as guidance on TTLs for caching DNSSEC
   validation failures.

DW
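As an added illustration (not code from this thread or from the draft), the two restrictions discussed above expressed as a small negative cache for validation failures: the TTL carried by a response that failed DNSSEC validation is treated as untrusted and clamped to assumed bounds, and an entry is only cached after a retry threshold is reached. The MIN_TTL, MAX_TTL and RETRY_THRESHOLD values are assumptions chosen for this example, not figures quoted from the draft.

```python
import time
from dataclasses import dataclass, field

# Assumed bounds for this example: the TTL from a response that failed
# validation is never trusted outright, only used as a hint and clamped.
MIN_TTL = 1            # seconds, assumed lower bound
MAX_TTL = 300          # seconds, assumed upper bound
RETRY_THRESHOLD = 2    # assumed: retry once before caching the failure


@dataclass
class ValidationFailureCache:
    failures: dict = field(default_factory=dict)  # (name, rrtype) -> count
    cached: dict = field(default_factory=dict)    # (name, rrtype) -> expiry

    def record_failure(self, name, rrtype, response_ttl, now=None):
        """Record one DNSSEC validation failure for <name, rrtype>.

        Returns the TTL (seconds) the failure was cached with, or None
        while the retry threshold has not yet been reached."""
        now = time.monotonic() if now is None else now
        key = (name.lower(), rrtype)
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] < RETRY_THRESHOLD:
            return None
        # Clamp the untrusted TTL: a bogus 0 or a huge value from a
        # non-validating answer must not drive the negative-cache lifetime.
        ttl = max(MIN_TTL, min(MAX_TTL, int(response_ttl)))
        self.cached[key] = now + ttl
        return ttl

    def is_cached_failure(self, name, rrtype, now=None):
        """True if a validation failure for <name, rrtype> is still cached."""
        now = time.monotonic() if now is None else now
        key = (name.lower(), rrtype)
        expiry = self.cached.get(key)
        if expiry is None:
            return False
        if now >= expiry:
            # Expired: drop the entry and reset the retry count so the
            # next failure has to be confirmed again before being cached.
            del self.cached[key]
            self.failures.pop(key, None)
            return False
        return True
```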