Re: [DNSOP] New draft on delegation revalidation

"Giovane C. M. Moura" <giovane.moura@sidn.nl> Tue, 28 April 2020 09:42 UTC

References: <CAHPuVdV9eSCLQOqMF0cq8fHcuSZs7nCgjhHMfMoaV5H=ekbtSA@mail.gmail.com> <4feca627-79d6-374e-402d-f50d49e03469@sidn.nl> <CAHPuVdVkTbV6o5sVCZzOcE4y0yEFUa3rmtcsWooxQK0nO_eMvw@mail.gmail.com>
From: "Giovane C. M. Moura" <giovane.moura@sidn.nl>
Autocrypt: addr=giovane.moura@sidn.nl; keydata= mQINBF14qwEBEAC7A6IGvwbFinLND4AFjFycPiM5Y3qudODE0kiYBPy5d4NIT4uAthSm2FPp 3kUNxMtlZI5NR0Ie/kI2NLdpS6MLpkKtO30D2GIQjaQ58emUnWAxkH94RDB5cJ69mmVxIUnv cpZEOrCvBcJU3SIhnXTfga8AFEct5Sb6XRYy8kblGXcH/6W1XTckcb4g/SejszC2oiiV3cZH HS3UCJvMfY1/6ojq6Cot6jgs/3M56PZI9odsYATu84JNaKqFv1rbD1lf7hYOM5sri6OqrPad qBOCT5DWbdxHvi6JzLNhuxxag/BtJPfLxMFDm+C6P0FKSjY78EzY6Ne2MKlLSDGQWyAHXZae X9RO/0t64LEWBLXmVS1KtIAPt0TgGodhr5d7jXP2maFmgO2+rWhGBBEeC9y9oRRJuBGFzl8w 0wMp1RDNipomtjWPZIIsuWiNKAF/iaPcTr6ZjaNOhnX+Kuqh3X7rr546RYtDDCVWVDpLKZmn 1scrRGKnhvPQsBiuICp5Up6sHNxh30c0n2PJeUZYlhLiZTuzG3rUSg7TLx7d39V4/XyjNr1p ordddIzM2zcGCNP0IgyjdMzjFljL01liMhENXmSagwDLQsOuExcZfawWviPEB2Rzz39obuxi L08RPrtnptcjkx0n6JFtkQUBOLGodtWWLs9cVF4Lic7aJswg6wARAQABtCtHaW92YW5lIEMu IE0uIE1vdXJhIDxnaW92YW5lLm1vdXJhQHNpZG4ubmw+iQJOBBMBCAA4FiEEkUlxD1iA/bYW 8LYoeMuqlaSXxY4FAl14qwECGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQeMuqlaSX xY7A/w/9FSp5N5rGcWe9bK8+k06e5dcxYRphMMHpC6hnrvyfgZgvepkhx9jK8HOevF1xk/Xa 8MR53fP0wo+2ZXSPJNgkzITFFypHfM2LLxh1/Lm2KnwR58OuX/E1juvOx5FseDrVjcmOL1s/ vtm0s4nlbzCSwrvBfnpsSXmQvseQHcm82Oto78p7YxgUNoxjPkaUkmekDMm8TWwctTummYfM vHzKgKSVCCBNJayRRR6+pw+UG5mnlvUgv96AwK7CUF2pjlwIFKx6cVDDD3M17ZUP6zsPQ+HB 8m0DtQFtAu1mU/OXeNk54jKm4b2A1gXwNnh11e7uPzS5hrjz9znwyTLLw1fJPySYUVMDhuu4 EI+L2Goi1DrhLunQ72YRIKHF3jVjDd6eHenk9Qq44WfuYOE1PSdIKjhS0DfOZgy/C4DWkot/ XfZ40dlaV1eLb/fjWw1/GY3FYZIxxPvFV5tg+Fjn4pqiqy2XvCBrIzMYG0X4u3A4Kvjnblh0 9G/bD8lzx6mUymDvZ/PHk8+mhp9obA+LcmLHt+lkNyR73vT1ZTrQWqrzMTlXN7guFWSOrCOm toWgVu63L9LsFKiUllkctXGhFzaERQT85h6ugovq7Bk0Qf0NBvHcwxgBdUa/uqp9Frcm4gT3 pZFepXY4Q63nL/y3Ay65rouurVPsSUTghuzgRaZ1ePq5Ag0EXXirAQEQANJeW4E1yFJ8RIdH /LUp7ZjLSQZjxLi0J6Jz8q60ZCFOEBh++i0nmYljEHG1HHqvMzv7x7EEg2ZaQmk6l8ZF4CuG oy8xjKLyM1v7k3i/GPwHEmWAKR6VxwBflE4ISL0bwecOuBubemSsQYaHBvydTg/sSkCz2YcF inec4o4Ertu4HCo0c+LlzcWWcb1/O6vUaOGCH0LBXT2btbDMzOgSBTeRCHP/aLIClkjNmvRc mQIszCCriuqlapNWTzIm8WVfD5Ho/ZyrtgeSbqk5I4by9eyAJNDKi05NgR1vY85tQ/hNIN90 8RcVK7OvGrQ9NgJpk3oFeaCkAXbhq5HfAI2tWnj3lrPLa7FP//YoYVY/Teqb+Ehp1CiVkeHf F2yGRsSWa+99Ii3nM3E8CpJu+SS/M1zbQlBgvGT+liXMfvJ/7wzAivTdIsy94uiWbLvrmF6V g6Iwq6d9O+/3j8gvcl0OXvUzNO9Qjb3+dL9hoKZ4GPUN9nYP34KcGLgdeyi0/DeKTLDODbXA scoQ+V96JmJzMW+UXkIyfq27MVyZLnJMtwD9On2/vSaNjXD2imfUbtHU0+7FvET8qzzJUBII IYz0dA5UmQx2/PKqDLh5DWdaWZa1cf6RqQ+FE10ePot+RjTU3ojiYqbzJ9Nm8WazV2ibAMg9 gozAb/oRmp7vzZURc21PABEBAAGJAjYEGAEIACAWIQSRSXEPWID9thbwtih4y6qVpJfFjgUC XXirAQIbDAAKCRB4y6qVpJfFjo9sD/9iqHO8MMaMBhefBJs5imU+TMarHto+OLfsnGTQarqH GfyvCB6LmY0ZP92jXtMe9hx0dt8SrlGOtwsFoqcvSk5L5yaFde1aG2o3a21mlcyMRhljzME9 RgnN61pB/rfg8yjbxNbhBgKjQCO/2fyJIcp9Er2qKmJYGV7UkP3Fl5SHMs6Z9IiDhRQjhpKZ iXRpQUofHggErvV7//j8ALLEReVjfEg049EZ1U5VQosroXzkbSPfpAHjW4d+MdCM38WYC3Ap fk7qY1vZV3YTj/eD7j4b772xMMlUdPm6Vl83sAY/OP5ZFCe/f8HUwaRYm6zwhnRug8tI2g05 N3/yBVbmc047gtXTFuW0ZhHkN26rSl6e+gtfhoh0CigfixHRFI6TWrtF5APVxW+WJ1N990w1 RXXHCn8ZGVJ9u8sglWPSWwK8vVhhbZQVtPUkUegN0Zj7nqHz+5nHtqsF6ddIN65akf+CqArU /iVwvA5gsvid2vyunM88MlUplJBmAXtMEyCpvTyfDTT7jYY15ZpaO3jlHyiagwVhVrxgsw+B N0RmT/zoqKN33zuhSmrxw0+vU+gq2BZLjpjZRnnjeoFwKo3qNWKx7BRTxzOG5eMoGzrvO7dF Xt5QjjOQ4cFtq4ryW8qDfmDd4mLYyMcRO/hOPPq30pW9emtiXFABb8JvwfEusod+mQ==
To: IETF DNSOP WG <DNSOP@ietf.org>
Message-ID: <058d760a-7400-e407-4d12-c744d949538e@sidn.nl>
Date: Tue, 28 Apr 2020 11:42:35 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0
In-Reply-To: <CAHPuVdVkTbV6o5sVCZzOcE4y0yEFUa3rmtcsWooxQK0nO_eMvw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from [192.168.1.172] (31.21.111.111) by AM6PR01CA0065.eurprd01.prod.exchangelabs.com (2603:10a6:20b:e0::42) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.13 via Frontend Transport; Tue, 28 Apr 2020 09:42:36 +0000
X-Originating-IP: [31.21.111.111]
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 1e30cf51-dd7d-4b00-48ba-08d7eb587c08
X-MS-TrafficTypeDiagnostic: AM0P194MB0690:
X-Microsoft-Antispam-PRVS: <AM0P194MB0690D74F08B40275E7346F10F1AC0@AM0P194MB0690.EURP194.PROD.OUTLOOK.COM>
X-MS-Oob-TLC-OOBClassifiers: OLM:8882;
X-Forefront-PRVS: 0387D64A71
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0P194MB0257.EURP194.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(396003)(346002)(366004)(376002)(136003)(39840400004)(66946007)(66476007)(478600001)(66556008)(2906002)(186003)(316002)(6916009)(16576012)(16526019)(81156014)(8936002)(8676002)(31696002)(52116002)(26005)(6486002)(86362001)(956004)(2616005)(31686004)(36756003)(5660300002); DIR:OUT; SFP:1101;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: tbE/1P5Yq5NQjGvQfzAtyY3ZgEVydDhaFWu1+KW3yj3vVyf5/AEv3mWu6eXIsZY8Z9wBBRXW+HLPDr3lz+l1YpoT6KkLBpWj2ZVk4q4mjsRYeR1d0W+oNVTEfK20WvNzD+ANlC3LGLBLrkydfDwdxh3ubCx/aWvEP1X6r41X8yVGJRKT+f7wSt/ybWbIAlx0520fl4kh5Tnp1dWzdM9UNon5coAawtMs+FupUBVNMg2v8s64j4WSFHU73/Etc0K3D1xtR4QOORKdq+iF74dnotNv7yJpuNHUnvuUG2Byir0MsboZWdBdV9GrhTTEaUNjdtihkTIUYqH8+CVQLe/I1Wpc0YVN7LX/wMHxYHlpV1J95RBn10vZfZZUqmLPrDcIQgXC0F1tgSL8dCpsRXrlanNzwG4mYq3kdFJrSvjkFqZcTqyL3OU5qhgblbhKv/hUSKI+4AClKlboyPF7wDsYBDDO/TzvoMWGlHotax1Ow9IOJ6KUniewhy0aYDK+UlRtu+VdvNdPqvvClO7Oq6sK2w==
X-MS-Exchange-AntiSpam-MessageData: yAfhKBVWgtAO8Ic2h/LLE5eCSa/pjPIysxylPT0N56BqcihQ0+T2p/gzZGztmVHSJ7bwT+douDWvvURelNvPRYFmEtjaEMeJtb+iTo5nLwO5/ydcpXAdVqKrzcrMIEQPP3e2A9FZltUf9VilaBHlAS2lH7SKYs7H7IKqY6iucaHO+R7OEAi3+vSlBDWaI3nMZgOjGsP0rSj8/N6CrNslMFsGCxlh/Do0W9B7j05RzHOGTTFzcu8PoeAcqAyqLtMuM88yVBqIdAxg7U1k6/moyW8ldbVzvDJgN16BQZKLsGRJ5uW+NLqQggd+3fzXAyrCyMQ0s2Mlses4rR8DZ/odTXl51QQNJ2g07XvKTEMVmG8mBUlJHVLHurdeXykG13b6fckd/HBebljLFxYTN+D/4zQ4D1eoGCG5xIAtoV86GHInWaFoWgdoxZyGQd4Vhm0ewp7WDA/rI35gufT3RQXECC2+W67SAdzzi5jfNJaW2U20kcTMP+F2ZHHW8Xz/881pkd0LjHkHlw9SHB2jhwTzFmR5H04k9mirzMsrTH+nnLoKfCExFnZEBnsr/mWgt6kgrOg8CmT4L+JMucui683BadCg5oNbXXpzMZ6ImNcyE+Bys1+XhOKDc2uX/brqrV09vvhGvueUJ8ilX6uI40/uODu7bc01gHEl9XpbBDmhrwTd4osxTtuowZ/k8L2JRMQwyYzSnjUEYjWpYFy6b9FuYbhhROpWPUrV8Wp5yJ46sgXrd0vDYmSxLJ2wrSHR9GdiALBF4tDHe0RmXSDrQq2pxJWFFmF+L/Yvk/baCr5APDc=
X-OriginatorOrg: sidn.nl
X-MS-Exchange-CrossTenant-Network-Message-Id: 1e30cf51-dd7d-4b00-48ba-08d7eb587c08
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 28 Apr 2020 09:42:36.8580 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: ab4d3626-c1c5-4a75-ab85-427f1a644a7d
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: cbN/Y0Azz4WYybdRL3vTti5EpkFaRuBE9Lu+shA9bmpWvApIYX3IJ2wfhMJTem0IFR/m4SC4v0NZlxiRw/2bvw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0P194MB0690
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/FT02IdpJSnZEMtX9BrWfWn1gr8Q>
Subject: Re: [DNSOP] New draft on delegation revalidation
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Apr 2020 09:42:43 -0000

Hi Shumon,

>  Do you plan to maintain the parent/child disjoint NS 
> domain (marigliano.xyz <http://marigliano.xyz>) going forward? And what
> about the test
> domains for other types of misconfigurations?

Great idea. Let me look into this, will get back to with that.

> Did you look at the potential problem of members of the child (or
> parent) NS sets emitting different information? I suspect that case
> also happens.

Yes, section 4 covers this (NSSet parent != NSSet child).

We have 4 scenarios, and we always query for the A record of
$probeid-$timestamp.marigliano.xyz

The trick was to configure different NSes to return different A answers,
so we knew which NS answer which query.

Is that what you refer?

(in the wild, tab1 shows that 2.1M domains in which the A of the NS
records from parent and child don't match at all -- that's a diff angle
from you question).


> Do you have any plans to look at the behavior of the large public
> resolvers?

That's a good idea, to answer this one, we need to configure the
scenarios again. Let me get back to you once I manage to get this setup
for other folks to test this too

/giovane

Re: [DNSOP] New draft on delegation revalidation Mark Andrews
[DNSOP] New draft on delegation revalidation Shumon Huque
Re: [DNSOP] New draft on delegation revalidation Bob Harold
Re: [DNSOP] New draft on delegation revalidation Tim Wicinski
Re: [DNSOP] New draft on delegation revalidation Brian Dickson
Re: [DNSOP] New draft on delegation revalidation Shumon Huque
Re: [DNSOP] New draft on delegation revalidation Stephane Bortzmeyer
Re: [DNSOP] New draft on delegation revalidation Stephane Bortzmeyer
Re: [DNSOP] New draft on delegation revalidation Shumon Huque
Re: [DNSOP] New draft on delegation revalidation Shumon Huque
Re: [DNSOP] New draft on delegation revalidation John Levine
Re: [DNSOP] New draft on delegation revalidation Paul Vixie
Re: [DNSOP] New draft on delegation revalidation Paul Vixie
Re: [DNSOP] New draft on delegation revalidation Puneet Sood
Re: [DNSOP] New draft on delegation revalidation Ólafur Guðmundsson
Re: [DNSOP] New draft on delegation revalidation Shumon Huque
Re: [DNSOP] New draft on delegation revalidation Shumon Huque
Re: [DNSOP] New draft on delegation revalidation Shumon Huque
Re: [DNSOP] New draft on delegation revalidation John R Levine
Re: [DNSOP] New draft on delegation revalidation Bob Harold
Re: [DNSOP] New draft on delegation revalidation Gavin McCullagh
Re: [DNSOP] New draft on delegation revalidation Shumon Huque
Re: [DNSOP] New draft on delegation revalidation Patrick Mevzek
Re: [DNSOP] New draft on delegation revalidation Shumon Huque
Re: [DNSOP] New draft on delegation revalidation Patrick Mevzek
Re: [DNSOP] New draft on delegation revalidation Shumon Huque
Re: [DNSOP] New draft on delegation revalidation Joe Abley
Re: [DNSOP] New draft on delegation revalidation Vladimír Čunát
Re: [DNSOP] New draft on delegation revalidation Giovane C. M. Moura
Re: [DNSOP] New draft on delegation revalidation Shumon Huque
Re: [DNSOP] New draft on delegation revalidation Gavin McCullagh
Re: [DNSOP] New draft on delegation revalidation Shumon Huque
Re: [DNSOP] New draft on delegation revalidation Shumon Huque
Re: [DNSOP] Privacy and DNSSEC Vladimír Čunát
Re: [DNSOP] Privacy and DNSSEC Paul Vixie
Re: [DNSOP] Privacy and DNSSEC Masataka Ohta
Re: [DNSOP] Privacy and DNSSEC Vittorio Bertola
Re: [DNSOP] New draft on delegation revalidation Joe Abley
Re: [DNSOP] New draft on delegation revalidation Paul Vixie
Re: [DNSOP] New draft on delegation revalidation Shumon Huque
Re: [DNSOP] Privacy and DNSSEC Shumon Huque
[DNSOP] Client Validation - filtering validation? Brian Dickson
Re: [DNSOP] Privacy and DNSSEC Paul Vixie
Re: [DNSOP] Privacy and DNSSEC Mark Andrews
Re: [DNSOP] New draft on delegation revalidation Giovane C. M. Moura
Re: [DNSOP] Client Validation - filtering validat… Vittorio Bertola
Re: [DNSOP] Client Validation - filtering validat… Paul Wouters
Re: [DNSOP] Client Validation - filtering validat… S Moonesamy
Re: [DNSOP] Client Validation - filtering validat… John Levine
Re: [DNSOP] Client Validation - filtering validat… Paul Vixie
Re: [DNSOP] Privacy and DNSSEC Shumon Huque
Re: [DNSOP] New draft on delegation revalidation Shumon Huque
Re: [DNSOP] Privacy and DNSSEC Paul Vixie
Re: [DNSOP] Privacy and DNSSEC Shumon Huque
Re: [DNSOP] Privacy and DNSSEC Paul Wouters
Re: [DNSOP] Privacy and DNSSEC Shumon Huque
Re: [DNSOP] Privacy and DNSSEC Shumon Huque
Re: [DNSOP] New draft on delegation revalidation Daniel Migault
Re: [DNSOP] Privacy and DNSSEC Paul Vixie
Re: [DNSOP] Privacy and DNSSEC Paul Vixie
Re: [DNSOP] New draft on delegation revalidation Giovane C. M. Moura
Re: [DNSOP] New draft on delegation revalidation Shumon Huque
Re: [DNSOP] New draft on delegation revalidation Daniel Migault
Re: [DNSOP] New draft on delegation revalidation Giovane C. M. Moura
Re: [DNSOP] New draft on delegation revalidation Shumon Huque
Re: [DNSOP] New draft on delegation revalidation Petr Špaček
Re: [DNSOP] New draft on delegation revalidation Shumon Huque
Re: [DNSOP] New draft on delegation revalidation Giovane C. M. Moura
Re: [DNSOP] New draft on delegation revalidation Petr Špaček
Re: [DNSOP] New draft on delegation revalidation Paul Vixie
Re: [DNSOP] New draft on delegation revalidation Gavin McCullagh
Re: [DNSOP] New draft on delegation revalidation Shumon Huque
Re: [DNSOP] New draft on delegation revalidation Paul Vixie