Re: [DNSOP] [Ext] DNSSEC Strict Mode
Ben Schwartz <bemasc@google.com> Thu, 25 February 2021 00:51 UTC
From: Ben Schwartz <bemasc@google.com>
Date: Wed, 24 Feb 2021 19:50:59 -0500
Message-ID: <CAHbrMsAcwancick4-XWL_wQgFEtyQZ5XO71aTO+gZNdXWbYsCQ@mail.gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: Mark Andrews <marka@isc.org>, dnsop <dnsop@ietf.org>, Ulrich Wisser <ulrich@wisser.se>, Samuel Weiler <weiler@watson.org>, Paul Hoffman <paul.hoffman@icann.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/G1ExhVZm1CSGFvyzcBxz8BL1A_E>

On Wed, Feb 24, 2021 at 6:57 PM Brian Dickson <brian.peter.dickson@gmail.com> wrote:

> That's not possible. The DS records are on the parent side (TLD) and the
> TTL is set by the TLD per whatever their standard policy is. Same for
> RRSIGs over those DS records.

That's fine. I meant the TTLs of the ZSKs and zone contents. Switching from provider A to provider B, the sequence would be:

1. Set all TTLs in the zone to zero
2. Wait
3. Copy zone to provider B
4. Add DS for B's keys to the parent
5. Wait
6. Add B's NS to the parent
7. Remove A's NS from the parent
8. Wait
9. Remove DS for A's keys from the parent
10. Set zone TTLs to > 0
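As an added illustration (not part of the thread), the following toy model checks the DS/NS ordering in the sequence above: it tracks which copies of the parent's DS and NS sets a validating resolver might still hold in cache, and requires every cached combination to validate. It assumes provider A signs with a key tagged "KA" and provider B with "KB" (constructed names), and that a resolver accepts a provider's answer only if the parent publishes a DS for that provider's key.

```python
# Added example, not from the message: a toy model of the provider-switch
# ordering, checking that a validating resolver never fails no matter which
# cached copy of the parent's DS or NS set it still holds.
# Assumption (constructed): provider A signs with key "KA", provider B with "KB".

KEY = {"A": "KA", "B": "KB"}  # constructed: NS name -> key tag it signs with

def validates(ds, ns):
    """Any NS the resolver might pick must serve data signed by a key in DS."""
    return all(KEY[n] in ds for n in ns)

def simulate(steps, ds=("KA",), ns=("A",)):
    """Apply parent-side steps; 'wait' lets old cached copies expire.
    Returns (step, ok) per step, ok meaning every cached-DS x cached-NS
    combination still validates."""
    ds, ns = frozenset(ds), frozenset(ns)
    ds_versions, ns_versions = {ds}, {ns}  # copies a resolver may still cache
    result = []
    for step in steps:
        op, _, who = step.partition(" ")
        if op == "wait":
            ds_versions, ns_versions = {ds}, {ns}
        elif op == "add_ds":
            ds = ds | {KEY[who]}; ds_versions.add(ds)
        elif op == "del_ds":
            ds = ds - {KEY[who]}; ds_versions.add(ds)
        elif op == "add_ns":
            ns = ns | {who}; ns_versions.add(ns)
        elif op == "del_ns":
            ns = ns - {who}; ns_versions.add(ns)
        ok = all(validates(d, n) for d in ds_versions for n in ns_versions)
        result.append((step, ok))
    return result

# Parent-side steps of the sequence above (zone-content/TTL steps omitted;
# the model does not track cached zone data, which zero TTLs take care of).
GOOD = ["add_ds B", "wait", "add_ns B", "del_ns A", "wait", "del_ds A"]
# Two wrong orderings: no wait after publishing B's DS; A's DS removed first.
NO_WAIT = ["add_ds B", "add_ns B", "del_ns A", "wait", "del_ds A"]
DS_FIRST = ["add_ds B", "wait", "del_ds A", "wait", "add_ns B", "del_ns A"]

def all_ok(steps):
    return all(ok for _, ok in simulate(steps))

if __name__ == "__main__":
    for name, s in [("good", GOOD), ("no_wait", NO_WAIT), ("ds_first", DS_FIRST)]:
        print(name, all_ok(s), simulate(s))
```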