Re: [DNSOP] [Ext] DNSSEC Strict Mode

Ben Schwartz <bemasc@google.com> Thu, 25 February 2021 00:51 UTC

References: <CAHbrMsBeCiZ-31hjKvet2UPDPFhdVYpgqR6Kw-WWz1ERgeSFoQ@mail.gmail.com> <7BB07063-2CA3-4283-8866-2B19A7AAA9A0@icann.org> <45e3c45-d324-8124-5dae-98acba9dd7cb@watson.org> <CAHbrMsBsG8OnXOXwAFY5eNf-0viQ_e5nKKhp1XVpnpMkGW1L-Q@mail.gmail.com> <02CAFAF2-BD58-48D4-B9CC-DD06EB99357B@wisser.se> <57BA9FA0-C16D-4178-B4A8-C9D9B174AC82@isc.org> <CAHbrMsBjOmKXmv7vJoCB+horzmzHDkn3KYPbNxeyB3miWLV2WA@mail.gmail.com> <CAH1iCipf1gD0s_5y470gGyiSJS6+BeAEtVM_PP2okz=iaNvyig@mail.gmail.com>
In-Reply-To: <CAH1iCipf1gD0s_5y470gGyiSJS6+BeAEtVM_PP2okz=iaNvyig@mail.gmail.com>
From: Ben Schwartz <bemasc@google.com>
Date: Wed, 24 Feb 2021 19:50:59 -0500
Message-ID: <CAHbrMsAcwancick4-XWL_wQgFEtyQZ5XO71aTO+gZNdXWbYsCQ@mail.gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: Mark Andrews <marka@isc.org>, dnsop <dnsop@ietf.org>, Ulrich Wisser <ulrich@wisser.se>, Samuel Weiler <weiler@watson.org>, Paul Hoffman <paul.hoffman@icann.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/G1ExhVZm1CSGFvyzcBxz8BL1A_E>

On Wed, Feb 24, 2021 at 6:57 PM Brian Dickson <brian.peter.dickson@gmail.com>
wrote:

>
> That's not possible. The DS records are on the parent side (TLD) and the
> TTL is set by the TLD per whatever their standard policy is. Same for
> RRSIGs over those DS records.
>

That's fine.  I meant the TTLs of the ZSKs and zone contents.  Switching
from provider A to provider B, the sequence would be
1. Set all TTLs in the zone to zero
2. Wait
3. Copy zone to provider B
4. Add DS for B's keys to the parent
5. Wait
6. Add B's NS to the parent
7. Remove A's NS from the parent
8. Wait
9. Remove DS for A's keys from the parent
10. Set zone TTLs to > 0

>
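The handover sequence in this message, modelled as an added example (this is not code from the original post, from Ben Schwartz, or from any DNS provider). It reduces the steps to the parent-side operations (DS and NS changes plus the waits) and checks, after every operation, the invariant that makes the sequence safe: any name server a validating resolver might still ask, including one it cached from an earlier NS set, must serve a DNSKEY RRset with a key matching a DS at the parent. The provider names, name-server names, key tags and the abstract NS TTL are constructed; real DS records would be matched by digest rather than by key tag, and the zone-content TTL changes of steps 1, 2 and 10 are not modelled.

```python
"""
Model of the provider-A -> provider-B DNSSEC handover from the message.
Constructed example: providers, name servers and key tags are made up.

A validating resolver can end up at any server it has learned for the
zone: those currently in the parent's NS set, plus any it cached from an
earlier NS set whose TTL has not yet expired.  Whichever server answers,
its DNSKEY RRset must contain a key matching a DS record at the parent,
or the answer is bogus.  run() walks a sequence of parent-side operations
and reports the first one after which that stops holding.
"""
from dataclasses import dataclass, field

NS_TTL = 2  # constructed: parent-side NS TTL, in abstract "wait" units


@dataclass
class Provider:
    name: str
    ns: str        # name server the parent delegates to
    ksk_tag: int   # key tag of the KSK whose DS must be at the parent


A = Provider("A", "ns.provider-a.example.", 12345)
B = Provider("B", "ns.provider-b.example.", 54321)
PROVIDERS = {p.ns: p for p in (A, B)}


@dataclass
class State:
    ns: set = field(default_factory=set)          # NS RRset at the parent
    ds: set = field(default_factory=set)          # DS key tags at the parent
    stale_ns: dict = field(default_factory=dict)  # removed NS -> TTL left


def reachable_ns(state):
    """Servers a resolver may still query: current NS plus cached, removed NS."""
    return set(state.ns) | set(state.stale_ns)


def validates(state):
    """True if every reachable server can chain its DNSKEY to a parent DS."""
    return all(PROVIDERS[ns].ksk_tag in state.ds for ns in reachable_ns(state))


def apply(state, op, arg=None):
    if op == "add_ds":
        state.ds.add(arg.ksk_tag)
    elif op == "remove_ds":
        state.ds.discard(arg.ksk_tag)
    elif op == "add_ns":
        state.ns.add(arg.ns)
        state.stale_ns.pop(arg.ns, None)
    elif op == "remove_ns":
        state.ns.discard(arg.ns)
        state.stale_ns[arg.ns] = NS_TTL   # resolver caches may still hold it
    elif op == "wait":
        for ns in list(state.stale_ns):
            state.stale_ns[ns] -= 1
            if state.stale_ns[ns] <= 0:
                del state.stale_ns[ns]
    else:
        raise ValueError(op)
    return state


def run(sequence, start=None):
    """Apply ops in order; return (ok, index of the first op that breaks validation)."""
    state = start or State(ns={A.ns}, ds={A.ksk_tag})  # zone served by A only
    for i, (op, arg) in enumerate(sequence):
        apply(state, op, arg)
        if not validates(state):
            return False, i
    return True, None


# Steps 4-9 of the message; the step-8 wait is long enough to outlive NS_TTL.
GOOD = [
    ("add_ds", B), ("wait", None),
    ("add_ns", B), ("remove_ns", A),
    ("wait", None), ("wait", None),
    ("remove_ds", A),
]

# Steps 4 and 6 swapped: resolvers sent to B find no DS for B's key.
BAD_ORDER = [
    ("add_ns", B), ("add_ds", B), ("remove_ns", A),
    ("wait", None), ("wait", None), ("remove_ds", A),
]

# Step 8 skipped: A's DS is pulled while caches can still send queries to A.
BAD_WAIT = [
    ("add_ds", B), ("wait", None),
    ("add_ns", B), ("remove_ns", A), ("remove_ds", A),
]

if __name__ == "__main__":
    for label, seq in (("good", GOOD), ("bad_order", BAD_ORDER), ("bad_wait", BAD_WAIT)):
        print(label, run(seq))
```

The two failing variants are the two mistakes the ordering in the message is designed to prevent: publishing B's NS before B's DS, and dropping A's DS before the old NS records have aged out of resolver caches.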