Re: [DNSOP] Delegation acceptance checks [was: Re: [Ext] WGLC rfc8499bis one week extension for lame delegation definition]
Warren Kumari <warren@kumari.net> Fri, 05 May 2023 16:17 UTC
Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2EF1FC13AE56 for <dnsop@ietfa.amsl.com>; Fri, 5 May 2023 09:17:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_RED=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8HsHpbrwsKbe for <dnsop@ietfa.amsl.com>; Fri, 5 May 2023 09:17:10 -0700 (PDT)
Received: from mail-qt1-x831.google.com (mail-qt1-x831.google.com [IPv6:2607:f8b0:4864:20::831]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6EC75C15199F for <dnsop@ietf.org>; Fri, 5 May 2023 09:17:10 -0700 (PDT)
Received: by mail-qt1-x831.google.com with SMTP id d75a77b69052e-3f0b30f240eso15529221cf.3 for <dnsop@ietf.org>; Fri, 05 May 2023 09:17:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari.net; s=google; t=1683303429; x=1685895429; h=cc:to:subject:message-id:date:in-reply-to:references:from :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Bx4JGvI2LEAQFIxwvzhmUfjNb1swuv/Xso6viB3l2FI=; b=AIPK2rQdMIaC1pE1OB/XVX4O52fRnje31OtrJIfi8Ams2RreoOxtBnVHtY0F4lG/e9 ZT84ut9fOJ/wBA+RKbXOZubVyNKj6l9njr7ryxxTJPeMmU7Dh2QhFVJ/88rssFX4b1Im rNgG4dOBb2ca4GKDKHU2xcx73ZVzD2SB0es7Oi8fiHel44UHDZsNf4xnvLvRlovUCXkM 469/3DWrQtBBRsDrroV6ueIo8jSsG9J+4vIbrD4Iotxxw/RSseVuN3yIsCUx+Itsi/jO YxMeEafvbbkeTzO8lfWFSmjMlpD70v3/kWqvcg5lKh8NZ+D0PUU30wPKjkiX6FLn7AFc qFJA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1683303429; x=1685895429; h=cc:to:subject:message-id:date:in-reply-to:references:from :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Bx4JGvI2LEAQFIxwvzhmUfjNb1swuv/Xso6viB3l2FI=; b=mBjcUNpoTXBVzFO/uyNN6aqNwBYb9ibvkO1yOsgWYpmu3H837xwdQXgGSn6PlefdxM OfOTZk9ox7IeGPPhxP++gToVQ2j0E7s2hJwuXJ3/XHkzPJVztHznSsRAMwirE6h7xyI2 oyGUx9wljGbIUbDpZEWYeIK7CpNNn6SR7icI4mXMizQFYYY27JkGHfhOE8sBGJfrC9Ts +mXvF6BXz9hymkfnDcG6BzHngJrmhvd99lb09upOnPXVLn6WiW8es1DrMvfRXx+B99kJ zDd0owEcF4PSGrX5myiX9e/gqXZHbV7uo+dH5+hogC673VqSZjXcNQb/G8MFYVFW8IKs sedA==
X-Gm-Message-State: AC+VfDw3xawTCfov+5CUaNs9jxY7/5auOiPz2U4wBs2h2VU8QeSJWmpN 6Jdn5pcviG3t0CaPLQp4Ph8XalEqdGoL4SABoKKXbAR2sQIesaCK
X-Google-Smtp-Source: ACHHUZ7e95CHcgc5a1MXr+Wu+MHnsQ7H8YRQZW46Sy0eBPLezigGbJ2cV0NteKS3O76USfD+WsqBbm0ai+WfZqrs1c8=
X-Received: by 2002:ac8:5745:0:b0:3f0:a755:61ef with SMTP id 5-20020ac85745000000b003f0a75561efmr3520780qtx.0.1683303429014; Fri, 05 May 2023 09:17:09 -0700 (PDT)
Received: from 649336022844 named unknown by gmailapi.google.com with HTTPREST; Fri, 5 May 2023 11:17:08 -0500
Mime-Version: 1.0
X-Superhuman-ID: lhardy3e.492fd8f9-691c-450a-aa8a-ff4c73e530c5
From: Warren Kumari <warren@kumari.net>
References: <1C10367C-B890-426F-A4F8-2D68E903ED39@icann.org> <0.2.0-final-1683191254.797-0xa08e34@qmda.emu.st> <CAHw9_iLyz4dhjmXm=eeqiVqQWOjYOgs45NbCtRtvrYpTFQHz=w@mail.gmail.com> <20230504.200747.619569100111463947.he@uninett.no> <8ee0d0dd-685b-f767-e5bd-d722cc873dc8@desec.io>
X-Mailer: Superhuman Desktop (2023-05-04T22:06:06Z)
X-Superhuman-Draft-ID: draft00c94a288c9dde51
In-Reply-To: <8ee0d0dd-685b-f767-e5bd-d722cc873dc8@desec.io>
Date: Fri, 05 May 2023 11:17:08 -0500
Message-ID: <CAHw9_iJ53q15k_VH5mK0NVArd=e0g6-ouc26=XrK0fzv+EmTyQ@mail.gmail.com>
To: Peter Thomassen <peter@desec.io>
Cc: Havard Eidnes <he=40uninett.no@dmarc.ietf.org>, m9p@india.emu.st, dnsop@ietf.org, Nils Wisiol <nils@desec.io>
Content-Type: multipart/alternative; boundary="000000000000ef99e205faf49ed7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/O6cdxCSN3861_NqaNZosJw9Y4GI>
Subject: Re: [DNSOP] Delegation acceptance checks [was: Re: [Ext] WGLC rfc8499bis one week extension for lame delegation definition]
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 May 2023 16:17:15 -0000
<No hats (obviously)> On Fri, May 05, 2023 at 4:39 AM, Peter Thomassen <peter@desec.io> wrote: > On 5/4/23 20:07, Havard Eidnes wrote: > > As an example, it's quite common for people to register a domain and point > the DNS at some nameservers which they don't control, and have no > relationship with. > > If this is common, I'm abhorred. > > Having the delegating party check for service for the requested zone at > time of delegation request and refuse to update / register if this check > fails > > It would be interesting to develop a consensus position on acceptance > checks for delegations. (Obviously, that's out of scope for this draft, so > renaming the subject.) > > I can see some value in such delegation checks. However, I think that very > clear guidance on what kinds of checks are acceptable would be helpful, to > avoid checks that primarily cause trouble. Examples: > > - DENIC customers have repeatedly reported to us (deSEC) DENIC's warning > on how our SOA REFRESH and RETRY values should be related. We think it's > entirely a matter of how the operator arranges their replication, and the > parent should not be concerned. What's more, the DENIC recommendations are > in contradiction to RIPE's. [1] > > - Lots of tools and some registries check reachability and other > configuration details of the SOA MNAME, although the MNAME again is an > internal matter to the operator. (Could be using a different replication > scheme; could be a split-horizon setup; ...) For example, NIC.it > <http://nic.it/> rejects nameservers whose SOA MNAME is a CNAME [2]. > Tools like MxToolbox, Zonemaster etc. trigger warnings when the SOA MNAME > has no DNS service [3]. Other tools complain when the MNAME isn't > dual-stack [4]. We receive similar complaints about the "serial date being > in the future". > > - ISNIC recently started rejecting new delegation to deSEC (and warned to > delete existing ones) because our zones allegedly don't have NS records. It > turned out that their delegation tool did not honor the extended RCODE > field (RFC 6891) which is why BADCOOKIE appeared like YXRRSET to them, and > the tool gave up. (No public reference though, and it's been fixed within a > few days.) > > While I'm not generally opposed to parents checking whether a delegation > update would break the domain's resolution (this is like the CDS acceptance > checks, and makes sense for NS, too), I do see some risk in encouraging > people to do more checks. > > I imagine that others also spend time on sorting out these entirely > unnecessary issues. If guidance were developed on delegation acceptance > checks, > Well, yes… but where? To me it feels like the IETF would be the right place to discuss and develop the guidance (personally I think that a parent should check if the name servers that are being proposed actually answer for the domain[0], and strongly suggest (but do not prevent) that that be fixed[1]. As the most common place where this occurs is (citation needed!) at a TLD, I'd think that once guidance is created, someone (SSAC?) should push for it being strongly recommended / folded into ICANN contract. it would be great to use the opportunity not only to encourage helpful > checks, but also to discourage harmful ones. > Yup. I think that these should be of the forms "SHOULD / SHOULD NOT / RECOMMENDED", and not of the form "MUST / MUST NOT" — if I want to do something silly with a domain, I should be able to (as long as it isn't harming others). W [0]: Some, including myself, would call this lame, but…. [1]: As an example, I have a-random-test-domain.net pointing to nameservers which have no idea about this domain - and I did that intentionally… </No hats> > Thanks, > Peter > > [1]: https://talk.desec.io/t/ > default-soa-does-not-match-denic-recommendations/520/2 > [2]: https://talk.desec.io/t/ > nic-it-cnamehosttest-failed-changing-nameservers/432 > [3]: https://talk.desec.io/t/invalid-soa-record/68 > [4]: https://talk.desec.io/t/reachability-of-digga-desec-io/339 > > -- > https://desec.io/ >
- [DNSOP] WGLC rfc8499bis one week extension for la… Benno Overeinder
- Re: [DNSOP] WGLC rfc8499bis one week extension fo… George Michaelson
- Re: [DNSOP] WGLC rfc8499bis one week extension fo… Joe Abley
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Paul Hoffman
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Tim Wicinski
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Wessels, Duane
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… John Kristoff
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Hollenbeck, Scott
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… libor.peltan
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Brian Dickson
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Mark Delany
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Joe Abley
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Paul Vixie
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Wes Hardaker
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Paul Vixie
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Ralf Weber
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Magnus Sandberg
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Frederico A C Neves
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Peter Thomassen
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Wes Hardaker
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Paul Wouters
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Paul Wouters
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Peter Thomassen
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Peter Thomassen
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Joe Abley
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Joe Abley
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Peter Thomassen
- Re: [DNSOP] WGLC rfc8499bis one week extension fo… John Kristoff
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Warren Kumari
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Havard Eidnes
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Havard Eidnes
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Warren Kumari
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Edward Lewis
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Edward Lewis
- Re: [DNSOP] WGLC rfc8499bis one week extension fo… Donald Eastlake
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Edward Lewis
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Havard Eidnes
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Mark Delany
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Warren Kumari
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Havard Eidnes
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Havard Eidnes
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Joe Abley
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Mark Andrews
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… George Michaelson
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Mark Andrews
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Brian Dickson
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Joe Abley
- [DNSOP] Delegation acceptance checks [was: Re: [E… Peter Thomassen
- Re: [DNSOP] Delegation acceptance checks [was: Re… Warren Kumari
- Re: [DNSOP] Delegation acceptance checks Havard Eidnes
- Re: [DNSOP] Delegation acceptance checks [was: Re… Mark Delany
- Re: [DNSOP] Delegation acceptance checks [was: Re… Joe Abley
- Re: [DNSOP] [Ext] WGLC rfc8499bis one week extens… Edward Lewis
- Re: [DNSOP] Delegation acceptance checks [was: Re… Brian Dickson
- Re: [DNSOP] Delegation acceptance checks [was: Re… John Levine
- Re: [DNSOP] Delegation acceptance checks [was: Re… Dr Eberhard W Lisse
- Re: [DNSOP] Delegation acceptance checks Dr Eberhard W Lisse
- Re: [DNSOP] WGLC rfc8499bis one week extension fo… Benno Overeinder
- Re: [DNSOP] Delegation acceptance checks Havard Eidnes
- Re: [DNSOP] Delegation acceptance checks Joe Abley
- Re: [DNSOP] Delegation acceptance checks [was: Re… John Levine
- Re: [DNSOP] Delegation acceptance checks [was: Re… Mark Andrews
- Re: [DNSOP] Delegation acceptance checks [was: Re… Peter Thomassen
- Re: [DNSOP] Delegation acceptance checks Peter Thomassen
- Re: [DNSOP] Delegation acceptance checks Mark Elkins
- Re: [DNSOP] Delegation acceptance checks [was: Re… John Levine
- Re: [DNSOP] Delegation acceptance checks [was: Re… Kim Davies
- Re: [DNSOP] Delegation acceptance checks [was: Re… Mark Andrews
- Re: [DNSOP] Delegation acceptance checks [was: Re… John Levine
- Re: [DNSOP] Delegation acceptance checks [was: Re… Mark Andrews
- Re: [DNSOP] Delegation acceptance checks [was: Re… John R Levine
- Re: [DNSOP] Delegation acceptance checks [was: Re… Mark Andrews
- Re: [DNSOP] Delegation acceptance checks [was: Re… Rubens Kuhl
- Re: [DNSOP] Delegation acceptance checks [was: Re… John R Levine
- Re: [DNSOP] Delegation acceptance checks [was: Re… Edward Lewis