[DNSOP] Fwd: New Version Notification for draft-ietf-dnsop-ns-revalidation-07.txt

Willem Toorop <willem@nlnetlabs.nl> Mon, 08 July 2024 08:56 UTC

To: DNSOP Working Group <dnsop@ietf.org>
CC: internet-drafts@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Ow4BZ29FOJrbjHnYt-Ez6IjX3KU>

Dear all,

This latest version 07 of draft-ietf-dnsop-ns-revalidation has processed all 
feedback from the DNS Directorate early review, the mailing list, and the room 
and hallways since it was presented at the last IETF, IETF 119 in Brisbane. 
The authors believe the draft is ready for working group last call.

Changes in response to DNS Directorate review:

  * Section 3 is now formatted as paragraphs.
  * RFC 2119 keywords are used throughout the document.
  * Explain what to do with an auth answer with NS in the authority section.

From feedback from the list:

  * Corrected an error in the security section.

From feedback from the room and hallways:

  * Send a DNS Error report when an NS set mismatch is detected.
  * ZONEMD also adds DNSSEC protection to infrastructure data.
  * A paragraph on parent-only resolvers, how they are less vulnerable
    to some cache poisoning attacks, but also do not benefit from DNSSEC
    protection against query redirection.
  * A paragraph on implementations wishing to limit revalidation to the
    parts of the domain name space where it counts the most.
  * Added an Implementation Status section.


-------- Forwarded message --------
Subject: New Version Notification for draft-ietf-dnsop-ns-revalidation-07.txt
Date: Mon, 08 Jul 2024 01:45:12 -0700
From: internet-drafts@ietf.org
To: Paul Vixie <paul@redbarn.org>, Shumon Huque <shuque@gmail.com>, Willem Toorop <willem@nlnetlabs.nl>

A new version of Internet-Draft draft-ietf-dnsop-ns-revalidation-07.txt has
been successfully submitted by Willem Toorop and posted to the
IETF repository.

Name: draft-ietf-dnsop-ns-revalidation
Revision: 07
Title: Delegation Revalidation by DNS Resolvers
Date: 2024-07-08
Group: dnsop
Pages: 13
URL: https://www.ietf.org/archive/id/draft-ietf-dnsop-ns-revalidation-07.txt
Status: https://datatracker.ietf.org/doc/draft-ietf-dnsop-ns-revalidation/
HTMLized: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-ns-revalidation
Diff: https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-ns-revalidation-07

Abstract:

This document recommends improved DNS [RFC1034] [RFC1035] resolver
behavior with respect to the processing of Name Server (NS) resource
record (RR) sets (RRsets) during iterative resolution. When
following a referral response from an authoritative server to a child
zone, DNS resolvers should explicitly query the authoritative NS
RRset at the apex of the child zone and cache this in preference to
the NS RRset on the parent side of the zone cut. The (A and AAAA)
address RRsets in the additional section from referral responses and
authoritative NS answers for the names of the NS RRset, should
similarly be re-queried and used to replace the entries with the
lower trustworthiness ranking in cache. Resolvers should also
periodically revalidate the child delegation by re-querying the
parent zone at the expiration of the TTL of the parent side NS RRset.



The IETF Secretariat
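The resolver behaviour the abstract describes, as an added example that is not part of the original message, the draft, or any real resolver: a toy cache that ranks NS and address RRsets by where they came from (following the RFC 2181 section 5.4.1 ordering that the abstract's "trustworthiness ranking" refers to), lets the child's authoritative answers replace the parent-side referral data, refuses to let a later referral overwrite them, and re-queries the parent when the parent-side NS TTL expires, recording a report when the parent-side and cached child-side NS RRsets disagree (the "NS set mismatch" item in the change list above). The zone, server names and addresses are constructed; what the cache does after a mismatch (discard the cached child NS set and continue from the fresh referral) is this example's assumption, not text from the draft.

```python
from dataclasses import dataclass, field

# Trustworthiness ranks, lowest to highest, following the ordering in
# RFC 2181 section 5.4.1 (the abstract's "trustworthiness ranking").
ADDITIONAL = 1    # address records from the additional section of a referral (glue)
REFERRAL_NS = 2   # NS RRset from the authority section of a referral (parent side)
AUTH_ANSWER = 4   # RRset from the answer section of an authoritative reply (child side)


@dataclass(frozen=True)
class CachedRRset:
    name: str
    rtype: str
    rdata: frozenset
    rank: int
    expires: int  # absolute time in seconds


@dataclass
class RevalidatingCache:
    now: int = 0
    rrsets: dict = field(default_factory=dict)            # (name, type) -> CachedRRset
    parent_ns_expiry: dict = field(default_factory=dict)  # zone -> expiry of parent-side NS
    reports: list = field(default_factory=list)           # (zone, parent NS set, cached NS set)

    def store(self, rr):
        """Cache rr unless an unexpired copy of higher rank is present.
        Equal rank replaces (this example's choice); lower rank is discarded."""
        cur = self.rrsets.get((rr.name, rr.rtype))
        if cur is not None and cur.expires > self.now and cur.rank > rr.rank:
            return False
        self.rrsets[(rr.name, rr.rtype)] = rr
        return True

    def lookup(self, name, rtype):
        rr = self.rrsets.get((name, rtype))
        return rr if rr is not None and rr.expires > self.now else None

    def process_referral(self, zone, ns_names, glue, ttl):
        """Referral from the parent: NS and glue enter at low rank, and the
        parent-side TTL is remembered as the moment to revalidate."""
        self.parent_ns_expiry[zone] = self.now + ttl
        for host, addrs in glue.items():
            self.store(CachedRRset(host, "A", frozenset(addrs), ADDITIONAL, self.now + ttl))
        return self.store(CachedRRset(zone, "NS", frozenset(ns_names), REFERRAL_NS, self.now + ttl))

    def process_child_apex_ns(self, zone, ns_names, ttl):
        """Answer to the explicit NS query at the child apex; it outranks
        and replaces the parent-side copy."""
        return self.store(CachedRRset(zone, "NS", frozenset(ns_names), AUTH_ANSWER, self.now + ttl))

    def process_auth_address(self, host, addrs, ttl):
        """Re-queried address RRset for an NS name, replacing the glue copy."""
        return self.store(CachedRRset(host, "A", frozenset(addrs), AUTH_ANSWER, self.now + ttl))

    def revalidation_due(self, zone):
        return self.parent_ns_expiry.get(zone, 0) <= self.now

    def revalidate(self, zone, parent_ns_names, glue, ttl):
        """Re-query of the parent at parent-side TTL expiry. Returns True when
        the parent's NS RRset agrees with the cached child-side one. On a
        mismatch a report is recorded and (assumption of this example) the
        cached child set is dropped so resolution restarts from the referral."""
        parent = frozenset(parent_ns_names)
        child = self.lookup(zone, "NS")
        consistent = child is not None and child.rdata == parent
        if child is not None and not consistent:
            self.reports.append((zone, parent, child.rdata))
            self.rrsets.pop((zone, "NS"), None)
        self.process_referral(zone, parent_ns_names, glue, ttl)
        return consistent


def demo():
    """Walk the abstract's sequence for the constructed zone example.test.
    (names and addresses are made up for this example)."""
    zone = "example.test."
    ns1, ns2, ns3, ns9 = (f"ns{i}.{zone}" for i in (1, 2, 3, 9))
    c = RevalidatingCache(now=0)
    out = {}
    # 1. Referral from the parent: two NS names plus glue, parent-side TTL 300.
    c.process_referral(zone, [ns1, ns2], {ns1: ["192.0.2.1"], ns2: ["192.0.2.2"]}, 300)
    # 2. Explicit NS query at the child apex: the authoritative set names a third server.
    out["child_ns_cached"] = c.process_child_apex_ns(zone, [ns1, ns2, ns3], 3600)
    out["cached_ns_after_child"] = c.lookup(zone, "NS").rdata
    # 3. Re-query ns1's address: the authoritative answer replaces the glue copy.
    out["glue_replaced"] = c.process_auth_address(ns1, ["192.0.2.1"], 3600)
    out["ns1_rank"] = c.lookup(ns1, "A").rank
    # 4. A later referral cannot push lower-ranked data over the child's set.
    c.now = 100
    out["referral_overwrote"] = c.process_referral(zone, [ns1, ns2], {}, 300)
    # 5. Parent-side TTL lapses (100 + 300); the parent now delegates elsewhere.
    c.now = 400
    out["revalidation_due"] = c.revalidation_due(zone)
    out["consistent"] = c.revalidate(zone, [ns9], {ns9: ["192.0.2.9"]}, 300)
    out["reports"] = list(c.reports)
    out["cached_ns_after_revalidate"] = c.lookup(zone, "NS")
    return out


if __name__ == "__main__":
    print(demo())
```

The two halves of the abstract pull in opposite directions and the example shows why both are needed: preferring the child's authoritative data (steps 2 to 4) stops lower-ranked referral and glue data from displacing it, while the parent-side TTL clock (step 5) bounds how long a resolver keeps following a child NS set after the parent has re-delegated the zone, which is exactly the case in which a report is raised.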