[DNSOP] Re: Fwd: New Version Notification for draft-shetho-dnsop-ds-automation-00.txt
Peter Thomassen <peter@desec.io> Mon, 30 June 2025 16:33 UTC
Return-Path: <peter@desec.io>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id C36CF3BB252C; Mon, 30 Jun 2025 09:33:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.8
X-Spam-Level:
X-Spam-Status: No, score=-2.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=desec.io
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ilRMRreSRVxw; Mon, 30 Jun 2025 09:33:44 -0700 (PDT)
Received: from mail.a4a.de (mail.a4a.de [IPv6:2a01:4f8:10a:1d5c:8000::8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id EA10F3BB2517; Mon, 30 Jun 2025 09:33:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=desec.io; s=20170825; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:Cc:From: References:To:Subject:MIME-Version:Date:Message-ID:Sender:Reply-To:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe :List-Post:List-Owner:List-Archive; bh=UyQf65MKEzQYv+e84JxtEAZfGPKne4aoDrJ1cyNCai4=; b=dBGO7JtVbuYFELIHzDH2J4mx5k gItwssGFbJjTU45JADN0hv2iuxeC6jvaeFjksBkHtM2fikeRA/snfFa432WmFSReDSNq6pUV1MF4U 5pSvExTh41/kYJc08vGEXXgTUB5148EybFOMK8nwINcUcr660rxtwgYYDqp+teZh4rn9mhx0lNdOc j3pfQBwDxLBOv84TMO0vOEcSIF8w0+3XRM7Nbgk1dbE2Tshpz/CTK/4xkrj9XC40APitJWiDQ+3TB suKI8GMow6P0yq+SsPEgh+SPCjnNCkxWsvu2iRqYniY4Wh+dmrbxJ9yJvjgixMqpq5xJg/3JXVqiO kdcsikTw==;
Received: from business-90-187-67-221.pool2.vodafone-ip.de ([90.187.67.221] helo=[192.168.75.127]) by mail.a4a.de with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.97) (envelope-from <peter@desec.io>) id 1uWHRr-0000000AU2c-0n5q; Mon, 30 Jun 2025 18:33:39 +0200
Message-ID: <cfc47a22-7975-4ea2-96a1-1c3b929ac7b5@desec.io>
Date: Mon, 30 Jun 2025 18:33:37 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Oli Schacher <oli.schacher=40switch.ch@dmarc.ietf.org>, dnsop@ietf.org
References: <174603697634.303.14662649970778688067@dt-datatracker-58d4498dbd-6gzjf> <97cd4586-e113-4c0e-ad30-bc9dc59cdff4@desec.io> <CAAiTEH91AHDORNgT+YB2rKavNd9G3c0s3ZLCjPyW7=OT4XEqgA@mail.gmail.com> <fab0eb4e-f20e-4909-b14a-c813a1021ce2@switch.ch>
Content-Language: en-US, de-DE
From: Peter Thomassen <peter@desec.io>
Autocrypt: addr=peter@desec.io; keydata= xsFNBFRjVn0BEADXqtra70yxQrT4MQ9DEhN0mxG6XRAOHE6nP18mqxwSlcET7D6w+z3h4ole v0tyvUU02c2wg04X8WVfjoHnAvIa1dfUcNpB1+QmfFsw0xIJlbT1ogHkMiPQqR4ChDvE3ND/ 6YCS5+HT6hY+tfU+hpLsKw4l+u1Pg2NPVLYosET1jU84b7xhFnoicnCV3kUNltLtxLKSBAfk AXtp1AWWKJbfCr3y0qKElMriicoe5DUZfLrZK2iPcWBxh+n7KMO2g7aqx3aQqwW1+S7Sq7Is l6iSurYfIcHb4AfUy4o5nPB8kKACR6BuJmkEQ5WLuTGruWA2fcxaNpICmolMinTzW1CrIjgN PoskMYCNIZ2uWxS6LN8hBiGCRL4h9aL4wuT09SvR13oAPI1HD5ph+mH6wD37/ONBXrdjcFNb 1l/uVkHU/SwwcKDJOsX18T60Ao00fciTbFHgmKtFube0xGK/vjh461TyU+xKD8Orvyeovvxy MzCwM3UVq/dkdG2Ys/7Qy/4bUC1nJEwKlLv7ZTdtSckdoU2M6JpPX6i4KDB2YCMbwtqJ842z 8A/UuE2bL9aDimh/sF8WgPIhlxqF1STNqW1JTIbDPv8HeZnM4nyJOUWStj4uRiETQhBClPLz YWtnR+EUsfbSLy81vfupbMqRasDlt6aASobgn+K7Rb1Xs/mDnwARAQABzSBQZXRlciBUaG9t YXNzZW4gPHBldGVyQGRlc2VjLmlvPsLBeAQTAQIAIgUCVGNWfQIbIwYLCQgHAwIGFQgCCQoL BBYCAwECHgECF4AACgkQ79YUOj7yLS88Dg//SbHnFGrtaImEiM69wyj4GzWnuGk9/upCym/R RzdBALCYHU9FUFFHwusiO9A0pnO8qv/GEtqqTHrcL205a6FTivkdZmOsWuN4oo7r4HBc/taI FLLUDg2wd8q4m4387sYEqrc3olGfyRB6hrMtEWVJLXHJmpcrxAaI1F2QO4Bu7kcdTnyGFz/p ZD8XAof2TWHqJb2ux69DFhiAJeAZlV+h9QrxTedL84l4hq3x1VWsnOEFaCJiThDX920kTnhJ ijrDocgAbmQBCniPACpPHYhBhmCJxfVqgfMuLMNsukOmKxsGcGV6rO1zB5ZUhm3O/Ixk6ow3 6FDKALWihg6Z4P/cJYySMn0iqvHkO8ryT9oJKX//mKaYoF6henXDRLCcRjKwGxFQTEgX+6yc pjgvX3rlypjkPT5ho4yEc5ePkQ2gIIHhvZburm1Zr4nDPx6v8+3XUjpXBRTWQ8/0/h0rtLJe yOPwGJxcfKf/GutTCqiio0mS01mIY9c2i7JWcljlIuSEUit6CHotc5lBOm2GJwguRJG6cXPY SQecwBdcjH3RTzBOv/DN6xWAIV7BmbX/e7DSGAc60mBO1/M0ut+a6CkxRQK8TaE3B3zh1/QO nG0XvtZfIY8ZYdTrdEDSV1Pj5pof/fqhhegHRxN2qi4qIuVcrW0jsUsx10IgAynHR7qQKsvO wU0EVGNWfQEQAPBA8iPCS4ZRX8stW0WuW7579axSq/Luyik4MWDFalt68lzvUbV0f6faN15+ aV7VwMTw3rSa2tP0U8crYAAAZ5NrRHXlYms5BK9vsi1322dAvhyNRawdprP627SO+Ez/84tY xz1X3M9esbN7gpJtHP6mHW76zYpT447v6c2qlbldjobZTDb6kKSGFCIrPJz9M4jVfya+ovxe 2Ab7hn2R0CcyMHATV5g1Ry0XXaj5y3bWypActbG9nflRn3NjhHZynu+WEPDUJCO8kNVNYKOw HObNTeaLvgvU0ONB8pYJv35kDXMhZLwo5MJuJd5i54CXwpo9mECwLJT1RpJi7u98nBrWyyaH s2brG9LPCRKBKOhiHFu57H+cElh+kOvehuS7DFTzjqDwJlkQzP5Hq0G++hZxfdYocKdcdFoh RP3dtDAe+Lfiy9qzJicZ6ACbzoQIN58xj0VWAn1W7SuMErOjv84D/FiXHD2Kxtx09wQl8vH0 Nbh9UgyDBNupToM0ixT+8Ko8eBuYHR53RPxshQhFw4EMIhXiOaxNe1W2Z95QPnYhUGOMoy3I v4fxMQUHa4kZSF2qxsFB1Cxol/aBPGwkwoqUvzp23pLQtJ6youYXtLgvx3pR4L52Q5CUzHMa HvM67XWgW1KqtnvNBXN9PwtDz/a9fQX1YO4CegrXv8C9Ro+LABEBAAHCwV8EGAECAAkFAlRj Vn0CGwwACgkQ79YUOj7yLS8rXA/9EGX2QRfJS94JTdtseu7saTK9a3IKwk6E33GpfXyUVpMt sOqV756XQwULZSWoxInRQtWojA8pQxDUYrbA4MpX0Efr2Dx1xIsJ5F3JajOqViB1SbOD2m0f bxXbcoWKitsKoag2SlvNOd8rD9FcgDvrkacnaQZcZE8DyyGx0JU451tfoD/igu85NZpTDaWG 6fth7QRlxmdGWrGXRdXAP29jq1n0I1wIyF/bXlZ7MXjOSsfyPddzsnHFTvNMZKps0QXNF+hi ESg9chIeo/IFDDVu6pCtm6mftojx84rczTZiNk8r2T3TU4N8uwWtXn/nj9xd61pnxD0xkTPH zxJrCs59WSfYqj3aFNkWO3Lg0/HGnO9wHQKMXcGPsnKITHVzxCNBQtVHomNA7ds6Kt3/WJgS pU2ciICvrpvKgPNWQ0d/SeY3vYIRvDLZ12Svx6M3eXDrsgZOT5be7kGVr3t7dBOYKcRHkZUq kU1kCcgp0vetISVDOc5fkpdUkAtd5/13pIpz4ikVR3OM4Br4XMVShm6RvoP4pyA+ftCi1+bw 0UbRCrnHgnG+wtCf5nMDGVLc04vITnII+ESZqlF02a1IFj0Z2MuQK2Oszl2Nsx/LG60G1e/R pzKEXIIJgHfbwUCWtV1zQu6v9Ng5H8EqVeWcdaPUwSQMGcDg/sPa4s/OxhgrYBg=
In-Reply-To: <fab0eb4e-f20e-4909-b14a-c813a1021ce2@switch.ch>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: XBDURLPZGKB2J2EK5WTYIID4YHBWLLZ4
X-Message-ID-Hash: XBDURLPZGKB2J2EK5WTYIID4YHBWLLZ4
X-MailFrom: peter@desec.io
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Barbara Jantzen <barbara@desec.io>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: Fwd: New Version Notification for draft-shetho-dnsop-ds-automation-00.txt
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/PIdESH3YlAg7jtkI9coYnOMf18o>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>
Hi Oli, On 6/25/25 09:09, Oli Schacher wrote: > I agree with Matthew’s point that these may not always be 'best practices', but rather design decisions that depend on operational context. Fair point, at least at this stage. I've changed the draft status to Informational. > For example, the recommendation to send email notifications (Sections 2.2 and 3.2) did not prove practical for us at the .ch/li. registry. Based on on feedback from CZ.NIC and our own experience we concluded that this creates more confusion than benefit: > > - The DNS operator is often not the registrant; registrants don’t understand these mails. > - Bulk DNSSEC rollouts by large operators would generate massive amounts of email — effectively spam. > - DNSSEC failure can prevent mail delivery to the registrant’s own domain. > - Registries generally don’t have reliable contact info for DNS operators (SOA RNAME is not reliable). > - The error reporting logic (thresholds, cooldowns) requires significant state tracking. > - Many DNS errors (lame delegations, APEX CNAMEs, ...) are not directly related to DS automation but could still trigger mail in this context. > > We instead opted for a pull-based status portal, which avoids these issues. Those are good observations, and indeed those things might make email-based reporting impractical. Pull-based, OTOH, does not address situations where there is an "active need" to know. Perhaps, if this gets agenda time in Madrid and/or if the draft is adopted, we can see if we can think a little harder about this problem. Maybe there are ways nobody is thinking of. > Sections 2.5 and 3.5 suggest that registries scan and compare both CDS and CDNSKEY. While I agree that DNS operators should publish both and ensure they match, I don’t think registries should be required to query both. This increases the query load and processing without providing meaningful additional validation. Or is there a scenario where a CDS/CDNSKEY mismatch could break anything that is not handled by the existing validation requirements? Of course, one can imagine all kinds of bugs. For example, in a multi-provider setup, child-side signers have to co-publish each other's CDS/CDNSKEY records (or KSKs, and then derive the C* stuff). Depending on how that's done and who publishes what, one can end up with inconsistencies across the two types of RRsets. It's then certainly clear that neither the CDS nor the CDNSKEY "half of it" represents the domain holder's intent. But I admit this is somewhat constructed, and only caters to the most conservative perspective on DS updates. But, DNSSEC reputation suffers a lot from outages caused by misconfigurations, so there's some justification for being in the conservative camp. But not sure myself. That said, the query / processing load is expected to change only insignificantly. Although in a way it "doubles", that's *only* when there is a change. This is the same as with cross-auth consistency checking: if the first query confirms the status quo, no further queries need to be made. That is, only in the "tail of rare changes" is the load increased. Thought experiment: If for 98% of the zones, the first query confirms "no change", then the other 2% percent might get 2 CDS queries (on per NS), and -- with this recommendation -- two more CDNSKEY queries. That increases the overall load of the system by less than 2%. Best, Peter -- https://desec.io/
- [DNSOP] Fwd: New Version Notification for draft-s… Peter Thomassen
- [DNSOP] Re: Fwd: New Version Notification for dra… Matthew Pounsett
- [DNSOP] Re: Fwd: New Version Notification for dra… Peter Thomassen
- [DNSOP] Re: Fwd: New Version Notification for dra… Matthijs Mekking
- [DNSOP] Re: Fwd: New Version Notification for dra… Oli Schacher
- [DNSOP] Re: Fwd: New Version Notification for dra… Peter Thomassen
- [DNSOP] Re: Fwd: New Version Notification for dra… Peter Thomassen
- [DNSOP] Re: Fwd: New Version Notification for dra… Matthijs Mekking
- [DNSOP] Re: Fwd: New Version Notification for dra… Peter Thomassen
- [DNSOP] Re: Fwd: New Version Notification for dra… Peter Thomassen
- [DNSOP] Re: Fwd: New Version Notification for dra… Peter Thomassen
- [DNSOP] Re: Fwd: New Version Notification for dra… Steve Crocker