Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-dnssec-validator-requirements
Stephane Bortzmeyer <bortzmeyer@nic.fr> Wed, 06 May 2020 08:48 UTC
Date: Wed, 06 May 2020 10:48:36 +0200
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Tim Wicinski <tjw.ietf@gmail.com>
Cc: dnsop <dnsop@ietf.org>, dnsop-chairs <dnsop-chairs@ietf.org>
Message-ID: <20200506084836.GA14813@nic.fr>
References: <CADyWQ+HTU92FYYFvogsur9jSZ+qj03PWPVNbiWSe4g_zCn=5wg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/PMFQvBQ48bjQFKMBafPllxKtQwg>
On Mon, May 04, 2020 at 03:08:20PM -0400, Tim Wicinski <tjw.ietf@gmail.com> wrote a message of 64 lines which said:

> This starts a Call for Adoption for
> draft-mglt-dnsop-dnssec-validator-requirements

I think it is important to have such a document, because DNSSEC failures may seriously endanger the deployment of DNSSEC (which is already too low). The current draft seems a good starting point and I support its adoption. I'm willing to review.

Let's start immediately with -09: draft-ietf-dnsop-extended-error (recently approved by the IESG) should be mentioned, since one of the biggest operational problems with DNSSEC is the difficulty of understanding why a resolver returns a SERVFAIL to you.

> More often, to date, failed validation is due to operator error and
> not an attempt to forge data.

It can be a bug in software, too. Especially with complicated things like NSEC3+optout+ENT+dynupdate :-{

The draft apparently does not mention advice on expiration slack (such as val-sig-skew-min and val-sig-skew-max in Unbound). Is there a consensus on (I quote the Unbound documentation) "The signature inception and expiration dates are allowed to be off by 10% of the signature lifetime"?

> However, a DNSSEC validator is not able to determine other than by
> trying whether a signature scheme is supported by the authoritative
> server.

This one is unclear. First, the signer is not always an authoritative server; the signature can be done offline. Second, querying the DNSKEY is enough, no? (Or querying the signatures, but I assume a zone won't publish a DNSKEY without being able to sign with this algorithm.)

Section 12 "Invalid Reporting Recommendations" is questionable. Since most DNSSEC validation errors are not attacks, reporting these errors may overload the DRO with problems she can do nothing about. Monitoring is a good idea, but monitoring what? "Important" (for the DRO) domains?

Also, the draft has many, it seems, grammar / language problems.
("This introduces a potentially huge vector for configuration errors, but due to human intervention as well as potential misunderstanding of ongoing operations.")
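As an added illustration (not part of the message above, nor Unbound's own code) of the expiration slack the message asks about and of the SERVFAIL explanation that extended errors give: the function below applies the documented Unbound rule (10% of the signature lifetime, bounded by val-sig-skew-min and val-sig-skew-max, whose defaults of 3600 and 86400 seconds are assumed from unbound.conf(5)) and maps a time failure to the Extended DNS Error code from RFC 8914, the published draft-ietf-dnsop-extended-error. The class and function names are mine; the RRSIG values in the usage are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed defaults, taken from the unbound.conf(5) documentation.
VAL_SIG_SKEW_MIN = 3600
VAL_SIG_SKEW_MAX = 86400

# Extended DNS Error codes (RFC 8914) relevant to signature time checks.
EDE_SIGNATURE_EXPIRED = 7
EDE_SIGNATURE_NOT_YET_VALID = 8


@dataclass(frozen=True)
class Rrsig:
    """Only the RRSIG fields needed here (RFC 4034 section 3.1.5), as epoch seconds."""
    inception: int
    expiration: int


def parse_rrsig_time(text: str) -> int:
    """Convert the YYYYMMDDHHmmSS presentation form (RFC 4034 section 3.2) to epoch seconds."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def allowed_skew(sig: Rrsig, skew_min: int = VAL_SIG_SKEW_MIN,
                 skew_max: int = VAL_SIG_SKEW_MAX) -> int:
    """10% of the signature lifetime, clamped to [skew_min, skew_max]."""
    lifetime = sig.expiration - sig.inception
    return max(skew_min, min(skew_max, lifetime // 10))


def check_rrsig_time(sig: Rrsig, now: int, skew_min: int = VAL_SIG_SKEW_MIN,
                     skew_max: int = VAL_SIG_SKEW_MAX):
    """Return (status, ede_code); ede_code is None when the times are acceptable.

    A validator that answers SERVFAIL would attach the EDE code so the client
    can tell an expired signature from a not-yet-valid one.
    """
    skew = allowed_skew(sig, skew_min, skew_max)
    if now < sig.inception - skew:
        return "not_yet_valid", EDE_SIGNATURE_NOT_YET_VALID
    if now > sig.expiration + skew:
        return "expired", EDE_SIGNATURE_EXPIRED
    return "valid", None


if __name__ == "__main__":
    # Constructed RRSIG with a two-day lifetime: 10% is 17280 s, inside the clamp.
    sig = Rrsig(parse_rrsig_time("20200504000000"), parse_rrsig_time("20200506000000"))
    print(allowed_skew(sig), check_rrsig_time(sig, sig.expiration + 17281))
```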