Re: [DNSOP] [Ext] DNSSEC Strict Mode

Ben Schwartz <bemasc@google.com> Wed, 24 February 2021 21:38 UTC

From: Ben Schwartz <bemasc@google.com>
Date: Wed, 24 Feb 2021 16:38:06 -0500
Message-ID: <CAHbrMsA5FQzrPs_jpiWNB2ewsMpm9dx-me7tu_Js0Etzpp1+rg@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/SIeBs4he0B4n6Abw3Jpx4xW05NE>
Subject: Re: [DNSOP] [Ext] DNSSEC Strict Mode

On Wed, Feb 24, 2021 at 11:56 AM Paul Wouters <paul@nohats.ca> wrote:
...

> The "strict mode" seems to
> be originating from a belief that having two algorithms in the zone,
> either briefly during migration, or permanently to satisfy multiple
> government requirements, is a problem.


Agreed.  At least, that's one of the reasons.

...

> > I think, at core, there's a philosophical question here.  Do we intend
> > for DNSSEC to actually be used for critical security in open
> > systems?  If so, it will have to work like TLS: a 1% failure rate will
> > be utterly intolerable, so servers will have to retain support
> > for the 99th percentile of awful ancient clients.
>
> No, because the failure mode of no longer trusting obsoleted DNSSEC
> algorithms is to treat them as "unsigned". So there is no failure
> rate of any percentage.
>

If your system continues to function when records are unsigned, then you
are not using DNSSEC for critical security.
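The disagreement above turns on what a validator does when a zone carries several algorithms and the resolver has dropped trust in one of them. The following model, added here as an illustration and not code from the thread or from any draft, contrasts the current rule (RFC 6840 section 5.11: one verified signature from any supported DS algorithm is enough, and a zone whose DS algorithms are all unsupported is treated as unsigned) with a "strict mode" in which every supported algorithm listed in the DS set must verify. The algorithm numbers are IANA values; the strict-mode semantics are an assumption modelled from the discussion.

```python
from enum import Enum

# IANA DNSSEC algorithm numbers used for the examples below.
RSASHA1 = 5        # deprecated; the kind of algorithm a resolver may stop trusting
RSASHA256 = 8
ECDSAP256SHA256 = 13


class Outcome(Enum):
    SECURE = "secure"
    INSECURE = "insecure"   # validator treats the zone as unsigned
    BOGUS = "bogus"         # validation attempted and failed; answer is dropped


def classify(ds_algorithms, supported, verified_algorithms, strict=False):
    """Classify a zone from the validator's point of view.

    ds_algorithms:        algorithms present in the parent's DS RRset
    supported:            algorithms this resolver still trusts
    verified_algorithms:  algorithms for which an RRSIG over the answer verified
    strict:               False = RFC 6840 liberal rule, True = assumed strict mode
    """
    usable = set(ds_algorithms) & set(supported)
    if not usable:
        # No DS algorithm the resolver trusts: RFC 6840 says treat as unsigned.
        # This is the "no failure rate" outcome described in the thread.
        return Outcome.INSECURE
    verified = usable & set(verified_algorithms)
    if strict:
        # Strict mode: every trusted algorithm in the DS set must verify.
        return Outcome.SECURE if verified == usable else Outcome.BOGUS
    # Liberal rule: any one verified signature is sufficient.
    return Outcome.SECURE if verified else Outcome.BOGUS


def obsolete_only_zone():
    """A zone still signed only with RSASHA1 after a resolver drops it."""
    return classify([RSASHA1], {RSASHA256, ECDSAP256SHA256}, [RSASHA1])


def mid_migration(strict):
    """Zone lists both algorithms in DS but only the new one signed this RRset."""
    return classify([RSASHA256, ECDSAP256SHA256], {RSASHA256, ECDSAP256SHA256},
                    [ECDSAP256SHA256], strict=strict)


if __name__ == "__main__":
    print("obsolete-only zone:", obsolete_only_zone().value)          # insecure
    print("mid-migration, liberal:", mid_migration(False).value)      # secure
    print("mid-migration, strict:", mid_migration(True).value)        # bogus
```

The first case is the point made in the quoted reply: dropping an obsolete algorithm silently downgrades the zone to unsigned rather than producing a validation failure, which is exactly why the response argues that such a deployment is not relying on DNSSEC for critical security.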