[DNSOP] Re: New Version Notification for draft-yorgos-dnsop-dry-run-dnssec-02.txt
Mark Andrews <marka@isc.org> Thu, 18 July 2024 23:42 UTC
To: "libor.peltan" <libor.peltan@nic.cz>
CC: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>, dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/TyLTZY2-KDK_oXpThLtD2hF2L3c>
I really don't see the need for dry run at all, as hundreds of thousands of zones have been signed without it, but if it is going to exist we don't need to halve the small code point space, which is the natural result of not doing something like I'm suggesting.

One can test if the zone is properly signed by installing trust anchors in recursive servers you control and having your applications use them. This is much less complicated than expecting validators to be updated to soft fail on this/these new algorithm(s). They are already complicated pieces of software that have to check lots of things. Adding more to this will make them even more complicated. Remember answers come from multiple zones and they depend on even more zones. DMARC is trivial compared to DNSSEC validation.

What does it mean if a parent zone turns on dry run?

People keep mentioning DMARC. That is trivial compared to this.

-- 
Mark Andrews

> On 18 Jul 2024, at 18:47, libor.peltan <libor.peltan@nic.cz> wrote:
> 
> My point was that
> 
> example.com. IN DS 49172 13 130 e2c8c32fb3c40586e0dabc367bfde4368b8dff52a7ffc60f619c720ec7767320
> example.com. IN DS 49172 13 2 e2c8c32fb3c40586e0dabc367bfde4368b8dff52a7ffc60f619c720ec7767320
> 
> is more equivalent (i.e. the change from the first to the second looks safer and more straightforward) than
> 
> example.com. IN DS 49172 13 7 02e2c8c32fb3c40586e0dabc367bfde4368b8dff52a7ffc60f619c720ec7767320
> example.com. IN DS 49172 13 2 e2c8c32fb3c40586e0dabc367bfde4368b8dff52a7ffc60f619c720ec7767320
> 
> /Libor
> 
> On 18 Jul 2024 at 10:27, Mark Andrews wrote:
>> It would look like a regular DS. The only difference would be that the first byte of the digest would contain the sub type. This is just internal structure of the digest.
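As an added illustration of the two DS encodings compared in Libor's quoted message (this is not code from the draft or from either author): the parser below unwraps both candidate forms to the production DS and lists which presentation fields change when dry-run is switched off. It assumes the flag-bit form (digest type 128 + N, so 130 means dry-run SHA-256) and the sub-type form (placeholder digest type 7 whose first digest octet carries the real digest type), neither of which is an IANA assignment.

```python
import binascii
from dataclasses import dataclass

# Two candidate encodings from the thread (assumptions for this example, not IANA assignments):
#  - flag-bit form: digest type 128 + N means "dry-run DS for real digest type N" (130 = SHA-256)
#  - sub-type form: one new digest type (7, the placeholder in Libor's example) whose first
#    digest octet carries the real digest type, followed by the real digest
DRY_RUN_FLAG = 0x80
DRY_RUN_SUBTYPE_DT = 7
DIGEST_LEN = {1: 20, 2: 32, 4: 48}  # SHA-1, SHA-256, SHA-384 digest sizes in octets

@dataclass
class DS:
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int   # the digest type the DS would use in production
    digest: bytes
    dry_run: bool

def parse_ds(line: str) -> DS:
    """Parse one DS record in presentation format and unwrap either dry-run encoding."""
    owner, cls, rrtype, tag, alg, dt, hexdigest = line.split()
    if cls != "IN" or rrtype != "DS":
        raise ValueError("not a DS record")
    tag, alg, dt = int(tag), int(alg), int(dt)
    digest = binascii.unhexlify(hexdigest)
    dry_run = False
    if dt == DRY_RUN_SUBTYPE_DT:          # sub-type form: real digest type is the first octet
        dt, digest, dry_run = digest[0], digest[1:], True
    elif dt & DRY_RUN_FLAG:               # flag-bit form: clear the flag to get the real type
        dt, dry_run = dt & 0x7F, True
    if dt in DIGEST_LEN and len(digest) != DIGEST_LEN[dt]:
        raise ValueError(f"digest type {dt} expects {DIGEST_LEN[dt]} octets, got {len(digest)}")
    return DS(owner, tag, alg, dt, digest, dry_run)

def production_form(ds: DS) -> str:
    """Presentation of the DS as it would be published once dry-run is switched off."""
    return f"{ds.owner} IN DS {ds.key_tag} {ds.algorithm} {ds.digest_type} {ds.digest.hex()}"

# Sample records constructed from Libor's examples in the thread
FLAG_FORM = "example.com. IN DS 49172 13 130 e2c8c32fb3c40586e0dabc367bfde4368b8dff52a7ffc60f619c720ec7767320"
SUBTYPE_FORM = "example.com. IN DS 49172 13 7 02e2c8c32fb3c40586e0dabc367bfde4368b8dff52a7ffc60f619c720ec7767320"
PRODUCTION = "example.com. IN DS 49172 13 2 e2c8c32fb3c40586e0dabc367bfde4368b8dff52a7ffc60f619c720ec7767320"

def fields_changed(before: str, after: str) -> list:
    """Presentation fields that differ between two DS lines (how big the switch-over edit is)."""
    names = ["owner", "class", "type", "key_tag", "algorithm", "digest_type", "digest"]
    return [n for n, a, b in zip(names, before.split(), after.split()) if a != b]
```

Running `production_form(parse_ds(FLAG_FORM))` and `production_form(parse_ds(SUBTYPE_FORM))` both yield `PRODUCTION`, while `fields_changed` shows the flag-bit form differs from it in the digest type only and the sub-type form in both digest type and digest.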