Re: [DNSOP] [Ext] DNSSEC Strict Mode
Brian Dickson <brian.peter.dickson@gmail.com> Wed, 24 February 2021 23:57 UTC
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Wed, 24 Feb 2021 15:57:26 -0800
Message-ID: <CAH1iCipf1gD0s_5y470gGyiSJS6+BeAEtVM_PP2okz=iaNvyig@mail.gmail.com>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
Cc: Mark Andrews <marka@isc.org>, dnsop <dnsop@ietf.org>, Ulrich Wisser <ulrich@wisser.se>, Samuel Weiler <weiler@watson.org>, Paul Hoffman <paul.hoffman@icann.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/UF7jw3AkEhXO7rAT9ByIvzJUsls>
On Wed, Feb 24, 2021 at 2:14 PM Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> wrote:

> On Wed, Feb 24, 2021 at 4:44 PM Mark Andrews <marka@isc.org> wrote:
>
>> > On 25 Feb 2021, at 02:01, Ulrich Wisser <ulrich=40wisser.se@dmarc.ietf.org> wrote:
>> > ...
>> > At the current state of dnssec RFC definitions it is unclear how you could change DNS operators securely if these operators do not sign the zone with the same algorithm.
>>
>> You can’t do that as the logic doesn’t allow it. Perform algorithm rolls to and from mandatory to implement algorithms before and after the move if necessary.
>
> What if you set all TTLs to zero on both sides until the transition is complete?

That's not possible. The DS records are on the parent side (TLD) and the TTL is set by the TLD per whatever their standard policy is. Same for RRSIGs over those DS records.

Brian
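As an added illustration (not code from anyone in this thread), the following Python models the two constraints the exchange turns on: a validator expects every algorithm named in the parent's DS RRset to be backed by a DNSKEY and by RRSIGs in the child zone (RFC 4035 section 2.2, RFC 6840 section 5.11), and the child cannot shorten the parent's DS TTL, so an old DS stays cached for that TTL. The scenario values (algorithms 8 and 13, a 24-hour DS TTL) are constructed; the timing helper is a simplification of the RFC 6781 guidance, not a registry's actual policy.

```python
def step_is_valid(ds_algs, dnskey_algs, rrsig_algs):
    """True if a validator that supports all listed algorithms accepts the zone
    in this state. ds_algs: algorithms in the parent's DS RRset; dnskey_algs:
    algorithms in the apex DNSKEY RRset; rrsig_algs: algorithms that sign
    every RRset in the zone."""
    ds, keys, sigs = set(ds_algs), set(dnskey_algs), set(rrsig_algs)
    if not ds:                 # no DS at the parent: insecure delegation, nothing to check
        return True
    if not ds <= keys:         # RFC 6840 s5.11: a DS algorithm with no matching DNSKEY
        return False
    return keys <= sigs        # RFC 4035 s2.2: each DNSKEY algorithm must sign every RRset


def plan_is_valid(steps):
    """A plan is a list of (ds_algs, dnskey_algs, rrsig_algs) states in order;
    every intermediate state must validate, not just the first and last."""
    return all(step_is_valid(*state) for state in steps)


def earliest_old_ds_removal(parent_ds_ttl, parent_publish_delay):
    """Seconds, after the parent accepts the new DS, before the old operator's
    keys may safely disappear: the parent's DS TTL (which the child cannot
    override, as Brian notes) plus the parent's own publication delay."""
    return parent_ds_ttl + parent_publish_delay


# Constructed scenario: the old operator signs with RSASHA256 (8), the new one
# with ECDSAP256SHA256 (13). Moving straight across leaves a DS for algorithm 8
# while the zone no longer carries an algorithm-8 key: bogus for validators.
NAIVE_MOVE = [
    ({8}, {8}, {8}),            # before the move: old operator only
    ({8, 13}, {13}, {13}),      # parent has DS for both, zone only has alg 13
    ({13}, {13}, {13}),         # after the parent drops the alg-8 DS
]

# The approach Mark Andrews describes: roll algorithms at the old operator
# first (double-sign, add DS, retire the old DS), then hand over.
ROLL_THEN_MOVE = [
    ({8}, {8}, {8}),
    ({8}, {8, 13}, {8, 13}),        # publish alg-13 keys and double-sign
    ({8, 13}, {8, 13}, {8, 13}),    # parent adds DS for 13
    ({13}, {8, 13}, {8, 13}),       # parent drops DS for 8 once its TTL has passed
    ({13}, {13}, {13}),             # new operator signs with 13 only
]

if __name__ == "__main__":
    print("naive move valid:", plan_is_valid(NAIVE_MOVE))
    print("roll-then-move valid:", plan_is_valid(ROLL_THEN_MOVE))
    print("wait before retiring old keys (s):", earliest_old_ds_removal(86400, 3600))
```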