Re: [DNSOP] I-D Action: draft-ietf-dnsop-negative-trust-anchors-00.txt
Warren Kumari <warren@kumari.net> Wed, 04 March 2015 19:48 UTC
Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F6EF1AC425 for <dnsop@ietfa.amsl.com>; Wed, 4 Mar 2015 11:48:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.578
X-Spam-Level:
X-Spam-Status: No, score=-0.578 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vxCi-F7jIsG4 for <dnsop@ietfa.amsl.com>; Wed, 4 Mar 2015 11:48:48 -0800 (PST)
Received: from mail-we0-f172.google.com (mail-we0-f172.google.com [74.125.82.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 618901A88D0 for <dnsop@ietf.org>; Wed, 4 Mar 2015 11:48:48 -0800 (PST)
Received: by wevm14 with SMTP id m14so48580209wev.8 for <dnsop@ietf.org>; Wed, 04 Mar 2015 11:48:47 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=hRaZ28ibtbVv7WnIUuiPWncAmLIgSkQRJa1tQmi0ewc=; b=YZf9w++1eFVfjDaCzZi9nrfhqH4Z6IiOaCDKnStHj35Bw5JkiiVimGmbJV4XRrtb4g 53uS5OiJalTalSVPN7NW98r5RTBjqIXqyErHP8qD6u+0MSxYBwbm0PMiHsHXUsNa2NYr G/vkDLJEW4GwqcCW5WAZTCf39OntB7K0FcZcmHvS/P2yNrt7IVxnGj2gZYwgL9gWn73B 593Qs8OQRawBdJIehbwO+x5bIsTREdjTwjUyPsPoabBleFZxH+miz+VcjuYEfxfaXVDa tZh2jDIqMsXwOgx9dd20VqMcO/RBgPJJkck8mVzeJTu9wIhNr6VyYMS5EvZNKnwp2QcQ X2sQ==
X-Gm-Message-State: ALoCoQlgaXA7rfmN3UxutTglNwkV2NUOGF6RxRgpZ2sP+llpuRrZGp+oEwYxjcck1MwC2ilPbXED
MIME-Version: 1.0
X-Received: by 10.180.85.70 with SMTP id f6mr4687469wiz.22.1425498526902; Wed, 04 Mar 2015 11:48:46 -0800 (PST)
Received: by 10.194.155.2 with HTTP; Wed, 4 Mar 2015 11:48:46 -0800 (PST)
In-Reply-To: <20141216175703.GA68757@isc.org>
References: <20141216011517.21875.32371.idtracker@ietfa.amsl.com> <A086A53B-5187-4498-8BE3-117CFD203DC6@nic.br> <alpine.LSU.2.00.1412161043250.26100@hermes-1.csi.cam.ac.uk> <20141216175703.GA68757@isc.org>
Date: Wed, 04 Mar 2015 14:48:46 -0500
Message-ID: <CAHw9_iLh-CRSFqhvSoDid2ZpS76NDUzmkLYdPhrLYr+2nHw5OQ@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
To: Evan Hunt <each@isc.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/VCTzS1HvzrBYYxquZFksJKG006s>
Cc: Tony Finch <dot@dotat.at>, dnsop <dnsop@ietf.org>, Rubens Kuhl <rubensk@nic.br>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-negative-trust-anchors-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Mar 2015 19:48:50 -0000
[ Apologies for delay in getting to these. The draft-cutoff is a wonderful motivator! ] On Tue, Dec 16, 2014 at 12:57 PM, Evan Hunt <each@isc.org> wrote: > On Tue, Dec 16, 2014 at 10:47:33AM +0000, Tony Finch wrote: >> That is a good point. Happily I think the draft already makes it hard for >> operators to do that, since an NTA will be automatically removed if its >> zone validates (section 10). > > Thank you for pointing this out, Tony; I'd missed it when I read the draft, > and it would have been embarrassing if I'd gone ahead and posted my planned > comment to the effect that there ought to be text like this. :) > > > I will revise my planned comments to say there ought to be MORE text > like this. Mwah, weasel words :-) DONE. > > First, some clarification of of "attempt to validate the zone" is probably > called for. A resolver can't validate the entire zone; it can only spot- > check. BIND's method, for the record, is to send a periodic query for type > SOA at the NTA node; if it gets a response that it can validate (whether > the response was an actual SOA answer or a NOERROR/NODATA with appropriate > NSEC/NSEC3 records, which would imply that the NTA was placed at a node > which was not a zone cut [1]), the NTA is presumed no longer to be necessary > and is removed. (Note that under some circumstances, this is undesirable > behavior -- for example, if www.example.com had a bad signature, but > example.com/SOA was fine -- so we also provide a "force" option to set an > NTA which is *not* subject to this periodic spot-check.) DONE. Thanks for the text, I stole much of it, while making it clear that this is one way of implementing this. > > Second, I would upgrade the recommendation from "optimally this is > automatic" to at least a SHOULD, and maybe a MUST. DONE. > > Third, it's implied in section 8, but I would add to section 10 that > NTAs MUST expire automatically when their configured lifetime ends, and > that this lifetime MUST NOT exceed a week. DONE. I did this as a SHOULD, but could be convinced to change it to a MUST. I think that the operator running the recursive server has the final say, and so am uncomfortable forcing with a MUST, but am very much on the fence here. > My biggest fear with NTAs is > that someone will configure one and then forget about it forever. There > should be an expiry date associated with every NTA, and it should be > enforced by code. DONE. Oh, ok, I've been convinced and have changed the above SHOULD to a MUST :-) > > One final comment: in appendix A.2, the "rndc nta" description is > outdated and should now read: > > nta -dump > List all negative trust anchors. > nta [-lifetime duration] [-force] domain [view] > Set a negative trust anchor, disabling DNSSEC validation > for the given domain. > Using -lifetime specifies the duration of the NTA, up > to one week. The default is one hour. > Using -force prevents the NTA from expiring before its > full lifetime, even if the domain can validate sooner. > nta -remove domain [view] > Remove a negative trust anchor, re-enabling validation > for the given domain. DONE. Excellent, thank you for the text. W > > [1] ... which we presume to be legal, but maybe ought to be clarified > in the draft. Trust anchors are always at a zone apex; negative trust > anchors don't strictly need to be. > > -- > Evan Hunt -- each@isc.org > Internet Systems Consortium, Inc. > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
- [DNSOP] I-D Action: draft-ietf-dnsop-negative-tru… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-negative… Rubens Kuhl
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-negative… Tony Finch
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-negative… Warren Kumari
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-negative… Evan Hunt
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-negative… Rubens Kuhl
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-negative… Warren Kumari