Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-10 and AD

Geoff Huston <gih@apnic.net> Tue, 03 April 2018 21:37 UTC

From: Geoff Huston <gih@apnic.net>
In-Reply-To: <D19F6299-922A-4DCE-8E95-85CA72E63129@vpnc.org>
Date: Wed, 04 Apr 2018 07:36:55 +1000
Cc: dnsop <dnsop@ietf.org>
Message-Id: <A4AA3F56-12A5-4951-B01A-450B493E0E4A@apnic.net>
References: <039408B0-89EE-4038-B9C9-CBCC35EC24EC@isc.org> <64816369-700A-4413-B1F0-160FB145EE6C@gmail.com> <BF3E4F4D-027C-4A2B-8026-14AF3FBA4603@isc.org> <2F103A8E-72F6-4159-900D-B7006D0AC647@gmail.com> <6D617FAC-D981-4AE1-8943-4F0D12C46397@vpnc.org> <0B0775D9-B5E6-4778-A199-FE4D09A0BE17@apnic.net> <D19F6299-922A-4DCE-8E95-85CA72E63129@vpnc.org>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/XUffusjj9ydq2SsgSEVKeBcVAG0>
Subject: Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-10 and AD


> On 4 Apr 2018, at 7:11 am, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> 
> On 3 Apr 2018, at 13:45, Geoff Huston wrote:
> 
>> Is the wording “that the resolver has to do DNSSEC validation on what it gets back from the authoritative server *regardless* of whether the originating client requests it?” a clarification that updates the validation behaviours as specified in RFC4035 and RFC6840 as to when a security aware resolver performs validation? Or merely a clarification of the precondition in the context of the sentinel behaviour but of no wider import?
> 
> The latter. Otherwise, someone reading the document might not understand that the response must be validated no matter what.


So you are saying that the document should revert to the wording:

   All of the following conditions must be met to trigger special
   processing inside resolver code:

   o  The DNS response is DNSSEC validated, regardless of whether
      DNSSEC validation was requested.

   o  The result of validation is "Secure".

   o  The QTYPE is either A or AAAA (Query Type value 1 or 28).

   o  The OPCODE is QUERY.

   o  The leftmost label of the original QNAME (the name sent in the
      Question Section in the original query) is either
      "root-key-sentinel-is-ta-<key-tag>" or
      "root-key-sentinel-not-ta-<key-tag>".


(I’ve split the initial condition into two explicit preconditions to be consistent with the rest of the enumerated list)

Any objections to this from the WG? I'll wait for 24 hours and then post this wording as version 11 unless the WG says otherwise.

Thanks,

  Geoff
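Added example, not from the draft or from the author: a resolver-side check of the five preconditions quoted in the message above, returning which sentinel form matched and the key tag. It assumes the key tag is a decimal integer in the 16-bit key tag range, that labels compare case-insensitively (as DNS names do), and that the resolver's validator hands in whether the response was validated and with what result; the sample query names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# QTYPE values named in the draft text: A = 1, AAAA = 28
QTYPE_A = 1
QTYPE_AAAA = 28
OPCODE_QUERY = 0  # standard DNS OPCODE value for QUERY (RFC 1035)

# The two sentinel label forms from the quoted wording
IS_TA_PREFIX = "root-key-sentinel-is-ta-"
NOT_TA_PREFIX = "root-key-sentinel-not-ta-"

@dataclass(frozen=True)
class SentinelMatch:
    claims_is_ta: bool   # True for the "is-ta" form, False for "not-ta"
    key_tag: int

def parse_sentinel_label(qname: str) -> Optional[SentinelMatch]:
    """Match only the LEFTMOST label of the original QNAME, as the text requires."""
    name = qname.rstrip(".")
    if not name:
        return None
    label = name.split(".", 1)[0].lower()   # DNS labels compare case-insensitively
    for prefix, is_ta in ((IS_TA_PREFIX, True), (NOT_TA_PREFIX, False)):
        if label.startswith(prefix):
            tag = label[len(prefix):]
            # Assumption: <key-tag> is decimal digits within the 16-bit key tag range
            if tag.isdigit() and int(tag) <= 65535:
                return SentinelMatch(is_ta, int(tag))
            return None          # prefix present but no usable key tag: not a sentinel
    return None

def sentinel_preconditions_met(qname: str, qtype: int, opcode: int,
                               validated: bool, validation_result: str,
                               client_requested_validation: bool) -> Optional[SentinelMatch]:
    """Return a SentinelMatch only when every listed precondition holds.

    client_requested_validation is deliberately not consulted: the response must
    have been validated regardless of whether the client asked for it.
    """
    del client_requested_validation
    if opcode != OPCODE_QUERY:
        return None
    if qtype not in (QTYPE_A, QTYPE_AAAA):
        return None
    if not validated or validation_result != "Secure":
        return None
    return parse_sentinel_label(qname)

# Constructed sample: an A query for the "is-ta" form with a made-up key tag 12345
SAMPLE = sentinel_preconditions_met("root-key-sentinel-is-ta-12345.example.",
                                    QTYPE_A, OPCODE_QUERY, True, "Secure", False)
```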