Re: [DNSOP] signalling mandatory DNSSEC in the parent zone
Ben Schwartz <bemasc@google.com> Mon, 01 March 2021 16:12 UTC
Return-Path: <bemasc@google.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E658B3A1EE6 for <dnsop@ietfa.amsl.com>; Mon, 1 Mar 2021 08:12:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 833Sy1LL-bpL for <dnsop@ietfa.amsl.com>; Mon, 1 Mar 2021 08:11:59 -0800 (PST)
Received: from mail-wr1-x430.google.com (mail-wr1-x430.google.com [IPv6:2a00:1450:4864:20::430]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5EBD03A1EE4 for <DNSOP@ietf.org>; Mon, 1 Mar 2021 08:11:59 -0800 (PST)
Received: by mail-wr1-x430.google.com with SMTP id l12so16741847wry.2 for <DNSOP@ietf.org>; Mon, 01 Mar 2021 08:11:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6uZXfYhjiqYtM+jXR9UTLcBOPrkXaHRPuCLv5Gk51E0=; b=A8ATNF2xjS13Zc+Es4Mstj42z5g6NCfLinPTEqmmfiEb0/6gHtfg1f6LQjswWfzA4m J2FmU+3bDvWSKC78N8vSnGz055r4Jx1l2ARPXFiKRJLjAHmlMhTT9wZq8YewDLAWVKlA z1omWrx0a9zs9AEPt5S0ctpB+Oz/dCwWV2Wldbj3nMHf0bDVUjG+whW3ESaDSPqDxrnE VlLiZfmNPN3Vog2CvSHQSdUcqbv0TfRsx6SP5HkLhM0TdYvfbI1WyqxTNvdxuG8kMdS4 FpCkgnX2KMyaeUT4vQgQxAqCpRk3spYhtMExO//wKtm2aDTJs5/G8iaCM+nx9h2srwkY iRZg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6uZXfYhjiqYtM+jXR9UTLcBOPrkXaHRPuCLv5Gk51E0=; b=DlLtSSde3i+lGbzyScE/b/DTiA8XwPwRZeDGokQNU7F7EE+3sCT9+Vd8c71afpJfPl MK2OKgr/LtLPfAMG0/0wCFXcc4YLgJJZPKV6b8bGYB7uDaA7O01LD0P4licZGcGsz8Uy MfxHoeb/PRMj2RQehmM+bb7P20LCDL3/C0klkaNHEc9JmvwDSbelGBZz1t3R0bPjRjzK PCfJvoDi/8ZfUHPtmf3yjOv2NOqMl2gei6VdJLdg3daYe+7HJVNRyezWAcvBLeZNTB24 c8LLYzN4+4R3gZxIthJWv/Mhw3BpPi0Sop1LcURFLd9aBULHYxJUl/Dgceok5vu6Ov89 AULg==
X-Gm-Message-State: AOAM533pVtUzsGS0sm7EW1aZ/5dCZN4dVIx1NxXqLLckIwUzPQl89yQd tsVvJIxDf6yAprlfuo3s3UlGHvYQaTNHV3sPGFTiiAMKG1M=
X-Google-Smtp-Source: ABdhPJyjt7h3K9429i2q3xEOU3u+Fmd+wqKduAwe61TmhqMHYQ0m6MKvfRHjs8dS3KRT7xTFFRXKcBvW6CQW67fEqnM=
X-Received: by 2002:adf:e412:: with SMTP id g18mr17879221wrm.159.1614615116110; Mon, 01 Mar 2021 08:11:56 -0800 (PST)
MIME-Version: 1.0
References: <4C3B1EF7-D37F-40D4-9C39-70FADF2B71CC@wisser.se> <789EBF89-24CC-452A-A1D0-AE5583D6A476@wisser.se> <A148F043-6DC6-47B0-B6B0-F112BF346E73@rfc1035.com> <3679416F-914B-41B5-A8D6-93993BEDA65C@wisser.se>
In-Reply-To: <3679416F-914B-41B5-A8D6-93993BEDA65C@wisser.se>
From: Ben Schwartz <bemasc@google.com>
Date: Mon, 01 Mar 2021 11:11:44 -0500
Message-ID: <CAHbrMsD_4sHSJ_1eRCpBz_+PqfkNvkGgx6Gfe8-OQNBRe5bEZg@mail.gmail.com>
To: Ulrich Wisser <ulrich=40wisser.se@dmarc.ietf.org>
Cc: Jim Reid <jim@rfc1035.com>, dnsop <DNSOP@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="00000000000077afb105bc7be083"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/YJGrXUE-68kHmQAlL3jb-prNsz8>
Subject: Re: [DNSOP] signalling mandatory DNSSEC in the parent zone
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Mar 2021 16:12:01 -0000
Given the existence of MTI algorithms, do we need to be so concerned about operators who support non-overlapping subsets? It seems like the guidance is clear: follow the MTI! On Mon, Mar 1, 2021 at 10:46 AM Ulrich Wisser <ulrich= 40wisser.se@dmarc.ietf.org> wrote: > Hi Jim, > > I don’t want to signal this to resolvers, there is no need to. As domains > are resolved by themselves a resolvers doesn’t need to know if all other > subdomains of .se are signed too, just that the one it is interested in is > signed. > > But if .se would have that policy, how would you move a domain between > name server operators? > - If approved by the chairs Shumon and I will present our work on > automating this at the next dnsop meeting. > - if the operators do not support the same algorithm, only lax validation > can save you. (And that is how this discussion started) > > /Ulrich > > > > On 1 Mar 2021, at 15:18, Jim Reid <jim@rfc1035.com> wrote: > > > > > > > >> On 1 Mar 2021, at 13:29, Ulrich Wisser <ulrich= > 40wisser.se@dmarc.ietf.org> wrote: > >> > >> 100% signed would mean unsigned zones do not get delegated, going > insecure is no longer an option. > >> I would like the protocol to be able to handle that case. > > > > Ulrich, that seems to be a (registry-specific?) policy matter => > probably out of scope for the DNS protocol. > > > > How could a parent signal “everything below this point of the tree is > signed”? How could they guarantee that was true, given delegation means > there’s a change of control for some part of the name space? How would > resolving servers be expected to use this signalling information? If they > come across an unsigned but working delegation, should they treat that as a > validation failure or continue to resolve the query? That would seem to be > a local policy/configuration matter too. > > > > I’m not sure it matters to anyone if some parent zone has this sort of > policy or not. Could you explain the use case or problem statement? > > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
- [DNSOP] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] DNSSEC Strict Mode libor.peltan
- Re: [DNSOP] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] DNSSEC Strict Mode libor.peltan
- Re: [DNSOP] DNSSEC Strict Mode Paul Wouters
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Paul Hoffman
- Re: [DNSOP] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] DNSSEC Strict Mode Petr Špaček
- Re: [DNSOP] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Samuel Weiler
- Re: [DNSOP] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Brian Dickson
- Re: [DNSOP] DNSSEC Strict Mode Ralf Weber
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ulrich Wisser
- Re: [DNSOP] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode libor.peltan
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Paul Wouters
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Mark Andrews
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Brian Dickson
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Wes Hardaker
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Mark Andrews
- Re: [DNSOP] [Ext] DNSSEC Strict Mode libor.peltan
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ulrich Wisser
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Joe Abley
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Paul Hoffman
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Paul Wouters
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Samuel Weiler
- Re: [DNSOP] DNSSEC Strict Mode Viktor Dukhovni
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Mark Andrews
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Paul Hoffman
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Bob Harold
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Viktor Dukhovni
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ben Schwartz
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Viktor Dukhovni
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Ulrich Wisser
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Joe Abley
- [DNSOP] Fwd: [Ext] DNSSEC Strict Mode Ulrich Wisser
- [DNSOP] signalling mandatory DNSSEC in the parent… Jim Reid
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Ulrich Wisser
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Ben Schwartz
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Paul Wouters
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Brian Dickson
- Re: [DNSOP] [Ext] DNSSEC Strict Mode Viktor Dukhovni
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Havard Eidnes
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Mark Andrews
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Ulrich Wisser
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Mark Andrews
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Ulrich Wisser
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Mark Andrews
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Ulrich Wisser
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Ben Schwartz
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Ulrich Wisser
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Brian Dickson
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Ulrich Wisser
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Brian Dickson
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Mark Andrews
- Re: [DNSOP] signalling mandatory DNSSEC in the pa… Ulrich Wisser