IETF Logo Mail Archive

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

Peter Thomassen <peter@desec.io> Wed, 17 May 2023 20:27 UTC

Return-Path: <peter@desec.io>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3A66C14CE5F for <dnsop@ietfa.amsl.com>; Wed, 17 May 2023 13:27:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=a4a.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7_U7fvygvC02 for <dnsop@ietfa.amsl.com>; Wed, 17 May 2023 13:27:00 -0700 (PDT)
Received: from mail.a4a.de (mail.a4a.de [IPv6:2a01:4f8:10a:1d5c:8000::8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18D2DC14F75F for <dnsop@ietf.org>; Wed, 17 May 2023 13:26:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=a4a.de; s=20170825; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:Subject:From :References:To:MIME-Version:Date:Message-ID:Sender:Reply-To:Cc:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=DSCzg/3wdxRmAGwkSs6czbrt7iOBQfB3JbpcOocE1u8=; b=ZmRYSUX6Wc4+Zez3KJJFDynDRP qZxPkSy97g85WwrEbheC4cfFOTGKRgjFl38ngKqt3/RU75nIxqOD5H3/NIBGeDUzkcHigGw/vhcCw tueeUlH8xYeGBSx5w01q2imGf8BrPPTQ4QkLB8xD+EmNlN5tFZj7J+E+tuwPGwW3b7/s86aX9FMe0 XSVF+V/YUQ3/1iC8MwCg2P4+Ty/vH47G9yCFKihfNv2SQKP6YKsGbx2ZYYLonK5PricnIokZ/Q3LV E422IJ4EYXrMXjPIqLzcWBQY+LqyRiKrT+5ZCm9nQ1RhahVRwaHvdKn74gqMRiYPuYdyOEVpOoks/ WrG4AzLA==;
Received: from ip5b41b091.dynamic.kabel-deutschland.de ([91.65.176.145] helo=[192.168.178.70]) by mail.a4a.de with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.93) (envelope-from <peter@desec.io>) id 1pzNjc-000eJj-QO; Wed, 17 May 2023 22:26:57 +0200
Message-ID: <70c1c218-35dc-b162-48aa-9756298849da@desec.io>
Date: Wed, 17 May 2023 22:26:56 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.10.0
Content-Language: en-US
To: Daniel Migault <mglt.ietf@gmail.com>, dnsop@ietf.org
References: <CADyWQ+FwRaSdpSWXBDqCG9ZPNPiG4pGUx37PVtExbqVPr5ZfmA@mail.gmail.com> <ZF6rFlfM7LKObUnQ@straasha.imrryr.org> <CADZyTkn21Z4weUYqmWn1B7_8RnKxd08qnRtDb57MZGgYuASgvA@mail.gmail.com>
From: Peter Thomassen <peter@desec.io>
In-Reply-To: <CADZyTkn21Z4weUYqmWn1B7_8RnKxd08qnRtDb57MZGgYuASgvA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/YWTKdxrHflphG1V2P57QOm0mlsw>
Subject: Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 May 2023 20:27:04 -0000

Hi Daniel,

On 5/17/23 22:01, Daniel Migault wrote:
> I agree but as far as can see the cap of the TTL with a revalidation will not only resync the resolver and the zone more often than could be expected otherwise but does not result in the cached RRsets differing from those provided by the zone.

These two things are not the responsibility of the resolver. It is precisely the task of the TTL to set the expectation for expiry and, when changes are made, for the convergence time to eventual consistency.

> That said, it provides the opportunity to the zone admin to eventually force that refresh in case of a mistakenly long TTL value.

Triggering sudden refetches before TTL expiry is costly. I think that cases where the TTL is misconfigured are better addressed by requesting a cache flush manually from the resolver operator.

> Now one reason I think we also came to the cap, was that though we know tweaking the TTL is possible, I had in mind that adding a field like in our case the 'revalidation TTL' was much harder. Can we assume such a mechanism can realistically be implemented ?

Such a new field would be a big change.

That said, I still don't understand what it's needed for: it seems that it's just not necessary to do revalidation / refetches (= early expiry) after the minimum of TTL_RRset and all of the TTL_DNSKEY, TTL_DS in the chain; you can achieve the same output reliability by doing it when a change in the trust chain is detected and validation would otherwise fail.

The extra field also could also be misconfigured, such as having a mistakenly long value. What then?

Thanks,
Peter

-- 
https://desec.io/

v2.23.0 | Report a Bug | By Email