Re: [DNSOP] New draft on delegation revalidation

Shumon Huque <shuque@gmail.com> Wed, 29 April 2020 01:22 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Z3oI2y7bhV37FhEQOUuCLcYNnsE>

On Tue, Apr 28, 2020 at 5:43 AM Giovane C. M. Moura <giovane.moura=40sidn.nl@dmarc.ietf.org> wrote:

> Hi Shumon,
>
> > Do you plan to maintain the parent/child disjoint NS
> > domain (marigliano.xyz) going forward? And what about the test
> > domains for other types of misconfigurations?
>
> Great idea. Let me look into this, will get back to you with that.
>

Thanks!


> > Did you look at the potential problem of members of the child (or
> > parent) NS sets emitting different information? I suspect that case
> > also happens.
>
> Yes, section 4 covers this (NSSet parent != NSSet child).
>
> We have 4 scenarios, and we always query for the A record of
> $probeid-$timestamp.marigliano.xyz
>
> The trick was to configure different NSes to return different A answers,
> so we knew which NS answered which query.
>
> Is that what you refer to?
>

I meant servers within the child (or parent) NS set had different NS
sets configured in them, i.e. yet another level of mismatch. Maybe
that's not worth investigating, but I'm pretty sure I've come across
such misconfigurations in the past.

> > Do you have any plans to look at the behavior of the large public
> > resolvers?
>
> That's a good idea. To answer this one, we need to configure the
> scenarios again. Let me get back to you once I manage to get this set up
> for other folks to test this too.
>

Cool, thanks!

Shumon.
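
An added example, not part of the original message or of the draft authors' tooling: a Python sketch of the two checks discussed in this thread, namely grouping servers by the NS set each one returns (so disagreement inside the parent or child set is visible, not only parent vs. child) and attributing probe queries to the NS that answered via its distinct A record. All server names, addresses and probe names below are constructed.

```python
from collections import Counter, defaultdict

def norm(names):
    """Canonicalise NS host names: case-insensitive, no trailing dot."""
    return frozenset(n.lower().rstrip(".") for n in names)

def relation(parent, child):
    """Name the relationship between a parent-side and a child-side NS set."""
    if parent == child:
        return "equal"
    if not parent & child:
        return "disjoint"
    if parent < child:
        return "parent-subset-of-child"
    if child < parent:
        return "child-subset-of-parent"
    return "overlap"

def audit(observations):
    """observations: (side, server, ns_names) with side 'parent' or 'child'.
    Servers are grouped by the NS set they returned; more than one group on
    a side means servers within that side disagree with each other."""
    groups = {"parent": defaultdict(list), "child": defaultdict(list)}
    for side, server, ns_names in observations:
        groups[side][norm(ns_names)].append(server)
    report = {side: {"consistent": len(views) == 1, "views": dict(views)}
              for side, views in groups.items()}
    # Compare every distinct parent view with every distinct child view.
    report["relations"] = sorted(
        {relation(p, c) for p in groups["parent"] for c in groups["child"]})
    return report

def attribute(probes, marker):
    """probes: (qname, A answer) pairs; marker: A answer -> answering NS.
    Each NS serves a different A record, so the answer identifies it."""
    return Counter(marker.get(answer, "unknown") for _, answer in probes)

# Constructed sample data (illustrative names and documentation addresses).
OBS = [
    ("parent", "a.parent.test", ["ns1.example.test.", "ns2.example.test."]),
    ("parent", "b.parent.test", ["ns1.example.test.", "ns2.example.test."]),
    ("child", "ns3.example.test", ["NS3.example.test.", "ns4.example.test."]),
    ("child", "ns4.example.test", ["ns3.example.test.", "ns5.example.test."]),
]
MARKER = {"192.0.2.1": "ns1", "192.0.2.3": "ns3"}
PROBES = [("1001-1588000000.zone.test", "192.0.2.1"),
          ("1002-1588000000.zone.test", "192.0.2.3"),
          ("1003-1588000060.zone.test", "192.0.2.3")]

if __name__ == "__main__":
    print(audit(OBS))
    print(attribute(PROBES, MARKER))
```

In live use the observations would come from querying each listed server directly for the zone's NS RRset; here the child side reports two different views, which is the extra level of mismatch raised above.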