Re: [DNSOP] AD review of draft-ietf-dnsop-multi-provider-dnssec

Tony Finch <dot@dotat.at> Tue, 21 January 2020 17:03 UTC

Date: Tue, 21 Jan 2020 17:03:07 +0000
From: Tony Finch <dot@dotat.at>
To: Matthijs Mekking <matthijs@pletterpet.nl>
cc: Shumon Huque <shuque@gmail.com>, draft-ietf-dnsop-multi-provider-dnssec@ietf.org, "dnsop@ietf.org WG" <dnsop@ietf.org>
In-Reply-To: <8af57aeb-66c5-fbb8-b62f-890a82c9d94e@pletterpet.nl>
Message-ID: <alpine.DEB.2.20.2001211648180.7252@grey.csi.cam.ac.uk>
References: <CAHw9_iLFuSbdA2TFS4Qd2dAzDFJyJgfQGY1+T2c2JQZ3WTat_A@mail.gmail.com> <CAHPuVdUUeLx59B0SrzmFazd_rqUm1kU-ARG-LBEYa4jFQyaH3Q@mail.gmail.com> <3fb01cba-9558-531c-5764-9c34b111545b@pletterpet.nl> <CAHPuVdWNAJbGm=j96149Sb9gig1QuAyCXyVbsZY0BzhpP_DV3g@mail.gmail.com> <8af57aeb-66c5-fbb8-b62f-890a82c9d94e@pletterpet.nl>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/_e09AiQJTtrPM9j23cjt5wHU2KE>

Matthijs Mekking <matthijs@pletterpet.nl> wrote:

> I am not sure how they executed the algorithm rollover precisely.
> Particularly, were there ever two DS records in the root zone with
> different algorithms for these zones?

I can answer that :-)

Algorithm rollovers have to be double-KSK rollovers because DS records
have to have a subset of the algorithms of the DNSKEY records. Having both
algorithms in the DS record can only slow down the rollover so it's hard
to think of situations where it would make sense (other than Shumon's
multi-provider disagreement!)

[ For normal KSK rollovers I think double-DS is slightly better since it
allows smaller DNSKEY RRset sizes, tho it requires more parent zone
updates. ]


--- root.db
+++ root.db
@@ -1,4 +1,4 @@
-.                                            86400 IN SOA      a.root-servers.net. nstld.verisign-grs.com. 2018082001 1800 900 604800 86400
+.                                            86400 IN SOA      a.root-servers.net. nstld.verisign-grs.com. 2018082002 1800 900 604800 86400
 .                                            518400 IN NS      a.root-servers.net.
 .                                            518400 IN NS      b.root-servers.net.
 .                                            518400 IN NS      c.root-servers.net.
@@ -2096,7 +2096,7 @@
 br.                                          172800 IN NS      d.dns.br.
 br.                                          172800 IN NS      e.dns.br.
 br.                                          172800 IN NS      f.dns.br.
-br.                                          86400 IN DS       45673 5 2 14369AD309CC59FD59C1A422BA93B71F2C522BF3672C2E067B2C53F5 3AE522DF
+br.                                          86400 IN DS       2471 13 2 5E4F35998B8F909557FA119C4CBFDCA2D660A26F069EF006B403758A 07D1A2E4
 a.dns.br.                                    172800 IN A       200.160.0.10
 a.dns.br.                                    172800 IN AAAA    2001:12ff::10
 b.dns.br.                                    172800 IN A       200.189.41.10
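Review bot: the br. DS RRset goes from one algorithm 5 (RSASHA1) record to one algorithm 13 (ECDSAP256SHA256) record within a single serial bump, with no revision in which both DS records coexist; that is the single-step DS swap the text above describes, and it only validates if br. was already publishing and signing with algorithm 13 DNSKEYs when serial 2018082002 went out (RFC 4035 section 2.2 requires the apex DNSKEY RRset to be signed with every algorithm listed in the DS). One caveat for anyone reading this as a template: caches may hold the old DS for up to its 86400-second TTL and keep validating via algorithm 5, so the algorithm 5 keys and signatures have to stay published past that window.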

--- root.db
+++ root.db
@@ -1,4 +1,4 @@
-.                                            86400 IN SOA      a.root-servers.net. nstld.verisign-grs.com. 2017121400 1800 900 604800 86400
+.                                            86400 IN SOA      a.root-servers.net. nstld.verisign-grs.com. 2017121401 1800 900 604800 86400
 .                                            518400 IN NS      a.root-servers.net.
 .                                            518400 IN NS      b.root-servers.net.
 .                                            518400 IN NS      c.root-servers.net.
@@ -11638,6 +11638,7 @@
 ns3.pknic.net.pk.                            172800 IN A       199.192.75.54
 root-s.pknic.pk.                             172800 IN A       119.81.34.90
 pl.                                          172800 IN NS      a-dns.pl.
+pl.                                          172800 IN NS      b-dns.pl.
 pl.                                          172800 IN NS      c-dns.pl.
 pl.                                          172800 IN NS      d-dns.pl.
 pl.                                          172800 IN NS      e-dns.pl.
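Review bot: this hunk only adds `pl. 172800 IN NS b-dns.pl.` to the delegation and touches no DS record, so it is unrelated to the algorithm question and appears here because it landed in the same root zone revision as the se. change; the glue for the new name server is in the following hunk.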
@@ -11648,6 +11649,8 @@
 pl.                                          86400 IN DS       14075 8 2 4D12B53E0A179C5E51719F606FC429EA03F444CDF5370FBBEEB6ECEB 21E99F2B
 a-dns.pl.                                    172800 IN A       194.181.87.156
 a-dns.pl.                                    172800 IN AAAA    2001:a10:121:1::156
+b-dns.pl.                                    172800 IN A       192.195.72.53
+b-dns.pl.                                    172800 IN AAAA    2001:7f9:c::53
 c-dns.pl.                                    172800 IN A       93.190.128.146
 c-dns.pl.                                    172800 IN AAAA    2a02:38:14::146
 d-dns.pl.                                    172800 IN A       81.15.133.186
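Review bot: the `pl. 86400 IN DS 14075 8 2 ...` line is unchanged context, and the hunk adds only the A/AAAA glue for b-dns.pl. matching the NS added in the previous hunk. What a diff like this cannot show is whether the glue matches the addresses the child zone itself serves for b-dns.pl., which is the check to run before accepting a delegation update.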
@@ -13124,7 +13127,7 @@
 se.                                          172800 IN NS      i.ns.se.
 se.                                          172800 IN NS      j.ns.se.
 se.                                          172800 IN NS      x.ns.se.
-se.                                          86400 IN DS       59747 5 2 44388B3DE9A22CAFA8A12883F60A0F984472D0DFEF0F63ED59A29BE0 18658B28
+se.                                          86400 IN DS       59407 8 2 67A8E06FCEFDD9397F77F26C41ADE4EC142F299BCFA1827F0EF8FD87 F2F63022
 nsa.netnod.se.                               172800 IN A       194.58.192.33
 nsa.netnod.se.                               172800 IN AAAA    2a01:3f1:33::53
 nsp.netnod.se.                               172800 IN A       194.58.198.33
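Review bot: like br., the se. DS is replaced in one step, algorithm 5 (RSASHA1) key tag 59747 out and algorithm 8 (RSASHA256) key tag 59407 in, both with digest type 2 (SHA-256); again no revision carries both algorithms in the DS RRset, which matches the double-KSK, single-DS pattern the message describes. The new key tag is expected rather than suspicious: the tag is computed over the whole DNSKEY RDATA, including the algorithm octet, so it changes with the algorithm.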

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Cape Wrath to Rattray Head including Orkney: Mainly westerly or southwesterly
3 or 4, occasionally 5 in north. Smooth or slight in east, moderate or rough
in north, occasionally very rough at first in far north. Fair then occasional
rain or drizzle, fog patches developing in north. Moderate or good, becoming
moderate, occasionally very poor in north.
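The rule Tony states above, that the parent's DS RRset may only list algorithms that are present in and signing the child's DNSKEY RRset, can be checked mechanically. The following is an added example, not code from this message, the draft, or any IETF project: it models each intermediate state of a rollover as the set of algorithms resolvers can see in DNSKEY, RRSIG and DS, flags the states that break RFC 4035 section 2.2, and shows why a double-KSK plan passes while pre-publishing the DS (the double-DS pattern) fails at the step where the DS names an algorithm with no key. It also parses DS lines out of a zone file diff; the sample hunk is the br. change quoted in the message, and `ZoneState`, `check_state` and the step labels are this example's own names.

```python
import re
from dataclasses import dataclass

# Added example (not from the message or any IETF draft). Models RFC 4035
# section 2.2: the apex DNSKEY RRset must be signed by every algorithm in the
# parent's DS RRset, and every algorithm in the DNSKEY RRset must sign every
# RRset. Net effect: DS algorithms must be a subset of the signing algorithms.

RSASHA1, RSASHA256, ECDSAP256SHA256 = 5, 8, 13  # IANA DNSSEC algorithm numbers


@dataclass(frozen=True)
class ZoneState:
    """What resolvers can observe at one moment of a rollover (hypothetical model)."""
    label: str
    dnskey_algs: frozenset  # algorithms of the published apex DNSKEYs
    rrsig_algs: frozenset   # algorithms for which every RRset carries an RRSIG
    ds_algs: frozenset      # algorithms listed in the parent's DS RRset


def check_state(state):
    """Return the list of rule violations for this snapshot (empty means valid)."""
    problems = []
    no_key = state.ds_algs - state.dnskey_algs
    if no_key:
        problems.append(f"DS lists algorithm(s) {sorted(no_key)} with no matching DNSKEY")
    no_sig = state.dnskey_algs - state.rrsig_algs
    if no_sig:
        problems.append(f"DNSKEY algorithm(s) {sorted(no_sig)} do not sign every RRset")
    return problems


def double_ksk_rollover(old, new):
    """Keys and signatures first, DS swapped in one step, old keys withdrawn last."""
    o, n = frozenset({old}), frozenset({new})
    both = o | n
    return [
        ZoneState("1 steady state, old algorithm", o, o, o),
        ZoneState("2 publish new DNSKEYs and sign with both", both, both, o),
        ZoneState("3 parent replaces the DS in a single step", both, both, n),
        ZoneState("4 withdraw old keys and signatures", n, n, n),
    ]


def double_ds_rollover(old, new):
    """Pre-publish the new DS first, as a plain KSK rollover would; fails for algorithms."""
    o, n = frozenset({old}), frozenset({new})
    both = o | n
    return [
        ZoneState("1 steady state, old algorithm", o, o, o),
        ZoneState("2 parent pre-publishes the new DS", o, o, both),  # rule violation
        ZoneState("3 publish new DNSKEYs and sign with both", both, both, both),
        ZoneState("4 parent withdraws the old DS", both, both, n),
        ZoneState("5 withdraw old keys and signatures", n, n, n),
    ]


def audit(plan):
    """Map each step label to its violations."""
    return {s.label: check_state(s) for s in plan}


# Unified-diff line of a DS record: sign owner TTL IN DS keytag alg digesttype digest
DS_LINE = re.compile(r"^([+\- ])(\S+)\s+\d+\s+IN\s+DS\s+(\d+)\s+(\d+)\s+(\d+)\s+")


def ds_algorithms_in_diff(diff_text):
    """Per owner, DS algorithms before ('-' and ' ' lines) and after ('+' and ' ' lines)."""
    seen = {}
    for line in diff_text.splitlines():
        m = DS_LINE.match(line)
        if not m:
            continue
        sign, owner, _tag, alg, _digest_type = m.groups()
        entry = seen.setdefault(owner, {"before": set(), "after": set()})
        if sign in "- ":
            entry["before"].add(int(alg))
        if sign in "+ ":
            entry["after"].add(int(alg))
    return seen


def ds_rollover_was_single_step(diff_text, owner):
    """True when the diff swaps one DS algorithm for another with no overlap revision."""
    e = ds_algorithms_in_diff(diff_text)[owner]
    return len(e["before"]) == 1 and len(e["after"]) == 1 and e["before"] != e["after"]


# Sample input: the br. hunk quoted in the message above (lines copied verbatim).
BR_HUNK = """\
-br.                                          86400 IN DS       45673 5 2 14369AD309CC59FD59C1A422BA93B71F2C522BF3672C2E067B2C53F5 3AE522DF
+br.                                          86400 IN DS       2471 13 2 5E4F35998B8F909557FA119C4CBFDCA2D660A26F069EF006B403758A 07D1A2E4
 a.dns.br.                                    172800 IN A       200.160.0.10
"""

if __name__ == "__main__":
    plans = (("double-KSK", double_ksk_rollover(RSASHA1, ECDSAP256SHA256)),
             ("double-DS", double_ds_rollover(RSASHA1, ECDSAP256SHA256)))
    for name, plan in plans:
        print(name)
        for label, problems in audit(plan).items():
            print(f"  {label}: {'ok' if not problems else '; '.join(problems)}")
    print("br. DS swapped in one step:", ds_rollover_was_single_step(BR_HUNK, "br."))
```

The model deliberately ignores TTLs: in practice each step must also wait until the previous state has expired from caches (DNSKEY TTL before swapping the DS, DS TTL before withdrawing the old keys), which is where the double-DS variant Tony mentions for ordinary KSK rollovers saves DNSKEY RRset size but costs extra parent updates.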