[DNSOP] Re: Fwd: New Version Notification - draft-ietf-dnsop-domain-verification-techniques-05.txt

John R Levine <johnl@taugh.com> Sat, 27 July 2024 04:01 UTC

Date: Fri, 26 Jul 2024 21:01:41 -0700
Message-ID: <ace52668-f9e0-b779-e255-69ac00207de6@taugh.com>
From: John R Levine <johnl@taugh.com>
To: Erik Nygren <erik+ietf@nygren.org>, Shumon Huque <shuque@gmail.com>
CC: dnsop@ietf.org, Tim Wicinski <tjw.ietf@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/_h1StidhPxsmF2d1rcVCiIypXgE>

On Fri, 26 Jul 2024, Erik Nygren wrote:
>> On your last point, yes, I think we can say that if a verifier sees
>> multiple validation records, they can abort.
>>
> I'd think it would be better to allow looking at the full RRset and
> succeeding if any of the records match?

No.  These records are supposed to be at unique prefixed names.  If 
there's more than one record at the name, something is wrong.

Remember that the robustness principle says to be liberal *when the spec 
is unclear*.  When the spec is clear and the data is wrong, reject it.

R's,
John
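The two verifier policies argued over in this exchange, as an added example that is not code from the draft or from anyone in the thread: `_example-challenge` is a hypothetical provider label standing in for the draft's unique prefixed name, and the token and RRsets are constructed, with no DNS lookup performed. Only the "matching plus leftover record" case separates the two policies, which is exactly the case under discussion.

```python
# Added example; not code from the draft or the thread. It contrasts the two
# verifier policies discussed: reject when the prefixed validation name holds
# more than one TXT record (John) versus accept if any record matches (Erik).
from typing import Dict, Iterable, List, Tuple

# Hypothetical provider label; the draft's pattern is a unique prefixed name
# under the domain being verified, e.g. _example-challenge.example.com.
PREFIX = "_example-challenge"


def validation_name(domain: str) -> str:
    """Return the prefixed owner name the verifier queries for TXT records."""
    return f"{PREFIX}.{domain.rstrip('.')}."


def verify_strict(rrset: Iterable[str], expected: str) -> bool:
    """Require exactly one TXT record at the name, and require it to match.

    A second record at a name that is supposed to be unique is treated as a
    sign that something is wrong, so the whole RRset is rejected.
    """
    records = list(rrset)
    return len(records) == 1 and records[0] == expected


def verify_lenient(rrset: Iterable[str], expected: str) -> bool:
    """Accept if any record in the RRset matches the expected token."""
    return any(record == expected for record in rrset)


# Constructed sample RRsets; no DNS lookup is performed.
TOKEN = "v=example; token=constructed-token-123"
SAMPLES: Dict[str, List[str]] = {
    "single matching record": [TOKEN],
    "single non-matching record": ["v=example; token=other"],
    "matching plus leftover record": [TOKEN, "v=example; token=older"],
    "empty RRset": [],
}


def run_samples() -> Dict[str, Tuple[bool, bool]]:
    """Return the (strict, lenient) verdict for each constructed RRset."""
    return {label: (verify_strict(rrs, TOKEN), verify_lenient(rrs, TOKEN))
            for label, rrs in SAMPLES.items()}


if __name__ == "__main__":
    print("query name:", validation_name("example.com"))
    for label, (strict, lenient) in run_samples().items():
        print(f"{label:30} strict={strict!s:5} lenient={lenient}")
```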