Re: [DNSOP] New Version Notification for draft-yorgos-dnsop-dry-run-dnssec-01.txt
"libor.peltan" <libor.peltan@nic.cz> Wed, 13 July 2022 11:26 UTC
Return-Path: <libor.peltan@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 271C0C157B55 for <dnsop@ietfa.amsl.com>; Wed, 13 Jul 2022 04:26:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AkEBMcl7SdI2 for <dnsop@ietfa.amsl.com>; Wed, 13 Jul 2022 04:26:18 -0700 (PDT)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BDB24C16ECB7 for <dnsop@ietf.org>; Wed, 13 Jul 2022 04:26:17 -0700 (PDT)
Received: from [IPV6:2001:1488:fffe:6:2cbd:ab4f:f02c:97f5] (unknown [IPv6:2001:1488:fffe:6:2cbd:ab4f:f02c:97f5]) by mail.nic.cz (Postfix) with ESMTPSA id 8F348148093; Wed, 13 Jul 2022 13:26:13 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1657711574; bh=jK2w03JRF3BHpLlDXStCV1sGldLppJ0fAY4yXQh7ARs=; h=Date:Subject:To:From:From; b=V+EFJbeSoJW/gnnZ3EDcRGa1Rj4bNZBOY9dZwtqwGIyXQOqVpc4lyi4WYm/CsV6Ni kg0Ywzuj0nOwnqyLVfC9RJ3VqfHUc6MHGbAzIwe5RNMmCnHhmpHhGY2hu6XAowOl6B /23m23FNeoLVWLbQMjiUuJ85orIDlIeCTA/QCUsM=
Message-ID: <05a8cd07-eff8-d9a3-7bf4-4855011cd493@nic.cz>
Date: Wed, 13 Jul 2022 13:26:13 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.1
Content-Language: en-US
To: Willem Toorop <willem@nlnetlabs.nl>, DNSOP Working Group <dnsop@ietf.org>
References: <165757672414.5113.12045650066277748904@ietfa.amsl.com> <03fcdc90-1857-cefd-5fec-be7ad9422db4@nlnetlabs.nl>
From: "libor.peltan" <libor.peltan@nic.cz>
In-Reply-To: <03fcdc90-1857-cefd-5fec-be7ad9422db4@nlnetlabs.nl>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.103.6 at mail
X-Virus-Status: Clean
X-Spamd-Result: default: False [0.00 / 99.00]; ASN(0.00)[asn:25192, ipnet:2001:1488::/32, country:CZ]; WHITELISTED_IP(0.00)[2001:1488:fffe:6:2cbd:ab4f:f02c:97f5]
X-Spamd-Bar: /
X-Rspamd-Server: mail
X-Rspamd-Queue-Id: 8F348148093
Authentication-Results: mail.nic.cz; auth=pass smtp.auth=libor.peltan@nic.cz smtp.mailfrom=libor.peltan@nic.cz
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/a9WlLwV33czW2EpjQj3Dtz9TYjI>
Subject: Re: [DNSOP] New Version Notification for draft-yorgos-dnsop-dry-run-dnssec-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jul 2022 11:26:22 -0000
Hi Willem, Yorgos, Roy, dnsop, I dare to repeat my support for the ideas in dry-run-dnssec draft. However, I still don't like the suggested format of dry-run DS record. Another alternative idea: how about putting the Digest Type into the first octet of Digest field like in the draft, but cropping (or stretching) the rest of the actual digest in a way that the overall size of the resulting Digest field is something "normal" (e.g. 32 octets), and does not differ based on actual Digest Type? I assume that for dry-run, the weakened actual security of cropped Digest is not a big deal. Please consider my thought and employ/deny it as needed. Best, Libor Dne 12. 07. 22 v 16:35 Willem Toorop napsal(a): > Dear dnsop, > > We submitted a new version of a “dry-run DNSSEC” draft. The draft > describes a method that allows for testing DNSSEC deployments in real > world DNS(SEC) deployments without affecting the DNS service in case of > DNSSEC errors. Any encountered errors are signaled to the DNS operator > of the faulty zone with DNS Error Reporting > (draft-ietf-dnsop-dns-error-reporting). > > This is a new idea which will be presented during dnsop at the IETF114 > and was also presented at the IETF113. A recording of the IETF113 > presentation is here: https://youtu.be/watch?v=7HxcmvFOnlU&t=3675s > Slides here: > https://datatracker.ietf.org/meeting/113/materials/slides-113-dnsop-dry-run-dnssec-01 > > We received a lot of feedback with our presentation which we used to > reorganize the draft to convey the idea more clearly and coherently. We > also received some critique and objections which were non-technical in > nature. Below is a list with these objections followed by our response. > > ** This is another straw on the camel’s back ** > > Not all resolvers have to support/implement it. Most important is that > provisioning at the registry and signaling of Dry-run is supported. If > needed we can say it is OPTIONAL for resolvers in the draft. We intend > to implement it ourselves in Unbound and have it enabled by default when > error reporting is enabled. We know from experience with trust-anchor > signaling and sentinel record that with only a small, up to date > resolver population, the signaling is already quite substantial. > > There are different kinds of straws and this one is one that has the > good cause of enabling operators to deploy DNSSEC with confidence. > > > ** Why not have a duplicate parallel test deployment? ** > > There is nothing better than testing with your actual user population to > dry-run your DNSSEC deployment. Note that slack’s parallel test > deployment did not show them the Route53 failure that caused them to > have an DNSSEC outage eventually[1] > > > ** Why not sell DNSSEC domains cheaper? ** > > Yes, we’re all for that too, but that’s orthogonal to seeing what the > actual effect of starting DNSSEC with your deployment with your real > user population would be. > > > The other objections which were more technical, like for example > “registries supporting only fixed sized hashes per algorithm” and > “couldn’t we normalize the different DS hacks somehow” are all addressed > in the new version of the document. > > We’re looking forward to a new round of feedback and critique ;) > Both on-list and in-person at the IETF-114! > > Kind regards, > > Yorgos, Willem and Roy > > > Op 11-07-2022 om 23:58 schreef internet-drafts@ietf.org: >> A new version of I-D, draft-yorgos-dnsop-dry-run-dnssec-01.txt >> has been successfully submitted by Yorgos Thessalonikefs and posted to the >> IETF repository. >> >> Name: draft-yorgos-dnsop-dry-run-dnssec >> Revision: 01 >> Title: dry-run DNSSEC >> Document date: 2022-07-11 >> Group: Individual Submission >> Pages: 12 >> URL: https://www.ietf.org/archive/id/draft-yorgos-dnsop-dry-run-dnssec-01.txt >> Status: https://datatracker.ietf.org/doc/draft-yorgos-dnsop-dry-run-dnssec/ >> Html: https://www.ietf.org/archive/id/draft-yorgos-dnsop-dry-run-dnssec-01.html >> Htmlized: https://datatracker.ietf.org/doc/html/draft-yorgos-dnsop-dry-run-dnssec >> Diff: https://www.ietf.org/rfcdiff?url2=draft-yorgos-dnsop-dry-run-dnssec-01 >> >> Abstract: >> This document describes a method called "dry-run DNSSEC" that allows >> for testing DNSSEC deployments without affecting the DNS service in >> case of DNSSEC errors. It accomplishes that by introducing a new DS >> Type Digest Algorithm that signals validating resolvers that dry-run >> DNSSEC is used for the zone. DNSSEC errors are then reported with >> DNS Error Reporting, but any bogus responses to clients are withheld. >> Instead, validating resolvers fallback from dry-run DNSSEC and >> provide the response that would have been answered without the >> presence of a dry-run DS. A further option is presented for clients >> to opt-in for dry-run DNSSEC errors and allow for end-to-end DNSSEC >> testing. >> >> >> >> >> The IETF Secretariat >> >> > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop
- Re: [DNSOP] New Version Notification for draft-yo… Willem Toorop
- Re: [DNSOP] New Version Notification for draft-yo… libor.peltan
- Re: [DNSOP] New Version Notification for draft-yo… George Thessalonikefs
- Re: [DNSOP] New Version Notification for draft-yo… Petr Špaček
- Re: [DNSOP] New Version Notification for draft-yo… Dave Lawrence
- Re: [DNSOP] New Version Notification for draft-yo… Paul Wouters
- Re: [DNSOP] New Version Notification for draft-yo… Mats Dufberg