IETF Logo Mail Archive

[DNSOP] Re: Working Group Last Call for draft-ietf-dnsop-cds-consistency

Peter Thomassen <peter@desec.io> Wed, 18 June 2025 16:09 UTC

Return-Path: <peter@desec.io>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 603183681DAC; Wed, 18 Jun 2025 09:09:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.8
X-Spam-Level:
X-Spam-Status: No, score=-2.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=desec.io
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bWksGW9RId8O; Wed, 18 Jun 2025 09:09:41 -0700 (PDT)
Received: from mail.a4a.de (mail.a4a.de [IPv6:2a01:4f8:10a:1d5c:8000::8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id A22173681DA7; Wed, 18 Jun 2025 09:09:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=desec.io; s=20170825; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:From: References:Cc:To:Subject:MIME-Version:Date:Message-ID:Sender:Reply-To: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=pQsKoSWk4t/HJqNx+l+zQQbV6k/u9pmK+QQm7INP0vo=; b=JOJlAwAOwDg1SoNnNx76FzWQEh FCubki1tihuOgN+9QE3UYlkSHtvsdF4yLMaO/6Y9m3FhBCR4B6+ogIqu3k0B+KNQwksaKijloK7q4 fR9v4fpRa5/ehin9faEv7h8YZlAiF7aazJ7ZTtmmRzVB5R/wAzVv3uwSFdDRmjqrnvxGX08MceDvE oKFPAjsKvtmPSoo76pvP+F3KAIG5D8rTsst+nfhLUSlaFGpmIdDG595j4eizrYLRy84fPN1hqM/AO A1CWdTfFYZ5IL8xm4qQfLLCXHF9swlT+KcCFYNFuJfARcs49hxo84KzSVe54HhE5e+mE6P8mHX+AS nqpUZobQ==;
Received: from business-90-187-67-221.pool2.vodafone-ip.de ([90.187.67.221] helo=[192.168.75.127]) by mail.a4a.de with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.97) (envelope-from <peter@desec.io>) id 1uRvM3-00000002QQZ-2N7e; Wed, 18 Jun 2025 18:09:40 +0200
Message-ID: <3eba0da1-c8ad-470f-a7cd-9ec13105afbc@desec.io>
Date: Wed, 18 Jun 2025 18:09:38 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Brian Dickson <brian.peter.dickson@gmail.com>, Joe Abley <jabley=40strandkip.nl@dmarc.ietf.org>
References: <AE182B59-62AD-42BA-8490-FC6F7F80D4F1@strandkip.nl> <4F949062-8C2D-450E-A4EF-73AD611AA429@gmail.com>
Content-Language: en-US, de-DE
From: Peter Thomassen <peter@desec.io>
Autocrypt: addr=peter@desec.io; keydata= xsFNBFRjVn0BEADXqtra70yxQrT4MQ9DEhN0mxG6XRAOHE6nP18mqxwSlcET7D6w+z3h4ole v0tyvUU02c2wg04X8WVfjoHnAvIa1dfUcNpB1+QmfFsw0xIJlbT1ogHkMiPQqR4ChDvE3ND/ 6YCS5+HT6hY+tfU+hpLsKw4l+u1Pg2NPVLYosET1jU84b7xhFnoicnCV3kUNltLtxLKSBAfk AXtp1AWWKJbfCr3y0qKElMriicoe5DUZfLrZK2iPcWBxh+n7KMO2g7aqx3aQqwW1+S7Sq7Is l6iSurYfIcHb4AfUy4o5nPB8kKACR6BuJmkEQ5WLuTGruWA2fcxaNpICmolMinTzW1CrIjgN PoskMYCNIZ2uWxS6LN8hBiGCRL4h9aL4wuT09SvR13oAPI1HD5ph+mH6wD37/ONBXrdjcFNb 1l/uVkHU/SwwcKDJOsX18T60Ao00fciTbFHgmKtFube0xGK/vjh461TyU+xKD8Orvyeovvxy MzCwM3UVq/dkdG2Ys/7Qy/4bUC1nJEwKlLv7ZTdtSckdoU2M6JpPX6i4KDB2YCMbwtqJ842z 8A/UuE2bL9aDimh/sF8WgPIhlxqF1STNqW1JTIbDPv8HeZnM4nyJOUWStj4uRiETQhBClPLz YWtnR+EUsfbSLy81vfupbMqRasDlt6aASobgn+K7Rb1Xs/mDnwARAQABzSBQZXRlciBUaG9t YXNzZW4gPHBldGVyQGRlc2VjLmlvPsLBeAQTAQIAIgUCVGNWfQIbIwYLCQgHAwIGFQgCCQoL BBYCAwECHgECF4AACgkQ79YUOj7yLS88Dg//SbHnFGrtaImEiM69wyj4GzWnuGk9/upCym/R RzdBALCYHU9FUFFHwusiO9A0pnO8qv/GEtqqTHrcL205a6FTivkdZmOsWuN4oo7r4HBc/taI FLLUDg2wd8q4m4387sYEqrc3olGfyRB6hrMtEWVJLXHJmpcrxAaI1F2QO4Bu7kcdTnyGFz/p ZD8XAof2TWHqJb2ux69DFhiAJeAZlV+h9QrxTedL84l4hq3x1VWsnOEFaCJiThDX920kTnhJ ijrDocgAbmQBCniPACpPHYhBhmCJxfVqgfMuLMNsukOmKxsGcGV6rO1zB5ZUhm3O/Ixk6ow3 6FDKALWihg6Z4P/cJYySMn0iqvHkO8ryT9oJKX//mKaYoF6henXDRLCcRjKwGxFQTEgX+6yc pjgvX3rlypjkPT5ho4yEc5ePkQ2gIIHhvZburm1Zr4nDPx6v8+3XUjpXBRTWQ8/0/h0rtLJe yOPwGJxcfKf/GutTCqiio0mS01mIY9c2i7JWcljlIuSEUit6CHotc5lBOm2GJwguRJG6cXPY SQecwBdcjH3RTzBOv/DN6xWAIV7BmbX/e7DSGAc60mBO1/M0ut+a6CkxRQK8TaE3B3zh1/QO nG0XvtZfIY8ZYdTrdEDSV1Pj5pof/fqhhegHRxN2qi4qIuVcrW0jsUsx10IgAynHR7qQKsvO wU0EVGNWfQEQAPBA8iPCS4ZRX8stW0WuW7579axSq/Luyik4MWDFalt68lzvUbV0f6faN15+ aV7VwMTw3rSa2tP0U8crYAAAZ5NrRHXlYms5BK9vsi1322dAvhyNRawdprP627SO+Ez/84tY xz1X3M9esbN7gpJtHP6mHW76zYpT447v6c2qlbldjobZTDb6kKSGFCIrPJz9M4jVfya+ovxe 2Ab7hn2R0CcyMHATV5g1Ry0XXaj5y3bWypActbG9nflRn3NjhHZynu+WEPDUJCO8kNVNYKOw HObNTeaLvgvU0ONB8pYJv35kDXMhZLwo5MJuJd5i54CXwpo9mECwLJT1RpJi7u98nBrWyyaH s2brG9LPCRKBKOhiHFu57H+cElh+kOvehuS7DFTzjqDwJlkQzP5Hq0G++hZxfdYocKdcdFoh RP3dtDAe+Lfiy9qzJicZ6ACbzoQIN58xj0VWAn1W7SuMErOjv84D/FiXHD2Kxtx09wQl8vH0 Nbh9UgyDBNupToM0ixT+8Ko8eBuYHR53RPxshQhFw4EMIhXiOaxNe1W2Z95QPnYhUGOMoy3I v4fxMQUHa4kZSF2qxsFB1Cxol/aBPGwkwoqUvzp23pLQtJ6youYXtLgvx3pR4L52Q5CUzHMa HvM67XWgW1KqtnvNBXN9PwtDz/a9fQX1YO4CegrXv8C9Ro+LABEBAAHCwV8EGAECAAkFAlRj Vn0CGwwACgkQ79YUOj7yLS8rXA/9EGX2QRfJS94JTdtseu7saTK9a3IKwk6E33GpfXyUVpMt sOqV756XQwULZSWoxInRQtWojA8pQxDUYrbA4MpX0Efr2Dx1xIsJ5F3JajOqViB1SbOD2m0f bxXbcoWKitsKoag2SlvNOd8rD9FcgDvrkacnaQZcZE8DyyGx0JU451tfoD/igu85NZpTDaWG 6fth7QRlxmdGWrGXRdXAP29jq1n0I1wIyF/bXlZ7MXjOSsfyPddzsnHFTvNMZKps0QXNF+hi ESg9chIeo/IFDDVu6pCtm6mftojx84rczTZiNk8r2T3TU4N8uwWtXn/nj9xd61pnxD0xkTPH zxJrCs59WSfYqj3aFNkWO3Lg0/HGnO9wHQKMXcGPsnKITHVzxCNBQtVHomNA7ds6Kt3/WJgS pU2ciICvrpvKgPNWQ0d/SeY3vYIRvDLZ12Svx6M3eXDrsgZOT5be7kGVr3t7dBOYKcRHkZUq kU1kCcgp0vetISVDOc5fkpdUkAtd5/13pIpz4ikVR3OM4Br4XMVShm6RvoP4pyA+ftCi1+bw 0UbRCrnHgnG+wtCf5nMDGVLc04vITnII+ESZqlF02a1IFj0Z2MuQK2Oszl2Nsx/LG60G1e/R pzKEXIIJgHfbwUCWtV1zQu6v9Ng5H8EqVeWcdaPUwSQMGcDg/sPa4s/OxhgrYBg=
In-Reply-To: <4F949062-8C2D-450E-A4EF-73AD611AA429@gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: NJP4FNPWWPP52T2IFAIEPDAAKSYTPIHA
X-Message-ID-Hash: NJP4FNPWWPP52T2IFAIEPDAAKSYTPIHA
X-MailFrom: peter@desec.io
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Ondřej Surý <ondrej@sury.org>, dnsop <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: Working Group Last Call for draft-ietf-dnsop-cds-consistency
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/anLt6cG6YeOX7DA4eJlrw8Fz3rk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Hi Joe,

On 6/12/25 04:22, Brian Dickson wrote:
>> The core advice:
>>
>>     This document therefore specifies that parent-side entities MUST
>>     ensure that the updates indicated by CDS/CDNSKEY and CSYNC record
>>     sets are consistent across all of the child's authoritative
>>     nameservers, before taking any action based on these records.
>>
>> is, in general, not actionable. The full set of authority servers for a zone are frequently not available from a single vantage point, since a single nameserver address often maps to many different individual servers which may or may not serve consistent information (e.g. when an individual NS target is deployed using anycast in one or more address families). Depending on how you count them, most nameservers are anycast, so I think it could be said that this is not a niche observation. The revised advice might boil down to "instead of just looking for an answer as a stub resolver would, look at a random two out of 100,000 possible authoritative servers" and I'm not convinced that is much of an improvement.
>>
> 
> I think a balanced reading of the advice, which might depend on favorable interpretation of semantics and definitions, can be actionable and an improvement.
> 
> I think this boils down to looking at signatures as “proof of possession” and also as an authoritative indication of intent.
> 
> The (IMHO) reasonable expectation regarding these specific record types is that they SHOULD be consistent across an anycast set. This reading of the recommendations reduces the required queries to one per unique server name/address, without weakening the logic or the security model(s) involved.

The idea is really to do a plausibility check, not to rule out things that can't be ruled out. In other words, it's not about being sure that all is fine; it's about acting reasonably when there is an indication of a problem.

I suspect that there are many cases where errors could happen because the synchronization was not properly done (see the cases in the various Appendixes), and not because some anycast nodes are lagging.

Of course, that can happen, too. In combination with the advice in draft-ietf-dnsop-generalized-notify (in RFC ed queue) that operators not send notifications to the parent "until all publicly visible copies of the zone are updated", the parent's consistency check actually is suitable to (mostly) trigger when an operator actually has made a mistake.

>> With respect to multi-signer configurations, I think the right way to solve that is to sync CDS and CDNSKEY between participating signers just as the corresponding DNSKEY RRs are synced. This seems like a solution that is more effectively aligned with the problem; to put it another way, multi-signer implementations would be more robust if they didn't have to make assumptions about whether the polling advice in this document was followed or not.

I completely agree, but it is likely there will be failures around that sync, when one provider doesn't not properly honor the state machine and proceeds early to the next step. The draft acknowledges such (and other) scenarios in A.3.

Historically, there has been no shortage of DNSSEC-induced outages from early moves during (manual?) key rollovers and such, and I'm pretty sure that multi-provider synchronization implementations will not be immune to such bugs. These situations should lead to the update not being applied, instead of the wrong update being applied and more outages happening (and another round of avoidable DNSSEC reputational loss ensuing).

On 6/12/25 08:10, Joe Abley wrote:
> In this case the duct tape is only being applied in places that are feeling the consequence of forgetting the contract; the consequences of ignoring the contract are largely self-inflicted and not shared with other innocent bystanders.

I'm not sure I agree with that: if a domain goes bogus because of a bad DS update, then users of that domain are also affected, even though they are innocent bystanders.

> This is why I think this proposal overall does no great harm and I think it's ok to publish.

Ah great! Thank you for reading (and commenting!) anyway. :-p

Best,
Peter

v2.40.4 | Report a Bug | By Email | System Status