Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: sentinel and timing?
Paul Vixie <paul@redbarn.org> Thu, 08 February 2018 18:06 UTC
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70F4E12D80F for <dnsop@ietfa.amsl.com>; Thu, 8 Feb 2018 10:06:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rg_j0S_xMzx5 for <dnsop@ietfa.amsl.com>; Thu, 8 Feb 2018 10:06:06 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 07ABB12D7E9 for <dnsop@ietf.org>; Thu, 8 Feb 2018 10:06:04 -0800 (PST)
Received: from [IPv6:2001:559:8000:c9:20e3:e8bd:ee44:7bb4] (unknown [IPv6:2001:559:8000:c9:20e3:e8bd:ee44:7bb4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id AF3007594C; Thu, 8 Feb 2018 18:06:03 +0000 (UTC)
Message-ID: <5A7C918A.10101@redbarn.org>
Date: Thu, 08 Feb 2018 10:06:02 -0800
From: Paul Vixie <paul@redbarn.org>
User-Agent: Postbox 5.0.22 (Windows/20171208)
MIME-Version: 1.0
To: Matt Larson <matt@kahlerlarson.org>
CC: Joe Abley <jabley@hopcount.ca>, sthaug@nethelp.no, Ed Lewis <edward.lewis@icann.org>, dnsop WG <dnsop@ietf.org>
References: <564E7616-6B47-48E2-B3DC-68A22032F441@icann.org> <20180208.152419.74654265.sthaug@nethelp.no> <A03DAC63-E005-4811-B706-B0284273DE6B@hopcount.ca> <32CB34DD-D682-42D7-B869-5A03057FCCC1@kahlerlarson.org> <5A7C89B6.2000907@redbarn.org> <C4EABC66-B9EB-427E-8DFD-FBD3B82D8343@kahlerlarson.org>
In-Reply-To: <C4EABC66-B9EB-427E-8DFD-FBD3B82D8343@kahlerlarson.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/e--_HZjxRHwK_LH8qXYNYcrBlVs>
Subject: Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: sentinel and timing?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Feb 2018 18:06:08 -0000
Matt Larson wrote: > Out of curiosity, what other changes have there been that > deliberately invalidated a working config? the big one was last-bind8 to first-bind9. there were also some minor ones over the years like changing the default for allow-query to be localnets rather than any. since it hasn't happened in the years i've been gone from ISC, i think we can safely assign blame and move on. > I appreciate that line of reasoning when applied to invalidating > features that don't have harmful consequences if used. But in the > specific case we're talking about, the circumstances matter: I > suggest that it's better to have the server refuse to start with a > clear syslog message to force someone to adjust a harmful config > rather than have the server start but fail to resolve queries by > mysteriously returning SERVFAIL to everything. there's going to have to be a third way. if that's due to happen, we can expect the BIND9 embedders and ISC to work together to patch it in an way that disables DNSSEC validation if it recognizes some badness of some kind. running off the rails into a ditch won't be allowed to happen, for anyone whose BIND9 gets patched regularly. even if this means recognizing KSK-2010 specifically, in hard code. > At the very least, a "trusted-keys for the root KSK considered > harmful" syslog message would be a hopefully easy and > non-controversial first step in the right direction. i think that's entirely reasonable, and based on BIND9's syslogging when its hints file is seen to be out of date (doesn't match priming), i think there's sufficient precedent. but i do think we ought to be realistic as to whether the 99%'ers will ever read their syslog files. -- P Vixie
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … sthaug
- [DNSOP] Why new code/old keys? Re: [Ext] Re: sent… Edward Lewis
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … Ray Bellis
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … Joe Abley
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … Matt Larson
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … Paul Vixie
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … sthaug
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … Paul Vixie
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … Matt Larson
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … Paul Vixie
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … Mukund Sivaraman
- Re: [DNSOP] Why new code/old keys? Re: [Ext] Re: … Mark Andrews