Re: [DNSOP] [Ext] "The Forgotten Object Lesson Of The Dyn DDoS Attack"

Steve Crocker <> Fri, 04 January 2019 03:01 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8D01C130F08 for <>; Thu, 3 Jan 2019 19:01:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id wQS1I8XNnrjg for <>; Thu, 3 Jan 2019 19:01:32 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::832]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4CA4D130F06 for <>; Thu, 3 Jan 2019 19:01:32 -0800 (PST)
Received: by with SMTP id u47so34506940qtj.6 for <>; Thu, 03 Jan 2019 19:01:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=DmGNcqYAhprJIIaoIh2l/aUFgMJjjFvvJd6oOKMNYsE=; b=0tP90AXUmXNvRZwsj9APiqF+XDuQYSb++/BRQcgwytoWIyNi3b7kep7kFCG17HLja/ P05RECr/T7V8NTb0DAa5gUQ6oK/pctEz0roWuNKyCmkI/HD2nv+Yz7Ub6VmjvcSbvorr Dd3XRPnUz772eB4FmuHX5fGfmtKarV5wAiSSqLEeuXdpnQ50L01j8eWsvVa1cYYbneeN 6dWW1BhtvbqrqbEAYEco3K7domeWLapLGy3C9Cy15b1y5dVqEByrQyRy6TCxZJ1qjLy0 l41Ktna/FDqS5AnDoZZqSL0YllpcmXVAAOCkWveKxA+Ac4V7Y0E1rPggiy/6EJUUpudV 2Y2A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=DmGNcqYAhprJIIaoIh2l/aUFgMJjjFvvJd6oOKMNYsE=; b=dE6ryZXhHmslvUu9GIzTJZ78jrAnEUxtXIT/+iXQVddUGF2rHV0UkYQW8gmWDrj0xm KIpW2I2ehriw7+e48ZagjfHUgPxdf0NC4XWZMSKvKvghKrSTipSLqxQ2DGSaZfQRaWCP 5X/eqe7LR1qQuK0LWehme+GhKlVIJEm4PMqj3URJvlOGF0m+vNRQyDn9WCO+wwIwKtES 6UmDzu90Ki5ubTEIKYpUzxoDYqpkuMRq4UqTXHZ96xvtSztlUMDGnkcjxa7rVTI3c4Ew coTFYlHZGVm2b7OZXQAmgrd400iML0z0/TVHJADLlxbrlpmOpbsrKRbjYSWlPBeymCu6 JxLA==
X-Gm-Message-State: AJcUukewowk2LejCBbb7ilTEmxHAJ+EqEc0oQ97Q7ywYEjbgnlDSOC8n WqgZr5OwxjpFSfdFvo5oYAjV0w==
X-Google-Smtp-Source: ALg8bN5+M1TnHy2johl+Fc0sUvFMhleR7FL70xRVgdfHmAwguxuQXLWVq49XyfeP/sCvSLtCQzh2hQ==
X-Received: by 2002:aed:2e86:: with SMTP id k6mr46753201qtd.292.1546570891181; Thu, 03 Jan 2019 19:01:31 -0800 (PST)
Received: from ?IPv6:2601:142:2:4b7:9526:c872:3026:f730? ([2601:142:2:4b7:9526:c872:3026:f730]) by with ESMTPSA id n26sm22058397qkg.74.2019. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 03 Jan 2019 19:01:30 -0800 (PST)
Content-Type: multipart/alternative; boundary="Apple-Mail-005133B5-20F4-4E83-930E-F3A3BA3CCE69"
Mime-Version: 1.0 (1.0)
From: Steve Crocker <>
X-Mailer: iPhone Mail (15F79)
In-Reply-To: <>
Date: Thu, 03 Jan 2019 22:01:29 -0500
Cc: Paul Hoffman <>, dnsop <>
Content-Transfer-Encoding: 7bit
Message-Id: <>
References: <> <> <> <>
To: Tim Wicinski <>
Archived-At: <>
Subject: Re: [DNSOP] [Ext] "The Forgotten Object Lesson Of The Dyn DDoS Attack"
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 04 Jan 2019 03:01:36 -0000

Weighing in on this, I think this is an important piece of work.  I’m particularly interested in what else is necessary to introduce the multiple dns operators to each, to authorize their cooperation, and facilitate cross signing of keys whenever a new operator is introduced and whenever one or more of the operators rolls its/their key(s).

This draft is framed in terms of having multiple dns operators serve the same zone on a continuing basis.  An important corner case is the transfer of a signed zone from one operator to another without loss of resolution and without loss of validity.

If I can be helpful moving this forward, I’ll be glad to help.

Steve Crocker

Sent from my iPhone

> On Jan 3, 2019, at 9:33 PM, Tim Wicinski <> wrote:
> Actually  draft-huque-dnsop-multi-provider-dnssec was adopted, but the author (whom I work with and has heard from 
> me about this regularly) has failed to push up an updated version.   I'm going to force him to turn the authorship
> over to one of the other authors who is more responsive to the needs of the chairs.
> Tim
>> On Thu, Jan 3, 2019 at 11:26 AM Paul Hoffman <> wrote:
>> On Jan 3, 2019, at 5:02 AM, Töma Gavrichenkov <> wrote:
>> > If I were to trace that through the recent DNSOP activity, I could
>> > bring up my own draft (draft-gavrichenkov-dnsop-dnssapi), also not
>> > adopted and now expired.  Maybe there were discussions of the same
>> > sort before me that I'm not aware of.
>> Or he was possibly talking about draft-huque-dnsop-multi-provider-dnssec, which expired yesterday, and also has not been adopted.
>> --Paul Hoffman_______________________________________________
>> DNSOP mailing list
> _______________________________________________
> DNSOP mailing list