Re: [DNSOP] [Ext] Working Group Last Call for draft-ietf-dnsop-rfc8109bis
Paul Hoffman <paul.hoffman@icann.org> Wed, 10 January 2024 03:17 UTC
Return-Path: <paul.hoffman@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90B9EC18DB91 for <dnsop@ietfa.amsl.com>; Tue, 9 Jan 2024 19:17:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.209
X-Spam-Level:
X-Spam-Status: No, score=-4.209 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kgGjIRr15KYR for <dnsop@ietfa.amsl.com>; Tue, 9 Jan 2024 19:17:25 -0800 (PST)
Received: from ppa2.lax.icann.org (ppa2.lax.icann.org [192.0.33.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23D5EC151545 for <dnsop@ietf.org>; Tue, 9 Jan 2024 19:17:25 -0800 (PST)
Received: from MBX112-W2-CO-2.pexch112.icann.org (out.mail.icann.org [64.78.33.6]) by ppa2.lax.icann.org (8.17.1.24/8.17.1.24) with ESMTPS id 40A3HOWA029583 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 10 Jan 2024 03:17:24 GMT
Received: from MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) by MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.28; Tue, 9 Jan 2024 19:17:23 -0800
Received: from MBX112-W2-CO-1.pexch112.icann.org ([169.254.44.235]) by MBX112-W2-CO-1.pexch112.icann.org ([169.254.44.235]) with mapi id 15.02.1258.028; Tue, 9 Jan 2024 19:17:23 -0800
From: Paul Hoffman <paul.hoffman@icann.org>
To: Paul Wouters <paul@nohats.ca>
CC: dnsop <dnsop@ietf.org>
Thread-Topic: [Ext] [DNSOP] Working Group Last Call for draft-ietf-dnsop-rfc8109bis
Thread-Index: AQHaQ3OHANGAxqx9nkqB/8YhY14KBg==
Date: Wed, 10 Jan 2024 03:17:23 +0000
Message-ID: <AA83016F-F3FE-4263-8791-7966408BBC62@icann.org>
References: <CADyWQ+FW_9pbQFrOJz7R5BQEdL075wXBc=aZ=mcifqT8fekORg@mail.gmail.com> <6c4f5a81-2758-2baf-b5f0-5586c1553308@nohats.ca>
In-Reply-To: <6c4f5a81-2758-2baf-b5f0-5586c1553308@nohats.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.0.32.234]
x-source-routing-agent: True
Content-Type: text/plain; charset="us-ascii"
Content-ID: <2C184D8C1D74C44087C6E7B40551E79D@pexch112.icann.org>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.997,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2024-01-05_08,2024-01-05_01,2023-05-22_02
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/fM_rISWNMCcCOcxSlruU71bpYsc>
Subject: Re: [DNSOP] [Ext] Working Group Last Call for draft-ietf-dnsop-rfc8109bis
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jan 2024 03:17:25 -0000
Thanks for the support for the doc; I hope others chime in as well. On Jan 9, 2024, at 08:33, Paul Wouters <paul@nohats.ca> wrote: > > there are 13 root servers. > > I would really like to see this changed. We keep trying to tell people > that are not DNS insiders that the world does not depend on just 13 > physical machines. This will cause that confusion to strengthen again. Good catch; fixed. >> It is in DNS master file format >> >> Maybe use "zone file presentation format" instead of "master file format" > > This still stands as well. Agree; fixed. > Perhaps a recommendation could be to check with ZONEMD and do an AXFR, > eg recomend implementing RFC 8806 - "Running a Root Server Local to a Resolver". > Comes with added bonuses on top of a signature on all the root glue. > > I still think this would also still be good to mention. This would be a very comfusing mention because the resolver isn't really "priming" at that point, it's using a complete root zone. I'll cover this with an addition to the Security Considerations section: <t>This document does not cover the use of (or the need for) priming when serving a copy of the full root zone on the same server as the resolver, such as is described in <xref target="RFC8806"/>. In such a setup, the resolver never really primes its cache because the cache is full as soon as the resolver pulls down a new complete root zone.</t> (Suggestions for better wording are welcome!) > >> [[ This section talks about sending the DO bit, but does not actually >> talk about validating the response to the priming query. This became >> important after the root KSK rollover in 2018 because some resolvers >> apparently were validating and only had the old KSK, but were still >> sending RFC 8145 telemetry even after failing to validate their >> priming response. ]] > > I said before: > > Nothing much can be done here other than advising implementers to check > if the obtained DNSKEY RRset no longer contains any KSK that is > configured as part of the software, and then doing some kind of > exponential back-off to slow down the query rate? > > The comment was removed but no text was added for this ? Should there be? I'm not seeing what adding this would solve. The only possible attack is that the old key was compromised by the machine-in-the-middle attacker, but that is a completely separate issue from priming because the priming response is not (currently) signed. > I also wrote before: > > So now I do think the document is ready, but I think it would be nice to > mention ZONEMD and local root configurations as methods to protect > against spoofed glue. See above. --Paul Hoffman
- [DNSOP] Working Group Last Call for draft-ietf-dn… Tim Wicinski
- [DNSOP] Priming and RFC 8806 Paul Hoffman
- [DNSOP] typos/language corrections (Re: Working G… Štěpán Němec
- Re: [DNSOP] Working Group Last Call for draft-iet… Paul Wouters
- Re: [DNSOP] [Ext] Working Group Last Call for dra… Paul Hoffman
- Re: [DNSOP] Working Group Last Call for draft-iet… Roy Arends
- Re: [DNSOP] Working Group Last Call for draft-iet… Roy Arends
- Re: [DNSOP] [Ext] Working Group Last Call for dra… Paul Hoffman
- Re: [DNSOP] Working Group Last Call for draft-iet… George Michaelson
- Re: [DNSOP] [Ext] Working Group Last Call for dra… Paul Hoffman
- Re: [DNSOP] Working Group Last Call for draft-iet… Tim Wicinski
- Re: [DNSOP] [Ext] Working Group Last Call for dra… Paul Hoffman
- Re: [DNSOP] [Ext] Working Group Last Call for dra… Wessels, Duane
- Re: [DNSOP] [Ext] Working Group Last Call for dra… Paul Hoffman
- Re: [DNSOP] Working Group Last Call for draft-iet… Tim Wicinski