[DNSOP] New draft on delegation revalidation
Shumon Huque <shuque@gmail.com> Fri, 10 April 2020 13:46 UTC
Hi folks,

Paul Vixie, Ralph Dolmans, and I have submitted this I-D for consideration:

https://tools.ietf.org/html/draft-huque-dnsop-ns-revalidation-01

I mentioned it on the dns-operations@dns-oarc.net mailing list last week, where the topic came up in another thread, and there has already been some lively discussion about it there. So we recommend reading the thread there:

https://lists.dns-oarc.net/pipermail/dns-operations/2020-April/020041.html

There is a range of different behaviors in resolver implementations in this respect today, and it would be good if we could agree on more commonality.

The main recommendations in the draft are to:

(1) deterministically prefer the authoritative child NS set over the non-authoritative, unsigned, delegating NS set in the parent,

(2) revalidate the parent delegation at the expiration of the parent NS set TTL, to promptly detect when the parent has re-delegated the zone elsewhere (or removed the delegation).

These are not new ideas of course. They have been proposed in Vixie et al.'s resimprove draft from 2010, and Wouter Wijngaard's resolver mitigations draft from 2009. The Unbound resolver already mostly implements this with the 'harden-referral-path' configuration option.

Comments/discussion welcome.

Shumon, Paul, and Ralph.
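The two recommendations in the message above, modelled as an added sketch that is not part of the original post, the draft, or any resolver's code. The `Delegation` class, its callback interface, and all zone names and TTLs are constructed for illustration. It shows why the revalidation timer follows the parent NS set TTL: the child's own NS TTL (86400 here) would otherwise keep a stale delegation cached long after the parent has moved or removed it.

```python
# Toy model of one zone cut in a resolver cache (illustrative only).
# Names, TTLs and the ask_parent/ask_child callbacks are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class NSSet:
    names: frozenset
    ttl: int  # seconds

class Delegation:
    def __init__(self, ask_parent, ask_child):
        self.ask_parent = ask_parent  # () -> NSSet or None (referral from parent)
        self.ask_child = ask_child    # (servers) -> NSSet or None (authoritative)
        self.ns = None
        self.revalidate_at = 0

    def nameservers(self, now):
        if self.ns is None or now >= self.revalidate_at:
            referral = self.ask_parent()           # (2) re-check the delegation
            if referral is None:
                self.ns = None                     # delegation was removed
            else:
                child = self.ask_child(referral.names)
                self.ns = (child or referral).names        # (1) prefer child NS set
                self.revalidate_at = now + referral.ttl    # parent TTL drives timer
        return self.ns

def run_scenario():
    parent = {"referral": NSSet(frozenset({"ns1.old.example"}), 3600)}
    child_answers = {
        "ns1.old.example": NSSet(
            frozenset({"ns1.old.example", "ns2.old.example"}), 86400),
        "ns1.new.example": NSSet(frozenset({"ns1.new.example"}), 86400),
    }
    def ask_child(servers):
        for server in sorted(servers):
            if server in child_answers:
                return child_answers[server]
        return None
    d = Delegation(lambda: parent["referral"], ask_child)
    seen = [d.nameservers(0)]
    # Parent re-delegates the zone; the old servers would still answer.
    parent["referral"] = NSSet(frozenset({"ns1.new.example"}), 3600)
    seen.append(d.nameservers(3599))   # parent TTL not yet expired
    seen.append(d.nameservers(3600))   # parent TTL expired: revalidate
    parent["referral"] = None          # parent removes the delegation
    seen.append(d.nameservers(7200))
    return seen
```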