[DNSOP] Extending the semantics of DSYNC to enable parent to signal absence of scanner or frequency of scans.
Johan Stenstam <johan.stenstam@internetstiftelsen.se> Thu, 12 June 2025 14:35 UTC
From: Johan Stenstam <johan.stenstam@internetstiftelsen.se>
To: DNSOP Working Group <dnsop@ietf.org>
Date: Thu, 12 Jun 2025 14:34:54 +0000
CC: Erik Bergström <erik.bergstrom@internetstiftelsen.se>, Leon Fernandez <leon.fernandez@internetstiftelsen.se>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/fr_XnOg3u69IgR_vGPlVs40h-fs>
Hi all,

We just uploaded an absolutely trivial new draft that is intended to close two holes that should be easy to close once we have DSYNC published (it has been in the RFC Editor queue since earlier this spring).

https://datatracker.ietf.org/doc/draft-berra-dnsop-announce-scanner/

What holes may that be?

Hole #1: what is the frequency of the parent scanner?

As I work for a parent (.SE) that actually does both CDS and CSYNC scanning I know for a fact that we regularly get emails from children that are confused that we have not picked up on the CDS or CSYNC that they just published. We explain that the scanner only runs once every 24h and case is closed.

Hole #2: is there a scanner at all or not?

Up until now there has been no standardized method for finding out (a) if there is a parent-side CDS (and/or CSYNC) scanner. Sure, we publish the existence on a web page somewhere, but I’m sure that child-side software will not read that. I’m also sure that other scanner operators publish existence of their scanners in some way differently from how we do it. And also human operators will typically not bother to hunt for that information.

However, my assumption (or perhaps, my hope) is that as DSYNC gains use there will be an increasing amount of child-side software systems that look for the DSYNC RRset to figure out how to announce new CDS and/or CSYNC publications. So then we can obviously use that to send signals back directly to the child system.

Our proposal is the following:

a) To signal the ABSENCE of a scanner or the FREQUENCY of a scanner that does not support generalized notifications the parent should publish a DSYNC record with a Target of “.” I.e. the target “.” should be interpreted as “don’t send notifications here, we’re just trying to tell you something”.

b) In the ABSENCE of a scanner, set the Port to 0 (zero). I.e.:

    example. DSYNC CDS NOTIFY 0 .

is effectively a statement that says “there is no CDS scanner here, we will not see your CDS records, don’t email us to ask whether our scanner is broken, etc…”

c) In the PRESENCE of a scanner, but no support (yet) for generalized notifications, set the Port to the intended frequency of the scanner, measured in minutes. I.e.:

    example. DSYNC CSYNC NOTIFY 1440 .

is a statement that “yes, there is a CSYNC scanner, but it only runs once every 24h and we do not (yet) support generalized notifications, please have some patience”.

Consequences:

Parent-side there is zero implementation work. Publishing these records is just policy statements.

Child-side there is limited implementation work to deal with this information from the parent. If a child-side implementation doesn’t want to deal with this information then that’s ok and nothing will break. But, presumably child-side implementations are not yet set fully in stone, and checking this data (if it is published by the parent) may allow them to set expectations correctly and thereby work better.

The draft is only a couple of pages long and we appreciate all and any comments.

Regards,
Johan
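A child-side reading of the signalling rules (a) to (c) proposed in the message, as an added example that is not part of the original post or of the draft. The names `DsyncSignal`, `interpret_dsync` and `expectation` are hypothetical, the third sample record is constructed, and the RRset is assumed to have been DNSSEC-validated by the resolver before it reaches this code.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class DsyncSignal:
    rrtype: str                           # "CDS" or "CSYNC"
    notify_to: Optional[Tuple[str, int]]  # (target, port) if NOTIFYs are accepted
    scanner: Optional[bool]               # None: record carries no scanner signal
    interval_min: Optional[int]           # announced scan interval in minutes

def interpret_dsync(line: str) -> DsyncSignal:
    """Parse '<owner> [ttl] [IN] DSYNC <rrtype> <scheme> <port> <target>'."""
    fields = line.split()
    if "DSYNC" not in fields:
        raise ValueError(f"not a DSYNC record: {line!r}")
    rdata = fields[fields.index("DSYNC") + 1:]
    if len(rdata) != 4:
        raise ValueError(f"expected 4 RDATA fields, got {len(rdata)}")
    rrtype, scheme, port_s, target = rdata
    rrtype = rrtype.upper()
    if rrtype not in ("CDS", "CSYNC") or scheme.upper() != "NOTIFY":
        raise ValueError(f"unsupported rrtype/scheme: {rrtype} {scheme}")
    port = int(port_s)                    # ValueError on non-numeric input
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if target != ".":                     # ordinary record: a real NOTIFY receiver
        return DsyncSignal(rrtype, (target, port), None, None)
    if port == 0:                         # rule (b): target "." and port 0
        return DsyncSignal(rrtype, None, False, None)
    return DsyncSignal(rrtype, None, True, port)  # rule (c): port = minutes

def expectation(sig: DsyncSignal) -> str:
    """Turn the parsed signal into what the child-side software should do."""
    if sig.notify_to:
        host, port = sig.notify_to
        return f"send NOTIFY({sig.rrtype}) to {host} port {port}"
    if sig.scanner is False:
        return f"no {sig.rrtype} scanner: parent will not pick up {sig.rrtype} records"
    return f"{sig.rrtype} scanner runs every {sig.interval_min} min: wait, send no NOTIFY"

# The first two records are the ones quoted in the message; the third is constructed.
SAMPLE_RRSET = [
    "example. DSYNC CDS NOTIFY 0 .",
    "example. DSYNC CSYNC NOTIFY 1440 .",
    "example. 3600 IN DSYNC CDS NOTIFY 5359 scanner.parent.example.",
]

if __name__ == "__main__":
    for rr in SAMPLE_RRSET:
        print(expectation(interpret_dsync(rr)))
```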