Re: [DNSOP] DNSSEC Strict Mode

Ben Schwartz <bemasc@google.com> Tue, 23 February 2021 15:53 UTC

References: <CAHbrMsBeCiZ-31hjKvet2UPDPFhdVYpgqR6Kw-WWz1ERgeSFoQ@mail.gmail.com> <4d343f14-7e40-a510-ddce-d295415ca167@nic.cz> <CAHbrMsAFq-76LvWc2j2kxK2mVAiFpGvChJWz_p=XSqM6ghutBw@mail.gmail.com> <4e483c38-be57-32ac-57d6-ff847b267830@nic.cz>
In-Reply-To: <4e483c38-be57-32ac-57d6-ff847b267830@nic.cz>
From: Ben Schwartz <bemasc@google.com>
Date: Tue, 23 Feb 2021 10:53:34 -0500
Message-ID: <CAHbrMsCdxcwgV6jw1ZB71r31+xWvYhCaBhziNbU-5ihsr=Pdxg@mail.gmail.com>
To: "libor.peltan" <libor.peltan@nic.cz>
Cc: dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/gk_q2gxyNO8Ei23ZpVJXMpXtXFw>
Subject: Re: [DNSOP] DNSSEC Strict Mode

On Tue, Feb 23, 2021 at 10:36 AM libor.peltan <libor.peltan@nic.cz> wrote:

> Hi Ben,
>
> Yes, RFC 6840 tells validators to be lax.
>
> However, it also requires exactly the same as RFC 4035 from signers.
>
> As I understand it, the requirement is rephrased, but entirely equivalent,
> and there is a MUST.
>
> So, is your proposal only about a bit in DNSKEY record, signalling "this
> zone is RFC compliant"?
>
That's a fair characterization, but of course the point of the draft is to
change the behavior of validators.  Also, we need to be very clear about
which RFC requirements are being described here.

> If so, I have no more questions, but you should maybe state this clearly ;)
>
OK, clarified in my copy:
https://github.com/bemasc/dnssec-strict-mode/commit/1d2a88aabdbf1c137baafa5465adbab263eee344

> Cheers,
>
> Libor
>
>
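As an added illustration of the distinction Ben and Libor are discussing (example code written for this page, not part of the thread or of the draft): a model validator that applies the RFC 6840 section 5.11 lax rule by default and, when the zone keys carry the signalling bit, turns the RFC 4035 section 2.2 signer rule into a validation requirement. The bit position, the "flag on every zone key" rule and the algorithm numbers in the constructed sample are assumptions of this model, not the draft's assignments.

```python
from dataclasses import dataclass

# Flag bits in the DNSKEY flags field.  ZONE_KEY is the RFC 4034 Zone Key bit;
# STRICT is a placeholder for the draft's signalling bit (position assumed).
ZONE_KEY = 0x0100
STRICT = 0x0001


@dataclass(frozen=True)
class DNSKey:
    flags: int
    algorithm: int


@dataclass(frozen=True)
class RRSig:
    algorithm: int
    verifies: bool  # result of the cryptographic check, precomputed for this model


def zone_algorithms(keys):
    """Algorithms present among the zone keys of the apex DNSKEY RRset."""
    return {k.algorithm for k in keys if k.flags & ZONE_KEY}


def signer_compliant(keys, sigs):
    """RFC 4035 s2.2 signer rule: every zone algorithm signs the RRset."""
    return all(any(s.algorithm == a for s in sigs) for a in zone_algorithms(keys))


def validate(keys, sigs):
    """Return 'secure' or 'bogus' for one RRset.

    Lax (RFC 6840 s5.11): one verifying RRSIG under any zone algorithm suffices.
    Strict (flag set on every zone key; an assumption of this model): each zone
    algorithm must contribute a verifying RRSIG, so a stripped or broken
    algorithm cannot be silently ignored.
    """
    algs = zone_algorithms(keys)
    if not algs:
        return "bogus"
    strict = all(k.flags & STRICT for k in keys if k.flags & ZONE_KEY)
    good = {s.algorithm for s in sigs if s.verifies and s.algorithm in algs}
    if strict:
        return "secure" if good == algs else "bogus"
    return "secure" if good else "bogus"


if __name__ == "__main__":
    # Constructed sample: dual-algorithm zone (8 = RSA/SHA-256, 13 = ECDSAP256SHA256)
    lax_keys = [DNSKey(ZONE_KEY, 8), DNSKey(ZONE_KEY, 13)]
    strict_keys = [DNSKey(ZONE_KEY | STRICT, 8), DNSKey(ZONE_KEY | STRICT, 13)]
    sigs = [RRSig(8, True), RRSig(13, False)]  # only the RSA signature verifies
    print("lax:", validate(lax_keys, sigs), "strict:", validate(strict_keys, sigs))
```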