[DNSOP] Fwd: New Version Notification for draft-thomassen-dnsop-cds-consistency-03.txt
Peter Thomassen <peter@desec.io> Sat, 04 March 2023 20:17 UTC
Return-Path: <peter@desec.io>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A391C14F5E0 for <dnsop@ietfa.amsl.com>; Sat, 4 Mar 2023 12:17:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.897
X-Spam-Level:
X-Spam-Status: No, score=-6.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=a4a.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rfjQ2YVNFyGF for <dnsop@ietfa.amsl.com>; Sat, 4 Mar 2023 12:17:53 -0800 (PST)
Received: from mail.a4a.de (mail.a4a.de [IPv6:2a01:4f8:10a:1d5c:8000::8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C202C14E513 for <dnsop@ietf.org>; Sat, 4 Mar 2023 12:17:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=a4a.de; s=20170825; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:Subject:From :To:References:MIME-Version:Date:Message-ID:Sender:Reply-To:Cc:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=G/508xr3gY9EMYcuYsolOQoT0LS4eKrpJeUMFZlJ7/c=; b=R8WwWkwJgE8RBR4X4TC4EwOaTG EqgsWf7eZN4TCysXYG17dYrkUIXFLCqaCGXsxed5aC9h5HDlekpGusDw8ALcg6E5j9dBSzBy4rWKc 7kE4wYqgbI2lnvp+92Qkzf/VIXOmkva9yF0x90flDE2tG+jNSFdKXnwxXw7m2xRxuqdFet5ybHAZV uSfXJAOSo7nuMfSVhJ0DUHkVK2wyS1JHgPG1k0XiHHKXmQlIz/kwt81Q42enSwBE3tCeAog/TJeLC UVEyciloojacps4zevpuO4LxHo3CO1ZPqgjwxfKWr6Q/ZWL9JZ64ERf7QTuiheCoPzwAW5trZEltz yI0qHlEA==;
Received: from [91.65.176.145] (helo=[192.168.178.70]) by mail.a4a.de with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.93) (envelope-from <peter@desec.io>) id 1pYYKD-00DpB1-ER for dnsop@ietf.org; Sat, 04 Mar 2023 21:17:49 +0100
Message-ID: <d59a7283-b890-88e6-7db8-fbdfd455364d@desec.io>
Date: Sat, 04 Mar 2023 21:17:48 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.7.1
References: <167795989697.46988.15234848850431710337@ietfa.amsl.com>
Content-Language: en-US
To: "dnsop@ietf.org WG" <dnsop@ietf.org>
From: Peter Thomassen <peter@desec.io>
In-Reply-To: <167795989697.46988.15234848850431710337@ietfa.amsl.com>
X-Forwarded-Message-Id: <167795989697.46988.15234848850431710337@ietfa.amsl.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/jM7ggmIG9rnLSfxziTYzUY2k0dQ>
Subject: [DNSOP] Fwd: New Version Notification for draft-thomassen-dnsop-cds-consistency-03.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Mar 2023 20:17:57 -0000
Dear DNSOP, This revision of "Consistency for CDS/CDNSKEY and CSYNC is Mandatory" has the following changes: - Advise to attempt retries to resolve inconsistencies - Added that checking C* consistency also significantly limits impact from nameserver hijacking I've been pondering a related issue, but have omitted it from the draft right now. The question is (from the perspective of a parent, such as registry): --> When ingesting a CSYNC record and subsequently setting out to update the NS RRset, should you be checking that any new NS hostnames don't break the existing DNSSEC setup? For example, it can happen that the zone served by new nameserver does not have the DNSKEY or RRSIG records as required by the DS RRset (e.g., wrong algorithm, or no matching key tag). It could also happen that the new nameserver does not advertise any of the other nameserver's DNSKEYs, so that DNSKEYs from the new nameserver and RRSIGs from an existing one are inconsistent. Depending what's retrieved and cached from which nameserver, this can lead to validation failures. There are two moving pieces, namely the delegation and the DS RRset. Changing either of them has similar implications. For DS updates, we have RFC 7344 Section 4.1: "MUST NOT break the current delegation if applied to DS RRset". So, when processing CDS/CDNSKEY records, one is supposed to check such things. Is it an omission that RFC 7477 (CSYNC) has no such acceptance rules? If so, should they be added to this draft? Practically, one could say something like "When processing CSYNC, run the same checks on the combined target configuration as when processing CDS/CDNSKEY." (Note that the CSYNC spec requires the use of DNSSEC; it would be a little weird if it could be used to break it ...) Thanks, Peter -------- Forwarded Message -------- Subject: New Version Notification for draft-thomassen-dnsop-cds-consistency-03.txt Date: Sat, 04 Mar 2023 11:58:16 -0800 From: internet-drafts@ietf.org To: Peter Thomassen <peter.thomassen@securesystems.de> A new version of I-D, draft-thomassen-dnsop-cds-consistency-03.txt has been successfully submitted by Peter Thomassen and posted to the IETF repository. Name: draft-thomassen-dnsop-cds-consistency Revision: 03 Title: Consistency for CDS/CDNSKEY and CSYNC is Mandatory Document date: 2023-03-04 Group: Individual Submission Pages: 10 URL: https://www.ietf.org/archive/id/draft-thomassen-dnsop-cds-consistency-03.txt Status: https://datatracker.ietf.org/doc/draft-thomassen-dnsop-cds-consistency/ Html: https://www.ietf.org/archive/id/draft-thomassen-dnsop-cds-consistency-03.html Htmlized: https://datatracker.ietf.org/doc/html/draft-thomassen-dnsop-cds-consistency Diff: https://author-tools.ietf.org/iddiff?url2=draft-thomassen-dnsop-cds-consistency-03 Abstract: Maintenance of DNS delegations requires occasional changes of the DS and NS record sets on the parent side of the delegation. [RFC7344] automates this for DS records by having the child publish CDS and/or CDNSKEY records which hold the prospective DS parameters. Similarly, CSYNC records indicate a desired update of the delegation's NS records [RFC7477]. Parent-side entities (e.g. Registries, Registrars) typically discover these records by periodically querying them from the child ("polling"), before using them to update the delegation's parameters. This document specifies that if polling is used, parent-side entities MUST ensure that updates triggered via CDS/CDNSKEY and CSYNC records are consistent across the child's authoritative nameservers, before taking any action based on these records. The IETF Secretariat
- [DNSOP] Fwd: New Version Notification for draft-t… Peter Thomassen