Re: [DNSOP] Possible greater value for draft-ietf-dnsop-ns-revalidation
Brian Dickson <brian.peter.dickson@gmail.com> Wed, 11 August 2021 18:18 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 932513A1F66 for <dnsop@ietfa.amsl.com>; Wed, 11 Aug 2021 11:18:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HgLCbgZ9RvAw for <dnsop@ietfa.amsl.com>; Wed, 11 Aug 2021 11:18:13 -0700 (PDT)
Received: from mail-lj1-x233.google.com (mail-lj1-x233.google.com [IPv6:2a00:1450:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55F9E3A1F62 for <dnsop@ietf.org>; Wed, 11 Aug 2021 11:18:13 -0700 (PDT)
Received: by mail-lj1-x233.google.com with SMTP id u13so6083717lje.5 for <dnsop@ietf.org>; Wed, 11 Aug 2021 11:18:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VGL+lQagMaFpmQOxfpisY7Su3VOD+XDg1YPaWVBmJV8=; b=uXJvUwSFGiiZlN0+Y4DeMrmwkEpFKMm8zve7R4OtdvtS0U0D6T3osZt229V/AwpQKk w0bj7vgUz8ZVT654kjMXyWPm1zbK3EJMCGGmnZsKQC0P8ed1mrHEDzqI69cWLzb6Tsn3 /6NxPzeANjJJDBT8oFe+uqJpBM0aSyaG/igoeZYKT/gBMl5gfzUo2Pu9l3q8Ul3Jgr0Q pyX99DcdYMBONBuqBkhXvbTnqN/e3aNOC85f6NMmHq5mjrcetr6AB8IueltxeLPX7pyj 2r09VVe1PwPnmzxUHsdTrWysaiPaaejAQpsHnEdVdsi2QFnkXFoyH1m1c9b/JVAJPxQM u7OQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VGL+lQagMaFpmQOxfpisY7Su3VOD+XDg1YPaWVBmJV8=; b=BBrzHhBV5YYo7F3r0w37e1lk/gaXE3I+/BdWN1LOzWw5G0zC7jVvK36VNYjKPYBe6p TJTPFjwmt1uX41d5o5vZhbHIsK4ANssvcYpKuqgZWFPBxlcUP4MuLJawLGkOejUmFIhr f43J7zIwJyVUqKIQM3nyZjnmtMzCcw1o+zWAH6X0jzP89PV8Lqi23oBeGK8cX3mWAmE2 3wB+0a/RXga8nPBpCWFbkSJYZdEK71e/fJQ9GIXK/tjadbyuo9kVWTcdnNQiefnR7AdX Fkgm47IhicKQyIOHW4ExdiZNKOO9W5rctcLo9TfE44qkbGfPfrXoPTyOwTrxsemJKmIH 7RLg==
X-Gm-Message-State: AOAM531AhWoy4bzwTUn0UUA8MK6z37PTwpTAGH3yaEujER1t+ZCoGCEh QsfQmrrXDltMoCtHvdd2lkZR8Vr3T3yGc6rh00Y=
X-Google-Smtp-Source: ABdhPJwy9RJrSfA3Uq5AlT8ULlSZCurc+XdQAOXmuIuToq7weqF8c//nXQfh+SaFhhmA425Z7HNVfeYaDrwnRXzvkDk=
X-Received: by 2002:a2e:9bd8:: with SMTP id w24mr26954ljj.148.1628705889703; Wed, 11 Aug 2021 11:18:09 -0700 (PDT)
MIME-Version: 1.0
References: <5EC4E79F-0E29-4BDF-8D06-12AFB634BD9F@icann.org> <CAHPuVdU+C9w5F8cFMFDfSR_Bo+8dRapLUHRBPjtxBSzadDu6nw@mail.gmail.com>
In-Reply-To: <CAHPuVdU+C9w5F8cFMFDfSR_Bo+8dRapLUHRBPjtxBSzadDu6nw@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Wed, 11 Aug 2021 14:17:57 -0400
Message-ID: <CAH1iCiqYEqOCAAgPqxFMx-17HOqb52YBUNSueV71FsvLYf2c0Q@mail.gmail.com>
To: Shumon Huque <shuque@gmail.com>
Cc: Paul Hoffman <paul.hoffman@icann.org>, dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ffdd1705c94ca3ea"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/k9kTmbnBNmNgCHecGba3aQo4ReU>
Subject: Re: [DNSOP] Possible greater value for draft-ietf-dnsop-ns-revalidation
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Aug 2021 18:18:20 -0000
On Tue, Aug 10, 2021 at 3:48 PM Shumon Huque <shuque@gmail.com> wrote: > On Tue, Aug 10, 2021 at 1:55 PM Paul Hoffman <paul.hoffman@icann.org> > wrote: > >> Greetings again. In the DPRIVE WG, we are discussing a proposal that >> would make encrypting transport on a first lookup more likely using a DS >> hack. Whether or not that becomes a WG item in DPRIVE, it reminded me that >> DNSOP had not finished with draft-ietf-dnsop-ns-revalidation, and that this >> draft could be expanded beyond revalidating just NS RRsets to revalidating >> all glue. >> > > Paul, > > I think that's a reasonable thing to consider (and I suspect some > resolvers may already revalidate glue), as long as it's done lazily (or in > parallel) and doesn't interpose additional delay in following a referral. > I'll await other comments .. > > But I'm trying to better understand the connection to the DS hack draft > (I've not followed it very closely, I'll admit). Does it require or benefit > from glue revalidation? Isn't the child zone owner explicitly putting its > NS name and addresses into the hacked DS record at the parent? > > Technically, Paul is referring to _a_ DS proposal, where there are going to be at least _two_ such proposals (mine being the other one). I plan on bringing mine to the DNSOP WG rather than DPRIVE, as I believe it will have more utility than strictly DPRIVE use cases. Having said that, both proposals share one feature, which is the child including the NS set in a new DS record (new algorithm consisting only of a hash of data including NS) on the parental side of the delegation. As such, it definitely will be the case that glue revalidation has benefits. FYI: My proposal, which uses different methods compared to the one Paul references, does not place anything other than NS references in any DS records for the child zone. Rather, it places glue data in additional DS record(s) (different new algorithm(s)), at the corresponding owner names (name server zone, in name server zone's appropriate TLD(s)). In cases where the name server zone itself is glue-less (served by a separate zone), the glue data would be placed in records at that zone's owner name. Brian > Given the results of the survey and the possible cross-WG interest, I'd >> like to see draft-ietf-dnsop-ns-revalidation moved forward in DNSOP sooner >> rather than later. >> > > I'm working on the remaining loose ends and plan to push another update > soon. > > Shumon. > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
- [DNSOP] Possible greater value for draft-ietf-dns… Paul Hoffman
- Re: [DNSOP] Possible greater value for draft-ietf… Shumon Huque
- Re: [DNSOP] Possible greater value for draft-ietf… Brian Dickson
- Re: [DNSOP] Possible greater value for draft-ietf… Raffaele Sommese