Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-10 and AD

Geoff Huston <gih@apnic.net> Wed, 04 April 2018 00:29 UTC

From: Geoff Huston <gih@apnic.net>
In-Reply-To: <412D2533-2332-4F38-BAC6-4C5AF391C124@isc.org>
Date: Wed, 04 Apr 2018 10:28:39 +1000
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, dnsop <dnsop@ietf.org>
Message-Id: <756BFAD3-2867-4646-B028-7D93C05BA8F3@apnic.net>
References: <039408B0-89EE-4038-B9C9-CBCC35EC24EC@isc.org> <64816369-700A-4413-B1F0-160FB145EE6C@gmail.com> <BF3E4F4D-027C-4A2B-8026-14AF3FBA4603@isc.org> <2F103A8E-72F6-4159-900D-B7006D0AC647@gmail.com> <6D617FAC-D981-4AE1-8943-4F0D12C46397@vpnc.org> <0B0775D9-B5E6-4778-A199-FE4D09A0BE17@apnic.net> <D19F6299-922A-4DCE-8E95-85CA72E63129@vpnc.org> <A4AA3F56-12A5-4951-B01A-450B493E0E4A@apnic.net> <412D2533-2332-4F38-BAC6-4C5AF391C124@isc.org>
To: Mark Andrews <marka@isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kCdUODOM83TetzAPmZ3b-3KiHLE>

I thought that if the query contained CD = 1 then the DNS response
would not be validated, and precondition 1 would not be met.

But I’m probably wrong, so could you please suggest wording here?

regards,

Geoff


> On 4 Apr 2018, at 10:21 am, Mark Andrews <marka@isc.org> wrote:
> 
> You are effectively saying that the resolver MUST ignore CD=1 for these queries.
> 
>> On 4 Apr 2018, at 7:36 am, Geoff Huston <gih@apnic.net> wrote:
>> 
>> 
>> 
>>> On 4 Apr 2018, at 7:11 am, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
>>> 
>>> On 3 Apr 2018, at 13:45, Geoff Huston wrote:
>>> 
>>>> Is the wording “that the resolver has to do DNSSEC validation on what it gets back from the authoritative server *regardless* of whether the originating client requests it?” a clarification that updates the validation behaviours as specified in RFC4035 and RFC6840 as to when a security aware resolver performs validation? Or merely a clarification of the precondition in the context of the sentinel behaviour but of no wider import?
>>> 
>>> The latter. Otherwise, someone reading the document might not understand that the response must be validated no matter what.
>> 
>> 
>> So you are saying that the document should revert to the wording:
>> 
>>  All of the following conditions must be met to trigger special
>>  processing inside resolver code:
>> 
>>  o  The DNS response is DNSSEC validated, regardless of whether
>>     DNSSEC validation was requested.
>> 
>>  o  The result of validation is "Secure".
>> 
>>  o  The QTYPE is either A or AAAA (Query Type value 1 or 28).
>> 
>>  o  The OPCODE is QUERY.
>> 
>>  o  The leftmost label of the original QNAME (the name sent in the
>>     Question Section in the original query) is either "root-key-
>>     sentinel-is-ta-<key-tag>" or "root-key-sentinel-not-ta-<key-tag>".
>> 
>> 
>> (I’ve split the initial condition into two explicit preconditions to be consistent with the rest of the enumerated list)
>> 
>> Any objections to this from the WG? I’ll wait for 24 hours and then post this wording as version 11 unless the WG says otherwise.
>>
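As an added illustration (not code from the draft or from anyone in this thread), the following Python sketch checks the five preconditions quoted above and shows why the CD=1 question matters: a resolver that validates regardless of the client's CD bit can satisfy the first two preconditions, while one that skips validation for CD=1 queries never can. The `QueryContext` model, the decimal form of `<key-tag>`, case-insensitive label matching and the key tag 12345 are assumptions made here, not details from the draft.

```python
import re
from dataclasses import dataclass

# Constants from the quoted precondition list.
QTYPE_A, QTYPE_AAAA = 1, 28
OPCODE_QUERY = 0

# Leftmost-label forms from the quoted wording. Assumption (not stated on the
# page): <key-tag> is written in decimal, and matching is case-insensitive
# because DNS labels are compared case-insensitively.
SENTINEL_LABEL = re.compile(r"^root-key-sentinel-(is|not)-ta-(\d{1,5})$", re.IGNORECASE)

@dataclass
class QueryContext:
    """Constructed view of one query as the resolver sees it (hypothetical model)."""
    qname: str              # original QNAME from the Question Section
    qtype: int
    opcode: int
    client_cd: bool         # CD bit set by the originating client
    validation_result: str  # what validation yields when it is run: "Secure", "Bogus", ...

def sentinel_preconditions(ctx, validate_regardless_of_cd=True):
    """Return (matched, kind, key_tag) for the quoted precondition list.

    validate_regardless_of_cd=True models the quoted wording: the resolver
    validates even when the client sent CD=1. False models a resolver that
    skips validation for CD=1 queries; such queries then never satisfy the
    first two preconditions.
    """
    no_match = (False, None, None)
    if ctx.client_cd and not validate_regardless_of_cd:
        return no_match           # response not validated: precondition 1 fails
    if ctx.validation_result != "Secure":
        return no_match           # validated, but the result is not "Secure"
    if ctx.qtype not in (QTYPE_A, QTYPE_AAAA):
        return no_match
    if ctx.opcode != OPCODE_QUERY:
        return no_match
    leftmost = ctx.qname.rstrip(".").split(".")[0]
    m = SENTINEL_LABEL.match(leftmost)
    if m is None:
        return no_match
    key_tag = int(m.group(2))
    if key_tag > 0xFFFF:          # key tags are 16-bit values (RFC 4034)
        return no_match
    return (True, m.group(1).lower(), key_tag)

# Constructed sample queries; key tag 12345 is an arbitrary value.
SAMPLES = [
    QueryContext("root-key-sentinel-is-ta-12345.example.", QTYPE_A, OPCODE_QUERY, True, "Secure"),
    QueryContext("root-key-sentinel-not-ta-12345.example.", QTYPE_AAAA, OPCODE_QUERY, False, "Secure"),
    QueryContext("www.root-key-sentinel-is-ta-12345.example.", QTYPE_A, OPCODE_QUERY, False, "Secure"),
    QueryContext("root-key-sentinel-is-ta-12345.example.", 16, OPCODE_QUERY, False, "Secure"),
]
```

Running `sentinel_preconditions(SAMPLES[0])` with the default matches, while the same query with `validate_regardless_of_cd=False` does not, because the client set CD=1.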