[DNSOP] Re: Extending the semantics of DSYNC to enable parent to signal absence of scanner or frequency of scans.
Peter Thomassen <peter@desec.io> Wed, 18 June 2025 14:03 UTC
Return-Path: <peter@desec.io>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id D6362367229E; Wed, 18 Jun 2025 07:03:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.8
X-Spam-Level:
X-Spam-Status: No, score=-2.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=desec.io
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EarKCQwHRa7Q; Wed, 18 Jun 2025 07:03:00 -0700 (PDT)
Received: from mail.a4a.de (mail.a4a.de [IPv6:2a01:4f8:10a:1d5c:8000::8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 215FD3672287; Wed, 18 Jun 2025 07:02:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=desec.io; s=20170825; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:From: References:Cc:To:Subject:MIME-Version:Date:Message-ID:Sender:Reply-To: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=2Pcv1kc5G8x7HkGjqwGrRTGi1IhG7y51hq3S7OREvO0=; b=hRIABaPznKF16bh+fpNvCKoHf2 b7Ic0UAwuQSXHDIiq/jMPeLqscFycP6LLImVt7gyKq8Jogxrsr7h8XlblE9wh9lxpUdz2ad6pS91i 1Cg8epWOzsvg0LkIyoYGrX5brI77J8cpUq0tJMbqSexdXRxHFVtaBjc9RC15xPoRpTQ5JM4aQ/08k mdxWaiVZIwFrfKSrJCfep52kjetGlC0HwcL8q25y9qzYx5w4kr44yKz/YPjIsVKWvu8D9ia+MyjBS 78dyyxp/aAHnNEa4lU3tvY4bomVDdChFD6GM4nmogsrHFJY1Z5Kj/xBOLtcr/bIPdBT0SgJMBd6rN rNVbWG7Q==;
Received: from [90.187.67.221] (helo=[192.168.75.127]) by mail.a4a.de with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.97) (envelope-from <peter@desec.io>) id 1uRtNO-00000002MA5-3gjF; Wed, 18 Jun 2025 16:02:55 +0200
Message-ID: <d0995a85-cbdd-4ec6-bd2c-09fe23455e92@desec.io>
Date: Wed, 18 Jun 2025 16:02:54 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Johan Stenstam <johan.stenstam=40internetstiftelsen.se@dmarc.ietf.org>, DNSOP Working Group <dnsop@ietf.org>
References: <664DF8C5-5B5E-4929-9005-4FE516B2FEF6@internetstiftelsen.se>
Content-Language: en-US, de-DE
From: Peter Thomassen <peter@desec.io>
Autocrypt: addr=peter@desec.io; keydata= xsFNBFRjVn0BEADXqtra70yxQrT4MQ9DEhN0mxG6XRAOHE6nP18mqxwSlcET7D6w+z3h4ole v0tyvUU02c2wg04X8WVfjoHnAvIa1dfUcNpB1+QmfFsw0xIJlbT1ogHkMiPQqR4ChDvE3ND/ 6YCS5+HT6hY+tfU+hpLsKw4l+u1Pg2NPVLYosET1jU84b7xhFnoicnCV3kUNltLtxLKSBAfk AXtp1AWWKJbfCr3y0qKElMriicoe5DUZfLrZK2iPcWBxh+n7KMO2g7aqx3aQqwW1+S7Sq7Is l6iSurYfIcHb4AfUy4o5nPB8kKACR6BuJmkEQ5WLuTGruWA2fcxaNpICmolMinTzW1CrIjgN PoskMYCNIZ2uWxS6LN8hBiGCRL4h9aL4wuT09SvR13oAPI1HD5ph+mH6wD37/ONBXrdjcFNb 1l/uVkHU/SwwcKDJOsX18T60Ao00fciTbFHgmKtFube0xGK/vjh461TyU+xKD8Orvyeovvxy MzCwM3UVq/dkdG2Ys/7Qy/4bUC1nJEwKlLv7ZTdtSckdoU2M6JpPX6i4KDB2YCMbwtqJ842z 8A/UuE2bL9aDimh/sF8WgPIhlxqF1STNqW1JTIbDPv8HeZnM4nyJOUWStj4uRiETQhBClPLz YWtnR+EUsfbSLy81vfupbMqRasDlt6aASobgn+K7Rb1Xs/mDnwARAQABzSBQZXRlciBUaG9t YXNzZW4gPHBldGVyQGRlc2VjLmlvPsLBeAQTAQIAIgUCVGNWfQIbIwYLCQgHAwIGFQgCCQoL BBYCAwECHgECF4AACgkQ79YUOj7yLS88Dg//SbHnFGrtaImEiM69wyj4GzWnuGk9/upCym/R RzdBALCYHU9FUFFHwusiO9A0pnO8qv/GEtqqTHrcL205a6FTivkdZmOsWuN4oo7r4HBc/taI FLLUDg2wd8q4m4387sYEqrc3olGfyRB6hrMtEWVJLXHJmpcrxAaI1F2QO4Bu7kcdTnyGFz/p ZD8XAof2TWHqJb2ux69DFhiAJeAZlV+h9QrxTedL84l4hq3x1VWsnOEFaCJiThDX920kTnhJ ijrDocgAbmQBCniPACpPHYhBhmCJxfVqgfMuLMNsukOmKxsGcGV6rO1zB5ZUhm3O/Ixk6ow3 6FDKALWihg6Z4P/cJYySMn0iqvHkO8ryT9oJKX//mKaYoF6henXDRLCcRjKwGxFQTEgX+6yc pjgvX3rlypjkPT5ho4yEc5ePkQ2gIIHhvZburm1Zr4nDPx6v8+3XUjpXBRTWQ8/0/h0rtLJe yOPwGJxcfKf/GutTCqiio0mS01mIY9c2i7JWcljlIuSEUit6CHotc5lBOm2GJwguRJG6cXPY SQecwBdcjH3RTzBOv/DN6xWAIV7BmbX/e7DSGAc60mBO1/M0ut+a6CkxRQK8TaE3B3zh1/QO nG0XvtZfIY8ZYdTrdEDSV1Pj5pof/fqhhegHRxN2qi4qIuVcrW0jsUsx10IgAynHR7qQKsvO wU0EVGNWfQEQAPBA8iPCS4ZRX8stW0WuW7579axSq/Luyik4MWDFalt68lzvUbV0f6faN15+ aV7VwMTw3rSa2tP0U8crYAAAZ5NrRHXlYms5BK9vsi1322dAvhyNRawdprP627SO+Ez/84tY xz1X3M9esbN7gpJtHP6mHW76zYpT447v6c2qlbldjobZTDb6kKSGFCIrPJz9M4jVfya+ovxe 2Ab7hn2R0CcyMHATV5g1Ry0XXaj5y3bWypActbG9nflRn3NjhHZynu+WEPDUJCO8kNVNYKOw HObNTeaLvgvU0ONB8pYJv35kDXMhZLwo5MJuJd5i54CXwpo9mECwLJT1RpJi7u98nBrWyyaH s2brG9LPCRKBKOhiHFu57H+cElh+kOvehuS7DFTzjqDwJlkQzP5Hq0G++hZxfdYocKdcdFoh RP3dtDAe+Lfiy9qzJicZ6ACbzoQIN58xj0VWAn1W7SuMErOjv84D/FiXHD2Kxtx09wQl8vH0 Nbh9UgyDBNupToM0ixT+8Ko8eBuYHR53RPxshQhFw4EMIhXiOaxNe1W2Z95QPnYhUGOMoy3I v4fxMQUHa4kZSF2qxsFB1Cxol/aBPGwkwoqUvzp23pLQtJ6youYXtLgvx3pR4L52Q5CUzHMa HvM67XWgW1KqtnvNBXN9PwtDz/a9fQX1YO4CegrXv8C9Ro+LABEBAAHCwV8EGAECAAkFAlRj Vn0CGwwACgkQ79YUOj7yLS8rXA/9EGX2QRfJS94JTdtseu7saTK9a3IKwk6E33GpfXyUVpMt sOqV756XQwULZSWoxInRQtWojA8pQxDUYrbA4MpX0Efr2Dx1xIsJ5F3JajOqViB1SbOD2m0f bxXbcoWKitsKoag2SlvNOd8rD9FcgDvrkacnaQZcZE8DyyGx0JU451tfoD/igu85NZpTDaWG 6fth7QRlxmdGWrGXRdXAP29jq1n0I1wIyF/bXlZ7MXjOSsfyPddzsnHFTvNMZKps0QXNF+hi ESg9chIeo/IFDDVu6pCtm6mftojx84rczTZiNk8r2T3TU4N8uwWtXn/nj9xd61pnxD0xkTPH zxJrCs59WSfYqj3aFNkWO3Lg0/HGnO9wHQKMXcGPsnKITHVzxCNBQtVHomNA7ds6Kt3/WJgS pU2ciICvrpvKgPNWQ0d/SeY3vYIRvDLZ12Svx6M3eXDrsgZOT5be7kGVr3t7dBOYKcRHkZUq kU1kCcgp0vetISVDOc5fkpdUkAtd5/13pIpz4ikVR3OM4Br4XMVShm6RvoP4pyA+ftCi1+bw 0UbRCrnHgnG+wtCf5nMDGVLc04vITnII+ESZqlF02a1IFj0Z2MuQK2Oszl2Nsx/LG60G1e/R pzKEXIIJgHfbwUCWtV1zQu6v9Ng5H8EqVeWcdaPUwSQMGcDg/sPa4s/OxhgrYBg=
In-Reply-To: <664DF8C5-5B5E-4929-9005-4FE516B2FEF6@internetstiftelsen.se>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: VD42Z5C4I7HQIV2VFYEKKRJ5X72BNDCU
X-Message-ID-Hash: VD42Z5C4I7HQIV2VFYEKKRJ5X72BNDCU
X-MailFrom: peter@desec.io
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Erik Bergström <erik.bergstrom@internetstiftelsen.se>, Leon Fernandez <leon.fernandez@internetstiftelsen.se>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: Extending the semantics of DSYNC to enable parent to signal absence of scanner or frequency of scans.
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kYV0vVriQtJIN4WlurfA_cIFujE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>
Hi Johan, I think this is a fine thing to do. There is a question of whether a scanner policy (existing with internal, or absence) should also be signal-able when another DSYNC record indicates a notification endpoint. I'm not sure this is useful, but I wanted to raise the point and see what others think. Also, while learning the scanner interval might help the child operator predict when to expect the new DS RRset to be published (for example) and thus better judge whether there is a problem, there may be additional delays (e.g., when using the Accept-after-Delay method of RFC 8078 Section 3.3, which is used by some ccTLD registries). This raises the question how useful the retrieved interval is for a child operator (in the context of initializing a DS record set). This concern of course does not change that utility of learning whether a scanner exists or not. Best, Peter On 6/12/25 16:34, Johan Stenstam wrote: > Hi all, > > We just uploaded an absolutely trivial new draft that is intended to close two holes that should be easy to close once we have DSYNC published (it is in the RFC Editor queue since earlier this spring). > > Announce Existence of Parent CDS/CSYNC Scanner <https://datatracker.ietf.org/doc/draft-berra-dnsop-announce-scanner/> > datatracker.ietf.org <https://datatracker.ietf.org/doc/draft-berra-dnsop-announce-scanner/> > ietf-logo-nor-180.png <https://datatracker.ietf.org/doc/draft-berra-dnsop-announce-scanner/> > > <https://datatracker.ietf.org/doc/draft-berra-dnsop-announce-scanner/> > > What holes may that be? > > Hole #1: what is the frequency of the parent scanner? > > As I work for a parent (.SE) that actually does both CDS and CSYNC scanning I know for a fact that we regularly get emails from children that are confused that we have not picked up on the CDS or CSYNC that they just published. We explain that the scanner only runs once every 24h and case is closed. > > Hole #2: is there a scanner at all or not? > > Up until now there has been no standardized method for finding out (a) if there is a parent-side CDS (and/or CSYNC) scanner. Sure, we publish the existence on a web page somewhere, but I’m sure that child-side software will not read that. I’m also sure that other scanner operators publish existence of their scanners in some way differently from how we do it. And also human operators will typically not bother to hunt for that information. > > However, my assumption (or perhaps, my hope) is that as DSYNC gains use there will be an increasing amount of child-side software systems that look for the DSYNC RRset to figure out how to announce new CDS and/or CSYNC publications. So then we can obviously use that to send signals back directly to the child system. > > Our proposal is the following: > > a) To signal the ABSENCE of a scanner or the FREQUENCY of a scanner that does not support generalized notifications the parent should publish a DSYNC record with a Target of “.” I.e. the target “.” should be interpreted as “don’t send notifications here, we’re just trying to tell you something”. > > b) In the ABSENCE of a scanner, set the Port to 0 (zero). I.e.: > > example. DSYNC CDS NOTIFY 0 . > > is effectively a statement that says “there is no CDS scanner here, we will not se your CDS records, don’t email us to ask whether our scanner is broken, etc…” > > c) In the PRESENCE of a scanner, but no support (yet) for generalized notifications, set the Port to the intended frequency of the scanner, measured in minutes. I.e.: > > Example. DSYNC CSYNC NOTIFY 1440 . > > is a statement that “yes, there is a CSYNC scanner, but it only runs once every 24h and we do not (yet) support generalized notifications, please have some patience”. > > Consequences: > > Parent-side there is zero implementation work. Publishing these records is just policy statements. > > Child-side there is limited implementation work to deal with this information from the parent. If a child-side implementation doesn’t want to deal with this information then that’s ok and nothing will break. But, presumably child side implementations are not yet set fully in stone, and by checking this data (if it is published by the parent) may allow them to set expectations correctly and thereby work better. > > The draft is only a couple of pages long and we appreciate all and any comments. > > Regards, > Johan > > > _______________________________________________ > DNSOP mailing list -- dnsop@ietf.org > To unsubscribe send an email to dnsop-leave@ietf.org -- Like our community service? 💛 Please consider donating at https://desec.io/ deSEC e.V. Möckernstraße 74 10965 Berlin Germany Vorstandsvorsitz: Nils Wisiol Registergericht: AG Berlin (Charlottenburg) VR 37525
- [DNSOP] Extending the semantics of DSYNC to enabl… Johan Stenstam
- [DNSOP] Re: Extending the semantics of DSYNC to e… Peter Thomassen