Re: [DNSOP] Obsoleting DLV
Matthijs Mekking <matthijs@pletterpet.nl> Thu, 25 July 2019 12:59 UTC
Return-Path: <matthijs@pletterpet.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3161120172 for <dnsop@ietfa.amsl.com>; Thu, 25 Jul 2019 05:59:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.597
X-Spam-Level:
X-Spam-Status: No, score=-2.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tCOSI3dyLtTx for <dnsop@ietfa.amsl.com>; Thu, 25 Jul 2019 05:59:47 -0700 (PDT)
Received: from lb2-smtp-cloud9.xs4all.net (lb2-smtp-cloud9.xs4all.net [194.109.24.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF51F120167 for <dnsop@ietf.org>; Thu, 25 Jul 2019 05:59:46 -0700 (PDT)
Received: from [IPv6:2001:980:4eb1:1:b483:1312:ef97:d0a0] ([IPv6:2001:980:4eb1:1:b483:1312:ef97:d0a0]) by smtp-cloud9.xs4all.net with ESMTPSA id qdLPhOAXT0QvJqdLQhBuuY; Thu, 25 Jul 2019 14:59:44 +0200
To: dnsop@ietf.org
References: <56a4b9a1-6e80-be24-0852-fe3b91869f1e@pletterpet.nl> <alpine.OSX.2.20.1907231804420.14762@dhcp-9328.meeting.ietf.org>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <082f6fbb-9327-f974-71c5-dac959487aa6@pletterpet.nl>
Date: Thu, 25 Jul 2019 14:59:39 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <alpine.OSX.2.20.1907231804420.14762@dhcp-9328.meeting.ietf.org>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-CMAE-Envelope: MS4wfGgFpWOayQKJ8iVArBQ1RkL8vZ4gvTJmQv2VqeTsKmaFJWtSTemDjdEeXyIS6OKAX7otxNsK9/rqBHCvreZ9RNn86pVS4SdS83sBXy1Tao0kSA7GiYXf THhhojjcnbFNjSGFOQ/fbv+AZd4n+LeXovLKqgdtx3Wk5j+CiWPnrVtDaANwZ/vwQEHfHDr1Jib+dn4noxwXkcrPRu+3MSud6MK7Qxo21K9J8Dof4eHRVvwQ A7MgM23BIY6FmoBpYlNCsRdBb3jtHzyrSRoIABatYss=
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/m7JAhW2YInUPxH4mGBXSLscXXQE>
Subject: Re: [DNSOP] Obsoleting DLV
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jul 2019 12:59:50 -0000
Sam,
On 7/25/19 1:22 AM, Samuel Weiler wrote:
> On Tue, 2 Jul 2019, Matthijs Mekking wrote:
>
>> Here's a draft with discussion why also the protocol should go
>> away. We would like to hear what you think about it.
>
> The discussion of the private network use case in section 2 has two
> minor errors plus one bit that is unclear.
>
> When we designed DLV, we certainly considered a private network use
> case. RFC5074 does not strictly have public trust anchors take
> precedence over ("mask") DLV records [1].
I read text from RFC 6840 (Section C.3):
When the trust anchors have come from different sources (e.g.,
automated updates ([RFC5011]), one or more DNSSEC Lookaside
Validation (DLV) registries ([RFC5074]), and manual configuration), a
validator may wish to choose between them based on the perceived
reliability of those sources. The order of precedence might be
exposed as a configuration option.
> I suggest replacing the text in section 2 starting with "One other..."
> with:
>
> One other possible reason to keep DLV is to distribute trust anchors
> for private enterprises. The authors are not aware of any such use
> of DLV.
>
> That does not include the argument in the below bullet, which I find
> unclear. What does "name redirection" mean in this context?
>
> o Since the zones are related to private networks, it would make
> more sense to make the internal network more secure to avoid name
> redirection, rather than complicate the DNS protocol.
Thanks, I made the change in the GitHub repository (BTW I also resolved
Paul Wouters nit comments from earlier).
Best regards,
Matthijs
> -- Sam
>
>
> [1] Specifically, 5074 says to use public trust anchors first. If they
> give a validation result other than "Secure", then do DLV processing.
> I'm not 100% sure of how BIND's logic works here.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
- [DNSOP] Obsoleting DLV Matthijs Mekking
- Re: [DNSOP] Obsoleting DLV David Conrad
- Re: [DNSOP] Obsoleting DLV Paul Wouters
- Re: [DNSOP] Obsoleting DLV Dan York
- Re: [DNSOP] Obsoleting DLV Warren Kumari
- Re: [DNSOP] Obsoleting DLV Joe Abley
- Re: [DNSOP] Obsoleting DLV Jim Reid
- Re: [DNSOP] Obsoleting DLV Erwin Lansing
- Re: [DNSOP] Obsoleting DLV Paul Vixie
- Re: [DNSOP] Obsoleting DLV Loganaden Velvindron
- Re: [DNSOP] Obsoleting DLV Tim Wicinski
- Re: [DNSOP] Obsoleting DLV Samuel Weiler
- Re: [DNSOP] Obsoleting DLV Samuel Weiler
- Re: [DNSOP] Obsoleting DLV Tony Finch
- Re: [DNSOP] Obsoleting DLV Matthijs Mekking
- Re: [DNSOP] Obsoleting DLV Mark Andrews