Re: [DNSOP] [Ext] DNSSEC Strict Mode

Wes Hardaker <wjhns1@hardakers.net> Thu, 25 February 2021 00:10 UTC

Return-Path: <wjhns1@hardakers.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A3C93A1DFB for <dnsop@ietfa.amsl.com>; Wed, 24 Feb 2021 16:10:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hi6LmSui_4sc for <dnsop@ietfa.amsl.com>; Wed, 24 Feb 2021 16:10:40 -0800 (PST)
Received: from mail.hardakers.net (mail.hardakers.net [168.150.192.181]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A89A53A1DFA for <dnsop@ietf.org>; Wed, 24 Feb 2021 16:10:40 -0800 (PST)
Received: from localhost (unknown [10.0.0.3]) by mail.hardakers.net (Postfix) with ESMTPA id 7353E29E10; Wed, 24 Feb 2021 16:10:36 -0800 (PST)
From: Wes Hardaker <wjhns1@hardakers.net>
To: Ulrich Wisser <ulrich=40wisser.se@dmarc.ietf.org>
Cc: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, Paul Hoffman <paul.hoffman@icann.org>, Samuel Weiler <weiler@watson.org>, dnsop <dnsop@ietf.org>
References: <CAHbrMsBeCiZ-31hjKvet2UPDPFhdVYpgqR6Kw-WWz1ERgeSFoQ@mail.gmail.com> <7BB07063-2CA3-4283-8866-2B19A7AAA9A0@icann.org> <45e3c45-d324-8124-5dae-98acba9dd7cb@watson.org> <CAHbrMsBsG8OnXOXwAFY5eNf-0viQ_e5nKKhp1XVpnpMkGW1L-Q@mail.gmail.com> <02CAFAF2-BD58-48D4-B9CC-DD06EB99357B@wisser.se>
Date: Wed, 24 Feb 2021 16:10:36 -0800
In-Reply-To: <02CAFAF2-BD58-48D4-B9CC-DD06EB99357B@wisser.se> (Ulrich Wisser's message of "Wed, 24 Feb 2021 16:01:21 +0100")
Message-ID: <ybly2fd9fcz.fsf@w7.hardakers.net>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/mbZWbTaMOyd1Mf_tGNU0uJcCqdY>
Subject: Re: [DNSOP] [Ext] DNSSEC Strict Mode
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Feb 2021 00:10:43 -0000

Ulrich Wisser <ulrich=40wisser.se@dmarc.ietf.org> writes:

> Not only am I in favor of the RFC6840 lax validation, it is in fact
> necessary for secure DNSSEC operation.

I almost wrote up an ID specifically to say validation should always
be lax, but be much clearer about it than the current specs.

I kind of like Ben's proposal, *if* it were married with a clear set of
text saying that without it validators should take any acceptable validation
path (and not "all or nothing").

Only operators understand their situations with respect to "should I be
more robust or more secure?"  You can't have both, and right now I know
operators who refuse to roll their algorithm because the complexity is
too high (hence my other draft).  So they stick with an insecure
algorithm instead.  Is that better?  Wouldn't it be better for people
who just want security but robustness to give them an option that
provides that without the ultra-security required by others?
-- 
Wes Hardaker
USC/ISI
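The "any acceptable validation path" versus "all or nothing" choice discussed in this thread, worked through as an added example (not code from the thread, from RFC 6840, or from any resolver). The toy validator below reads "lax" as RFC 6840 section 5.11 (one verifying RRSIG under a trusted DNSKEY is enough) and "strict" as the all-or-nothing reading of RFC 4035 section 2.2 (every algorithm in the DNSKEY RRset must have a verifying RRSIG); whether that matches Ben's exact proposal is an assumption. The signature check is a SHA-256 stand-in, not real RSA/ECDSA RRSIG verification, and the keys, key tags and MX records are constructed for illustration.

```python
"""Toy model of RFC 6840 5.11 'lax' validation versus an all-or-nothing
'strict' mode during an algorithm rollover.  Added example only; the RRSIG
check is a SHA-256 stand-in, not real DNSSEC signature verification, and
all keys, tags and records below are constructed."""

import hashlib
import hmac
from dataclasses import dataclass

RSASHA256 = 8            # IANA DNSSEC algorithm numbers
ECDSAP256SHA256 = 13


@dataclass(frozen=True)
class DNSKEY:
    key_tag: int
    algorithm: int
    secret: bytes        # stand-in for the key pair; never on the wire in real DNSSEC


@dataclass(frozen=True)
class RRSIG:
    key_tag: int
    algorithm: int
    signature: bytes


def canonical(rrset):
    # RFC 4034 canonical ordering, reduced to sorted presentation-format records.
    return "\n".join(sorted(rrset)).encode()


def sign(key, rrset):
    digest = hashlib.sha256(key.secret + canonical(rrset)).digest()
    return RRSIG(key.key_tag, key.algorithm, digest)


def verify(key, sig, rrset):
    # Key tag and algorithm must match before the (stand-in) signature is checked.
    if (key.key_tag, key.algorithm) != (sig.key_tag, sig.algorithm):
        return False
    expected = hashlib.sha256(key.secret + canonical(rrset)).digest()
    return hmac.compare_digest(expected, sig.signature)


def validate(rrset, rrsigs, dnskeys, strict):
    """Return 'Secure' or 'Bogus'.

    lax    (RFC 6840 5.11): any one RRSIG verifying under a DNSKEY suffices.
    strict (all or nothing): every algorithm in the DNSKEY RRset must have a
           verifying RRSIG, i.e. the RFC 4035 2.2 signing rule enforced by
           the validator rather than only by the signer.
    """
    verified = {sig.algorithm for sig in rrsigs
                for key in dnskeys if verify(key, sig, rrset)}
    if not verified:
        return "Bogus"
    if strict and not {k.algorithm for k in dnskeys} <= verified:
        return "Bogus"
    return "Secure"


# Constructed zone state: apex DNSKEY RRset mid-rollover, both algorithms published.
OLD = DNSKEY(12345, RSASHA256, b"old-rsa-key-material")
NEW = DNSKEY(54321, ECDSAP256SHA256, b"new-ecdsa-key-material")
DNSKEYS = [OLD, NEW]
MX = ["example. 3600 IN MX 10 mail.example."]


def both_modes(rrset, rrsigs):
    return (validate(rrset, rrsigs, DNSKEYS, strict=False),
            validate(rrset, rrsigs, DNSKEYS, strict=True))


def scenario_partial_rollover():
    """Operator published the new DNSKEY but has not yet re-signed MX with it:
    robustness case, where lax keeps the zone resolving and strict SERVFAILs."""
    return both_modes(MX, [sign(OLD, MX)])


def scenario_compromised_old_algorithm():
    """Attacker holding the old key forges MX but cannot produce the ECDSA RRSIG:
    security case, where lax accepts the forgery and strict rejects it."""
    spoofed = ["example. 3600 IN MX 10 mail.attacker.invalid."]
    return both_modes(spoofed, [sign(OLD, spoofed)])


def scenario_fully_signed():
    """Correctly signed with both algorithms: both modes agree."""
    return both_modes(MX, [sign(OLD, MX), sign(NEW, MX)])


def scenario_garbage_signature():
    """Signature that verifies under no key: both modes agree."""
    return both_modes(MX, [RRSIG(12345, RSASHA256, b"\x00" * 32)])


if __name__ == "__main__":
    for fn in (scenario_partial_rollover, scenario_compromised_old_algorithm,
               scenario_fully_signed, scenario_garbage_signature):
        lax, strict = fn()
        print(f"{fn.__name__:36s} lax={lax:7s} strict={strict}")
```

The two interesting rows are the first two: the same validator policy that keeps a half-rolled zone resolving under lax mode is the one that lets a forged signature under a compromised or weak algorithm through, which is the robustness-versus-security trade-off the message describes as something only the operator can decide.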