IETF Logo Mail Archive

[DNSOP] Re: Working Group Last Call for draft-ietf-dnsop-cds-consistency

Frederico A C Neves <fneves@registro.br> Wed, 11 June 2025 12:20 UTC

Return-Path: <fneves@registro.br>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 4D19533A6C4D for <dnsop@mail2.ietf.org>; Wed, 11 Jun 2025 05:20:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.397
X-Spam-Level:
X-Spam-Status: No, score=-4.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=registro.br
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bYC-A23-77cM for <dnsop@mail2.ietf.org>; Wed, 11 Jun 2025 05:20:19 -0700 (PDT)
Received: from clone.registro.br (clone.registro.br [200.160.2.4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 1815633A6C48 for <dnsop@ietf.org>; Wed, 11 Jun 2025 05:20:19 -0700 (PDT)
Received: by clone.registro.br (Postfix, from userid 1000) id B063E471FE; Wed, 11 Jun 2025 09:20:17 -0300 (-03)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=registro.br; s=clone; t=1749644417; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=qQBJF7UZkmsUtzWGo2RKTs6NCQclnEG1lKETB6fagXk=; b=JUfQZBHzraksfJRLJ8p+MU29vvCtCdAzpqdwizE5iqMd0X04+5KTT5Eh4buddMqqRXXMNx qPW/1MmlZGSVtjLbnxXORxCPSxU/OllHcxNw/glV1h59tkOdr1N+50rU5vRPugYQu3CNF/ KPbeepku7/IrPNTdoj2ueBRkovVp1oxQy3yop++OLCSo6Ji8jms2iz2Kb7p3USklYitBcF V7OCMcC1lbVXVf0b+9tPVx3oSmZWBDnMLbItLxu7kYHYlSG5kHQIlFbjVnqFtBfNlot+OK IHmwJ4RJHMMt8YOpI2OcAI2wRPWiSnsL/r7+RhxGl3NrJ2RHYdZn/hgHJXAmIQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=registro.br; s=clone; t=1749644417; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=qQBJF7UZkmsUtzWGo2RKTs6NCQclnEG1lKETB6fagXk=; b=iyjZxCyJMis03arH6pzGh0WOL2fYgYUgVQMj/RxU90HvnwB5k7quofFLtRKtEGK14jQkkj IgAySI0ptLQxolcO10UeeShe3kfPy73Yu97cuRHPpBpNZWJvkjAIiukVuifcYhDIA4KHmX 9CLoF9hMmRsvagE0kSQ81ScoodT1ARokIrXsQlVA5bGQx0lT3F4jeV2ui2khgORvRViMxM QlxbH6WQ98VJhptTn5/OP5iTMXRgiC+40xD487bNi2YBnAwnNI+3N1Dh26vW814L/jKRLP Qc0ya55hIKZ543fTYWJaQ2HoZeB+z3LlaUHXzs34WMjfdwqhdXUsoC0a1IjJag==
ARC-Seal: i=1; s=clone; d=registro.br; t=1749644417; a=rsa-sha256; cv=none; b=IghXZpBEGhGareX4exYoqLrxx0kOMS1hcYoFJ8afYi+1tRMl9XYjxp2TG9OzvDfKvM3W8W r8pQPYNogTav+UQhISCHUGbrviHJ/O01ZcafRQysFyT1mEfeEUxOrfw6IwwczelscjUN7N gCjBR/tk8EXhotwWq41ai/XQv4ElqFy1FYaNj+xqcELoNd7rR21I6ftvUzsj648D5pLw8y Ee14PRiWtfVp8NZvde6gORNKbBz0HWt9QjtQk+K/UxC3VLvoK3ZqoynrpaP/wlPPH084n0 qZZOLR4IG8o5F7HXl8/+sFDEwq8uYWVwmf2FTj9JtRLUxHtxA8XOTSX6j7e9+Q==
ARC-Authentication-Results: i=1; clone.registro.br; none
Date: Wed, 11 Jun 2025 09:20:17 -0300
From: Frederico A C Neves <fneves@registro.br>
To: Joe Abley <jabley=40strandkip.nl@dmarc.ietf.org>
Message-ID: <aEl0gT62_PPXM1cG@registro.br>
References: <C586176E-4D7E-454D-8607-ADFAD602B01E@sury.org> <AE182B59-62AD-42BA-8490-FC6F7F80D4F1@strandkip.nl>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <AE182B59-62AD-42BA-8490-FC6F7F80D4F1@strandkip.nl>
X-Spamd-Result: default: False [-3.10 / 15.00]; BAYES_HAM(-3.00)[100.00%]; MIME_GOOD(-0.10)[text/plain]; FUZZY_RATELIMITED(0.00)[rspamd.com]; FROM_HAS_DN(0.00)[]; RCVD_COUNT_ZERO(0.00)[0]; ARC_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; MISSING_XM_UA(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]; NEURAL_HAM(-0.00)[-0.880]; DKIM_SIGNED(0.00)[registro.br:s=clone]; FROM_EQ_ENVFROM(0.00)[]; ARC_SIGNED(0.00)[registro.br:s=clone:i=1]; TO_MATCH_ENVRCPT_ALL(0.00)[]; TO_DN_ALL(0.00)[]; RCPT_COUNT_THREE(0.00)[3]
X-Rspamd-Server: clone.registro.br
X-Rspamd-Action: no action
X-Rspamd-Queue-Id: B063E471FE
Message-ID-Hash: IRDBOSUS5UBKIMT6CE3AOX5LK23BDJXW
X-Message-ID-Hash: IRDBOSUS5UBKIMT6CE3AOX5LK23BDJXW
X-MailFrom: fneves@registro.br
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Ondřej Surý <ondrej@sury.org>, dnsop <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: Working Group Last Call for draft-ietf-dnsop-cds-consistency
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/peKtBGaH5pWXPWBHnD6pNeS92LM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

On Wed, Jun 11, 2025 at 02:13:38PM +0200, Joe Abley wrote:
> Hi Ondrej,
> 
> On 28 May 2025, at 14:42, Ondřej Surý <ondrej@sury.org> wrote:
> 
> > this starts a Working Group Last Call for draft-ietf-dnsop-cds-consistency
> > 
> > Current versions of the draft is available here:
> > https://datatracker.ietf.org/doc/draft-ietf-dnsop-cds-consistency/
> > 
> > The Current Intended Status of this document is: Proposed Standard
> 
> I don't think the recommendations in the document will do any harm, and some people think they are useful, so I think it is fine to publish this advice. However, I do have some reservations, about which I am happy to be told why I am wrong.
> 
> The core advice:
> 
>    This document therefore specifies that parent-side entities MUST
>    ensure that the updates indicated by CDS/CDNSKEY and CSYNC record
>    sets are consistent across all of the child's authoritative
>    nameservers, before taking any action based on these records.
> 
> is, in general, not actionable. The full set of authority servers for a zone are frequently not available from a single vantage point, since a single nameserver address often maps to many different individual servers which may or may not serve consistent information (e.g. when an individual NS target is deployed using anycast in one or more address families). Depending on how you count them, most nameservers are anycast, so I think it could be said that this is not a niche observation. The revised advice might boil down to "instead of just looking for an answer as a stub resolver would, look at a random two out of 100,000 possible authoritative servers" and I'm not convinced that is much of an improvement.
> 
> I am also not very convinced that incoherence between authoritative servers or the effects of caching are good reasons to do this. I can see how there are failure modes where those effects could be unhelpful, but there are always more failure modes and sometimes I think a failure should just be a failure and the greater mission  is not actually helped by the application of yet more duct tape.
> 
> With respect to multi-signer configurations, I think the right way to solve that is to sync CDS and CDNSKEY between participating signers just as the corresponding DNSKEY RRs are synced. This seems like a solution that is more effectively aligned with the problem; to put it another way, multi-signer implementations would be more robust if they didn't have to make assumptions about whether the polling advice in this document was followed or not.
> 
> 
> Joe

Agree with both points Joe.

Fred

v2.39.1 | Report a Bug | By Email | System Status