[DNSOP] Call for Adoption: Consistency for CDS/CDNSKEY and CSYNC is Mandatory

Tim Wicinski <tjw.ietf@gmail.com> Wed, 07 June 2023 15:52 UTC

To: dnsop <dnsop@ietf.org>
Cc: dnsop-chairs <dnsop-chairs@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pocl2z9HwySssCzEyFudg7qm7_E>

All,

We've had this document in DNSOP for a bit and Peter has presented at three
different meetings. When I went back and looked at the minutes, the
feedback was good. But when the chairs and Warren discussed it, we had
confused ourselves on this document, which is our bad. We decided to stop
confusing ourselves and let the working group help us out.

What I did was to pull the comments on this document from the minutes of
the meetings and include them below to make it easier to remember what was
said.


This starts a Call for Adoption for draft-thomassen-dnsop-cds-consistency

The draft is available here:
https://datatracker.ietf.org/doc/draft-thomassen-dnsop-cds-consistency/

Please review this draft to see if you think it is suitable for adoption
by DNSOP, and send any comments to the list, clearly stating your view.

Please also indicate if you are willing to contribute text, review, etc.

This call for adoption ends: 21 June 2023

Thanks,
tim wicinski
For DNSOP co-chairs

Minutes from past meetings on "Consistency for CDS/CDNSKEY and CSYNC is
Mandatory"

----

IETF 114
    Mark: CDS records are no different than any others
        One NS might be down, which would stop the
        Peter: This is telling the parent how to act when faced with inconsistent information
    Viktor: There might be hidden masters
        Don't want to get stuck
        Peter: Wording could be changed to allow servers down
    Ben: There is a missing time constant
        When do I recheck if I get an inconsistent set?
        Peter: 7344 doesn't put any time limit
        Ben: Should suggest some time to retry when there is an inconsistency

IETF 115
    Wes: Supports this
        Likes mandating checking everywhere
    Ralf: Supports this
        Can't ask "all" servers in anycast
        What if you don't get a response
        Peter: Ask each provider
            Is willing to add in wording about non responses
        Paul Wouters: This wasn't in CSYNC, our bug
    Viktor: Concern was hidden masters and nameservers that are gone and are never going to come back


IETF 116
    Viktor: Corner case: if someone is moving to a host that doesn't do DNSSEC
        Peter: Could add a way to turn off DNSSEC on transfer
    Johan Stenstam: Breaks the logic that "if it is signed, it is good"
        Doesn't like "if this is really important"
        Let's not go there
        Authoritative servers are proxies for the registrant
        Out of sync is reflection on the registrant: business issues
    Wes: CSYNC was for keeping DNS up and running
        CSYNC can't fix the business problems
    Peter: Agrees that one signature should be OK
        Other parts of the spec also suggest asking multiple places
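The minutes above circle around one parent-side decision: having fetched the child's CDS/CDNSKEY (or CSYNC) RRset from every authoritative nameserver, act only when the answers agree, and decide what to do about servers that disagree or never answer. The following Python is an added example, not code from this thread, the draft, or its author. It assumes the caller has already queried each server and DNSSEC-validated the answers, represents a non-answering server as `None` and an RRset as a frozenset of RDATA strings, and adds an `allow_missing` switch for the "servers down / hidden masters" relaxation Peter offered; the back-off policy in `recheck_delay` and the sample CDS digests are constructed, not taken from the draft.

```python
# Added example (not code from the DNSOP thread, the draft, or its author):
# a parent-side consistency check over CDS/CDNSKEY (or CSYNC) RRsets that
# were fetched from every authoritative nameserver of the child zone.
# Assumptions, all constructed for this example: the caller has already
# queried each server and DNSSEC-validated the answers; a server that did
# not answer is passed as None; an RRset is a frozenset of RDATA strings.
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Optional


class Verdict(Enum):
    ACCEPT = "accept"              # every server agrees: the parent may act
    INCONSISTENT = "inconsistent"  # servers disagree: the parent must not act
    UNREACHABLE = "unreachable"    # not every server answered: do not act yet


@dataclass(frozen=True)
class Decision:
    verdict: Verdict
    rrset: Optional[FrozenSet[str]]  # the agreed RRset on ACCEPT, else None
    detail: str


def check_consistency(responses: Dict[str, Optional[FrozenSet[str]]],
                      allow_missing: bool = False) -> Decision:
    """Decide whether the parent may act on the child's CDS/CDNSKEY RRset.

    responses maps nameserver name -> RRset, or None when the server gave no
    answer. An empty frozenset is a real answer ("no such records") and so
    disagrees with a server that returned records.

    allow_missing=True is the relaxation discussed in the minutes (servers
    that are down, or hidden masters that never come back): servers that did
    not answer are ignored, but every server that did answer must agree and
    at least one must have answered.
    """
    answered = {ns: rrs for ns, rrs in responses.items() if rrs is not None}
    silent = sorted(ns for ns, rrs in responses.items() if rrs is None)

    if not answered:
        return Decision(Verdict.UNREACHABLE, None, "no nameserver answered")

    distinct = set(answered.values())
    if len(distinct) > 1:
        # Group servers by what they returned so the log says who disagreed;
        # a single stale or disagreeing server must not drive a DS change.
        groups = {}
        for ns, rrs in answered.items():
            groups.setdefault(rrs, []).append(ns)
        who = "; ".join(f"{sorted(nss)} -> {sorted(rrs)}"
                        for rrs, nss in groups.items())
        return Decision(Verdict.INCONSISTENT, None, f"servers disagree: {who}")

    if silent and not allow_missing:
        return Decision(Verdict.UNREACHABLE, None, f"no answer from {silent}")

    rrset = next(iter(distinct))
    note = f" (ignored unreachable {silent})" if silent else ""
    return Decision(Verdict.ACCEPT, rrset,
                    f"{len(answered)} server(s) agree{note}")


def recheck_delay(attempt: int, base_seconds: int = 3600,
                  cap_seconds: int = 86400) -> int:
    """Assumed retry policy (the minutes note that 7344 sets no time limit):
    exponential back-off from base_seconds, capped at cap_seconds."""
    return min(cap_seconds, base_seconds * (2 ** max(attempt, 0)))


# Constructed sample data: two CDS RDATA sets with placeholder digests.
CDS_CURRENT = frozenset({"12345 13 2 " + "aa" * 32})
CDS_STALE = frozenset({"23456 13 2 " + "bb" * 32})


def run_example() -> Dict[str, Decision]:
    """Constructed scenarios from the minutes; returns the decisions."""
    agree = {"ns1.example.": CDS_CURRENT, "ns2.example.": CDS_CURRENT}
    stale = {"ns1.example.": CDS_CURRENT, "ns2.example.": CDS_STALE}
    down = {"ns1.example.": CDS_CURRENT, "ns2.example.": None}
    return {
        "agree": check_consistency(agree),
        "stale": check_consistency(stale),
        "down_strict": check_consistency(down),
        "down_relaxed": check_consistency(down, allow_missing=True),
    }


if __name__ == "__main__":
    for name, d in run_example().items():
        print(f"{name:13s} {d.verdict.value:13s} {d.detail}")
```

The strict mode is the draft's default reading of the minutes (Wes: "mandating checking everywhere"); the relaxed mode is the concession for dead or hidden servers, and it still refuses to act when the servers that do answer disagree. The `Decision.detail` string is meant to be logged, so an operator can see which server (and which provider) is serving the divergent set.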