Re: [DNSOP] The DNSOP WG has placed draft-mglt-dnsop-dnssec-validator-requirements in state "Call For Adoption By WG Issued"

Bob Harold <rharolde@umich.edu> Wed, 06 May 2020 16:48 UTC

Return-Path: <rharolde@umich.edu>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF84B3A0412 for <dnsop@ietfa.amsl.com>; Wed, 6 May 2020 09:48:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umich.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JDJzXVQxs27J for <dnsop@ietfa.amsl.com>; Wed, 6 May 2020 09:48:02 -0700 (PDT)
Received: from mail-lj1-x22c.google.com (mail-lj1-x22c.google.com [IPv6:2a00:1450:4864:20::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2CD543A05E2 for <dnsop@ietf.org>; Wed, 6 May 2020 09:48:02 -0700 (PDT)
Received: by mail-lj1-x22c.google.com with SMTP id a21so3086421ljb.9 for <dnsop@ietf.org>; Wed, 06 May 2020 09:48:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu; s=google-2016-06-03; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=kQLU+/EY50Mg8Tn4Uowo+pKzLxK7y1ENzQLu0ObmncM=; b=f8vQk1iD41a4sm7+q5nHbyOedcuki1BMACgzHDgwyUFj2OWUk3AiZfLx8vaYdwAKBc vU39z+pS/ay3W4dVCD4+ECB3ZKi0haEvngMOqd7MjPnGjcGV13j+H4YcgUyH42dI1/TH qLtzaFokpmuSFN/u/zSo/esA3T45dXDxuQms84t5UwbUClsHSASRbYDQZ7QcfOV4Unj0 o4cERbpxKYlsjHg3kIPFiRTvIuh/iSQxz4I8WJCi4UjLyiTnmOdKQsQRi7tXsGsFxOkv n5BY/PiC7hvy8BLmF7jpglFde3SOTHzl2u7ZZtt6xJGZBYY9u/5BjGaowXu6jOteq4hc 0iIA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=kQLU+/EY50Mg8Tn4Uowo+pKzLxK7y1ENzQLu0ObmncM=; b=NimAqhzK2I+Q4//hx2y3DwJ5Ez6dWgU+I0AuD19/bAX38c78KtaAU+1ef9UThGiYG2 EcnBeUN0GACPWE1AqL7y2cpZDuLEm9/nzM81RtdYz/tPlYjxjaWso+zCczi9KzzqzeB6 Bl+4ypBhsU4bv9aSDOzfNWhdM/83j6aWR0HJCMqsBTXiYxPNSeFlp/r4IWJhfDhPnPMg P7U9rMIg+cy2kbU2+hMRRq8Q51EeUt+L8MdMWfkuI7DF3GRgYUYWD/9OT4Mwvrwps3n4 K0Un1FQa2zN03ZJmqh4QVZnEQ6U9ySEPebol/fqufGZOBbcV2yW7s38ml2vKyTWxol3Q AH2w==
X-Gm-Message-State: AGi0PuZMYS9OmvAbji7c0OeL1JoeYyVeEpRvRb8fR2iKqyJ5oUAIhL30 lomUqTiYSRC9ZLcJRLLO6q5ZpzlE5UkOuxwTvbEhXg==
X-Google-Smtp-Source: APiQypIBIHCeKxjNuMdVsWaQE/KmShOGSNhNCNL638pGKRZmfxlYh9riYndlFFs7fUFse3X4DYpkv6Sm0gg/DPWB69Q=
X-Received: by 2002:a2e:7d0f:: with SMTP id y15mr5745159ljc.91.1588783680260; Wed, 06 May 2020 09:48:00 -0700 (PDT)
MIME-Version: 1.0
References: <158861946403.9316.9132034162941715598@ietfa.amsl.com> <CA+nkc8Bd+X9vfMq-Fzm6x1BbkiYGxh_TaxTwRXGj+2bXF+w-aw@mail.gmail.com> <CA+nkc8Bp_Js5_PF3PPPjtSuEetUwZpNxjJie5UXkD_3X-HRASg@mail.gmail.com> <SA0PR15MB379199F512D21F540C066464E3A70@SA0PR15MB3791.namprd15.prod.outlook.com> <CADZyTknCkTb9upGNLt-SF_13=Q-+P+D5vk_5uV61hBwGZttJJw@mail.gmail.com> <CA+nkc8Dk65zUgjUdmfvHK=WTzpAAfYdFEYKsVp8km5Lme=PMWw@mail.gmail.com> <CADZyTkkT-kSwq_VSOsYNG65a9KZedd-G6byfDz4D0DGR=ozUeg@mail.gmail.com>
In-Reply-To: <CADZyTkkT-kSwq_VSOsYNG65a9KZedd-G6byfDz4D0DGR=ozUeg@mail.gmail.com>
From: Bob Harold <rharolde@umich.edu>
Date: Wed, 6 May 2020 12:47:48 -0400
Message-ID: <CA+nkc8D6BxB=oanLjP5Cy2jpaTL2kt94AYi52tLOfooWbmYwHg@mail.gmail.com>
To: Daniel Migault <mglt.ietf@gmail.com>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e3205f05a4fd8658"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/q3OoK3fAiruSxj35Oeft0Hpk5zI>
Subject: Re: [DNSOP] The DNSOP WG has placed draft-mglt-dnsop-dnssec-validator-requirements in state "Call For Adoption By WG Issued"
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 May 2020 16:48:06 -0000

On Wed, May 6, 2020 at 12:16 PM Daniel Migault <mglt.ietf@gmail.com> wrote:

>
>
> On Tue, May 5, 2020 at 2:53 PM Bob Harold <rharolde@umich.edu> wrote:
>
>>
>> On Tue, May 5, 2020 at 12:02 PM Daniel Migault <mglt.ietf@gmail.com>
>> wrote:
>>
>>> Hi Bob,
>>>
>>> I apology the previous email has just been sent unexpectedly.
>>>
>>> Thanks for the comments. The new version of the file is available here
>>> [1] and a diff is available at [2].
>>>
>>> I propose the following text for clarification. Feel free to let me know
>>> if that addresses your concern.
>>>
>>> OLD:
>>> Not updating the configuration file prevents a failed synchronization to
>>> to the absence of write permission that are hardly in the control of the
>>> software."
>>>
>>> NEW
>>> Avoiding the configuration file to be updated prevents old configuration
>>> file to survive to writing error on read-only file systems.
>>>
>>
>> I understand that we do not want the system to fail due to missing write
>> permissions.  It seems like this could be handled two ways:
>> 1. Just keep in memory, and do not try to write a new configuration.
>> That works, until the old trust anchor is removed, then it fails if the
>> service is restarted.
>> 2. Attempt to write a new configuration, but keep going even if that
>> fails.  If the write succeeds, then this works even after the old trust
>> anchor is removed.
>>
>> I would prefer the second method.  I think that is what some software
>> already does.  (BIND?)
>>
>>
> Thank you for your feed backs, though this may be changed, in the current
> document we encourage to have an instantiation process that performs some
> validation and checks before the service is started. One of these checks is
> to ensure the configuration is up-to-date. With such process in place, we
> expect that every instance of the service is appropriately provisioned. A
> concrete (simple) deployment can always retrieve the service from a repo or
> perform a check for updates.
>
> With that set, 1 or 2 would work the same. The reason I would maybe prefer
> 1) over 2) is that 1 is known to carry the old configuration which will
> force the necessary check at startup. On the other hand 2) works fine
> unless KSK roll over happens and a write error happens. This means that
> most of the time this will work fine and this is what makes it dangerous in
> my opinion.
>
> But again, I am happy to update this with what the WG thinks it mostly
> appropriated. I have raised the following issue:
>
> https://github.com/mglt/draft-mglt-dnsop-dnssec-validator-requirements/issues/1
>
>
>

Thanks for explaining.  I had forgotten about the checks before starting.
In my case I was hoping to only need the root trust anchor, and keep it
updated by just patching regularly.  Might be wishful thinking.

-- 
Bob Harold


>
>
>
>
>
>
>
>> --
>> Bob Harold
>>
>>
>>>
>>> Please inline other comments.
>>>
>>> Yours,
>>> Daniel
>>>
>>> [1]
>>> https://github.com/mglt/draft-mglt-dnsop-dnssec-validator-requirements/blob/master/draft-mglt-dnsop-dnssec-validator-requirements.mkd
>>> [2]
>>> https://github.com/mglt/draft-mglt-dnsop-dnssec-validator-requirements/commit/f8ab674b12442aff6ba3c72a3ca8f795f24b2df9#diff-c7cc8f0bdd4d7cce2082828d70d2bf35
>>>
>>>
>>> On Tue, May 5, 2020 at 11:52 AM Daniel Migault <daniel.migault=
>>> 40ericsson.com@dmarc.ietf.org> wrote:
>>>
>>>> Hi Bob,
>>>>
>>>> Thanks for the comments. The new version of the file is available here
>>>> [1] and diff can be seen at [2].
>>>>
>>>> I propose the following text. Does it clarify the concern ?
>>>> Avoiding the configuration file to be updated prevents old
>>>> configuration file to survive to writing error on read-only file systems.
>>>>
>>>>
>>>> "Not updating the configuration file prevents a failed
>>>>    synchronization to to the absence of write permission that are hardly
>>>>    in the control of the software."
>>>>
>>>> <mglt>
>>>> </mglt>
>>>>
>>>> [1]
>>>> https://github.com/mglt/draft-mglt-dnsop-dnssec-validator-requirements/blob/master/draft-mglt-dnsop-dnssec-validator-requirements.mkd
>>>> [2]
>>>> https://github.com/mglt/draft-mglt-dnsop-dnssec-validator-requirements/commit/f8ab674b12442aff6ba3c72a3ca8f795f24b2df9#diff-c7cc8f0bdd4d7cce2082828d70d2bf35
>>>>
>>>> ------------------------------
>>>> *From:* Bob Harold <rharolde@umich.edu>
>>>> *Sent:* Monday, May 4, 2020 4:29 PM
>>>> *To:* Daniel Migault <daniel.migault@ericsson.com>
>>>> *Subject:* Fwd: [DNSOP] The DNSOP WG has placed
>>>> draft-mglt-dnsop-dnssec-validator-requirements in state "Call For Adoption
>>>> By WG Issued"
>>>>
>>>> Minor nits:
>>>>
>>>> 7.  Trust Anchor Related Recommendations
>>>>
>>>> Last sentence, last few words:
>>>> "in section Section 8" > "in Section 8"
>>>>
>>>> <mglt>
>>>> addressed
>>>> </mglt>
>>>>
>>>> 7.2.1.  Automated Updates to DNSSEC Trust Anchors
>>>>
>>>> "TA updates is" > "TA updates are"
>>>>
>>>> <mglt>
>>>> addressed
>>>> </mglt>
>>>>
>>>> "but due to human" > "due to human"
>>>>
>>>> <mglt>
>>>> addressed
>>>> </mglt>
>>>>
>>>> 7.2.2.  Automated Trust Anchor Check
>>>>
>>>> "Not updating the configuration file prevents a failed
>>>>    synchronization to to the absence of write permission that are hardly
>>>>    in the control of the software."
>>>>
>>>> <mglt>
>>>> I propose the following text. Does it clarify the concern ?
>>>> Avoiding the configuration file to be updated prevents old
>>>> configuration file to survive to writing error on read-only file systems.
>>>> </mglt>
>>>>
>>>> Seems confusing, please rewrite.
>>>>
>>>> "The TA can be queries" > "The TA can be queried"
>>>>
>>>> <mglt>
>>>> addressed
>>>> </mglt>
>>>>
>>>> "does not only concerns" > "does not only concern"
>>>> <mglt>
>>>> addressed
>>>> </mglt>
>>>> "if the mismatch result" > "if the mismatch resulted"
>>>> <mglt>
>>>> addressed
>>>> </mglt>
>>>>
>>>> 8.  Negative Trust Anchors Related Recommendations
>>>>
>>>> "disable the signature check for that key the time" > "disable the
>>>> signature check for that key until the time"
>>>> <mglt>
>>>> addressed
>>>> </mglt>
>>>>
>>>> "This does not prevents" > "This does not prevent"
>>>> <mglt>
>>>> addressed
>>>> </mglt>
>>>> "either an attack or a failure into" > "either an attack or a failure
>>>> in"
>>>> <mglt>
>>>> addressed
>>>> </mglt>
>>>> 10.1.  Automated Reporting
>>>>
>>>> "will take the appropriated steps" > "will take the appropriate steps"
>>>> <mglt>
>>>> addressed
>>>> </mglt>
>>>> --
>>>> Bob Harold
>>>>
>>>>
>>>> ---------- Forwarded message ---------
>>>> From: *Bob Harold* <rharolde@umich.edu>
>>>> Date: Mon, May 4, 2020 at 4:28 PM
>>>> Subject: Re: [DNSOP] The DNSOP WG has placed
>>>> draft-mglt-dnsop-dnssec-validator-requirements in state "Call For Adoption
>>>> By WG Issued"
>>>> To: IETF DNSOP WG <dnsop@ietf.org>
>>>>
>>>>
>>>> Looks useful, I will review.
>>>>
>>>> --
>>>> Bob Harold
>>>>
>>>>
>>>> On Mon, May 4, 2020 at 3:13 PM IETF Secretariat <
>>>> ietf-secretariat-reply@ietf.org> wrote:
>>>>
>>>>
>>>> The DNSOP WG has placed draft-mglt-dnsop-dnssec-validator-requirements
>>>> in
>>>> state Call For Adoption By WG Issued (entered by Tim Wicinski)
>>>>
>>>> The document is available at
>>>>
>>>> https://datatracker.ietf.org/doc/draft-mglt-dnsop-dnssec-validator-requirements/
>>>>
>>>>
>>>
>>> --
>>> Daniel Migault
>>> Ericsson
>>>
>>
>
> --
> Daniel Migault
> Ericsson
>