Re: [DNSOP] signalling mandatory DNSSEC in the parent zone

Ulrich Wisser <ulrich@wisser.se> Mon, 01 March 2021 15:46 UTC

From: Ulrich Wisser <ulrich@wisser.se>
In-Reply-To: <A148F043-6DC6-47B0-B6B0-F112BF346E73@rfc1035.com>
Date: Mon, 01 Mar 2021 16:46:30 +0100
Cc: dnsop <DNSOP@ietf.org>
Message-Id: <3679416F-914B-41B5-A8D6-93993BEDA65C@wisser.se>
References: <4C3B1EF7-D37F-40D4-9C39-70FADF2B71CC@wisser.se> <789EBF89-24CC-452A-A1D0-AE5583D6A476@wisser.se> <A148F043-6DC6-47B0-B6B0-F112BF346E73@rfc1035.com>
To: Jim Reid <jim@rfc1035.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/qP4CAWBwVzpu7XsfK8AcDxh7CLo>
Subject: Re: [DNSOP] signalling mandatory DNSSEC in the parent zone

Hi Jim,

I don’t want to signal this to resolvers; there is no need to. As domains are resolved by themselves, a resolver doesn’t need to know if all other subdomains of .se are signed too, just that the one it is interested in is signed.

But if .se would have that policy, how would you move a domain between name server operators?
- If approved by the chairs, Shumon and I will present our work on automating this at the next dnsop meeting.
- If the operators do not support the same algorithm, only lax validation can save you. (And that is how this discussion started.)

/Ulrich


> On 1 Mar 2021, at 15:18, Jim Reid <jim@rfc1035.com> wrote:
> 
> 
> 
>> On 1 Mar 2021, at 13:29, Ulrich Wisser <ulrich=40wisser.se@dmarc.ietf.org> wrote:
>> 
>> 100% signed would mean unsigned zones do not get delegated, going insecure is no longer an option.
>> I would like the protocol to be able to handle that case. 
> 
> Ulrich, that seems to be a (registry-specific?) policy matter => probably out of scope for the DNS protocol.
> 
> How could a parent signal “everything below this point of the tree is signed”? How could they guarantee that was true, given delegation means there’s a change of control for some part of the name space? How would resolving servers be expected to use this signalling information? If they come across an unsigned but working delegation, should they treat that as a validation failure or continue to resolve the query? That would seem to be a local policy/configuration matter too.
> 
> I’m not sure it matters to anyone if some parent zone has this sort of policy or not. Could you explain the use case or problem statement?
>
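Added example, not part of the thread: a small model of the algorithm-coverage point Ulrich makes about moving a zone between operators that do not share a signing algorithm. It encodes the signer rule of RFC 4035 section 2.2 (the apex DNSKEY RRset must be signed with every algorithm listed in the parent's DS RRset) next to the validator leniency of RFC 6840 section 5.11 (any single valid path is enough). Key tags, algorithm numbers and the three transfer states are constructed; chains are matched by (key tag, algorithm) pairs and real signature verification is omitted.

```python
"""Model of the DNSSEC algorithm-coverage rule that bites when a zone moves between
operators using different algorithms.  RFC 4035 s2.2 requires the apex DNSKEY RRset to
be signed with every algorithm present in the parent's DS RRset; RFC 6840 s5.11 tells
validators to accept any single valid path instead.  Records are (key_tag, algorithm)
pairs; chains are matched by tag and algorithm, real signature checks are omitted."""

def valid_algorithms(ds_set, dnskeys, dnskey_rrsigs):
    """Algorithms for which DS -> DNSKEY -> RRSIG(DNSKEY RRset) links up."""
    keys = set(dnskeys)
    sigs = set(dnskey_rrsigs)
    return {alg for (tag, alg) in ds_set if (tag, alg) in keys and (tag, alg) in sigs}

def strict_validation_ok(ds_set, dnskeys, dnskey_rrsigs):
    """Strict reading: every algorithm the parent lists in DS must be provable."""
    return bool(ds_set) and (valid_algorithms(ds_set, dnskeys, dnskey_rrsigs)
                             == {alg for (_, alg) in ds_set})

def lax_validation_ok(ds_set, dnskeys, dnskey_rrsigs):
    """RFC 6840 s5.11 reading: one working path is enough."""
    return bool(valid_algorithms(ds_set, dnskeys, dnskey_rrsigs))

# Constructed scenario: operator A signs with ECDSAP256SHA256 (13), operator B with
# RSASHA256 (8).  Mid-transfer the parent carries DS records for both operators' KSKs.
PARENT_DS = [(11111, 13), (22222, 8)]

# Case 1: B's servers publish and sign only B's own key.
B_ONLY_KEYS = [(22222, 8)]
B_ONLY_SIGS = [(22222, 8)]

# Case 2: both operators use algorithm 8 and B also publishes A's key in its DNSKEY
# RRset; B still signs only with its own key, which covers algorithm 8.
PARENT_DS_SAME_ALG = [(11111, 8), (22222, 8)]
B_WITH_A_KEY = [(11111, 8), (22222, 8)]

# Case 3: different algorithms; B copies A's alg-13 key into the DNSKEY RRset but
# cannot sign with it, so algorithm 13 remains unproven under the strict reading.
B_WITH_A_KEY_DIFF_ALG = [(11111, 13), (22222, 8)]

def outcome(ds_set, dnskeys, dnskey_rrsigs):
    """What a strict and a lax validator conclude for one child state."""
    return {"strict": strict_validation_ok(ds_set, dnskeys, dnskey_rrsigs),
            "lax": lax_validation_ok(ds_set, dnskeys, dnskey_rrsigs)}

if __name__ == "__main__":
    print("case 1", outcome(PARENT_DS, B_ONLY_KEYS, B_ONLY_SIGS))
    print("case 2", outcome(PARENT_DS_SAME_ALG, B_WITH_A_KEY, B_ONLY_SIGS))
    print("case 3", outcome(PARENT_DS, B_WITH_A_KEY_DIFF_ALG, B_ONLY_SIGS))
```

Only case 2, where both operators share an algorithm, survives the strict reading; in cases 1 and 3 the zone stays resolvable only at validators that apply the RFC 6840 leniency, which is the dependency on lax validation the message describes.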