Re: [DNSOP] [Ext] Re: Configured Trust Anchor vs. DS record

Edward Lewis <> Mon, 13 November 2017 15:45 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 60B371205F1 for <>; Mon, 13 Nov 2017 07:45:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id GVzfnRpQPKDI for <>; Mon, 13 Nov 2017 07:45:34 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D76FB1242F7 for <>; Mon, 13 Nov 2017 07:45:32 -0800 (PST)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1178.4; Mon, 13 Nov 2017 07:45:30 -0800
Received: from ([]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([]) with mapi id 15.00.1178.000; Mon, 13 Nov 2017 07:45:30 -0800
From: Edward Lewis <>
To: Evan Hunt <>, Petr Špaček <>
CC: "" <>
Thread-Topic: [Ext] Re: [DNSOP] Configured Trust Anchor vs. DS record
Thread-Index: AQHTWWiXPRp7CRP4/kG/0ZKc0dRV56MMpuMAgAAyMoCABicTAA==
Date: Mon, 13 Nov 2017 15:45:30 +0000
Message-ID: <>
References: <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
user-agent: Microsoft-MacOutlook/f.27.0.171010
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="B_3593414730_1453672502"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [DNSOP] [Ext] Re: Configured Trust Anchor vs. DS record
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 13 Nov 2017 15:45:37 -0000

On 11/9/17, 12:48, "DNSOP on behalf of Evan Hunt" < on behalf of> wrote:

>    On Thu, Nov 09, 2017 at 03:48:26PM +0100, Petr Špaček wrote:
>    > Nice write-up Edward! You have nicely summarized why Mark and me agree
>    > that validator should use longest suffix match when selecting TA to
>    > validate data.
>    +1.

Hmmm, that wasn't my intent. ;)  I had been trying to justify the other conclusion.  But, if my work is leading you towards this "other" conclusion, I've been taking time to understand why.

I'm beginning to have a new understanding on this.  The overlooked (by me) point is that we are focusing on a situation where the local operator has chosen to explicitly configure a trust anchor.  Beside code distributions shipping with the IANA managed KSK (or its DS form) for the global public Internet's root zone, if any operator wants another trust anchor point, they have to take explicit action to configure it.  The question is - what is the expectation of the operator in doing this?

There was a time when TLDs were signed but the root zone was not.  Then operators had to configure trust anchors for the TLDs to enable validation.  When the root zone was signed in 2010, the TLDs had to remind all those with trust anchors to remove them (before the TLD could change it's KSK).  I can no longer find reports of the efforts to undo TLD trust anchors (Sweden and maybe CzechRep?) that I thought were once floating around.  "Fears" surrounding this would lead one to favor the more open "any" policies, on the other hand, mass migration from TLDs to root for the top of the trust chain was probably a one-time event as a result of the on-set of DNSSEC in the root zone.

I'm not sure that the need for robustness outweighs the expectation of someone explicitly adding a trust anchor anymore.

OTOH, in the sense "I am not sure" there's the example of split-DNS and poor query path management (i.e., leaks).  I'm not sure if robustness helps here, or is a bad-behavior enabler.

>    > Things might get even more complicated when negative trust anchors are
>    > configured, bleh.
>    Fortuantely a negative trust anchor is a longest suffix match too.

This is an emerging "thing" - more active awareness and management of the trust anchor element of a validator.