[DNSOP] Re: Does DNSSEC need a dry run?
Yorgos Thessalonikefs <yorgos@nlnetlabs.nl> Sun, 21 July 2024 01:21 UTC
Return-Path: <yorgos@nlnetlabs.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 692C5C14F609 for <dnsop@ietfa.amsl.com>; Sat, 20 Jul 2024 18:21:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.807
X-Spam-Level:
X-Spam-Status: No, score=-2.807 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DtuEDh8rjLYY for <dnsop@ietfa.amsl.com>; Sat, 20 Jul 2024 18:21:18 -0700 (PDT)
Received: from mout-b-105.mailbox.org (mout-b-105.mailbox.org [IPv6:2001:67c:2050:102:465::105]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 07D3DC14F5E4 for <dnsop@ietf.org>; Sat, 20 Jul 2024 18:21:16 -0700 (PDT)
Received: from smtp202.mailbox.org (smtp202.mailbox.org [10.196.197.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-105.mailbox.org (Postfix) with ESMTPS id 4WRQbV6txKz9vV6; Sun, 21 Jul 2024 03:21:10 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nlnetlabs.nl; s=MBO0001; t=1721524871; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=6c3OjeqWgD1wjoc/J4XZeJELVnrmh8O7RnXOzPZwlIc=; b=pr/elSwZWIvSbvLy1y7yIzPqhasbpBbeYa39cIzKm+ox+8Wmjkw7LsZeoPTBXpswsEJxLt U+qAVoSgAZK8mttFOcwswnvdisT4Hl46LTSh78XmmIXsAxAuxpvAt/gUfECYGnAYCDmMe2 dsKrf7b8EpQY1B+nYuom5OF7vE5I0F3cKBhJ5+YstjNndWl+liHXAeKJ8z49B3m++HmERO ywaw0tqHxX+XPvY85THauTD8UO03+n5TdepJI9qN5pqvLJBv05eYZ6zhIG/h00MJlBL4Og UZ1r0SvUE1DkyiajX7Ab64rOVvrm2mGWyEdOyvs8Aq2P2ToBk7Kmg/0J7+vPEw==
Message-ID: <0d08424c-ee32-4368-893b-9434ab5ec565@nlnetlabs.nl>
Date: Sun, 21 Jul 2024 03:21:06 +0200
MIME-Version: 1.0
To: Joe Abley <jabley@strandkip.nl>
References: <0198BFEA-EF0B-48D7-BC44-8563DA68CE62@strandkip.nl>
Content-Language: en-GB
From: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
Autocrypt: addr=yorgos@nlnetlabs.nl; keydata= xsFNBFfYHeYBEAC/8SdeXNspt9ZIoZRSL9juNLHA17TXcHdKSthgWBtwwWZbUPq8SJr7Y+hr 6jMCDKY9800QzLF0nLkyXnZgaBcvR0rRbCT/qvALJ0fpfjcotapZ1hBvomb9s8Bo28uKn8tb TMXYNsElUae4Ch/CrU1vfe50YoyQgLR8UBa15gV+2RmC+6jIqxDYS8sylWlDn6Qim+77feLl ObPnNdzgfWGZo14eJByTsz0qrh8aS/BS1FAsnEQ6W6AqukhpuKuWvoAUXKjfguXQolxeexub mKaLcGOTvecw+cbh/a5SPHRtRVr9qTxpelk6UEpakY5K9UtZkrG55VWih/4KqY9bNyhJBtpA k1fXA+mYfx5BcFpECYdU9kz4UgV5jK0HYRHQTLC91PPVQgH86we+Aae6TaJneCLEIzBK36Tg AP8RKrvFfPUym5OPYbWOom27QTKfRVcyxPKglJxrTSWixnKWS/pqxNY8hF9Ne4crRAF4wX2y BVbGnjNrS9TpYmjMwURbuYm+rWZk/8w5OJG60V3wax56c0jn/42O3Y2hzQ+PbOv2M4UuuajS 2YL3/KUsRLBapUpPQjzChwzdr/vzFEhk9XxK2VGMN+dh2HjYwDFendc5csyt/cVrg3LssVS2 bKy5g3IhrzCKAk0Sky4S5t/mcN+lWztNvCijuLz58GCym5GwJQARAQABzStZb3Jnb3MgVGhl c3NhbG9uaWtlZnMgPHlvcmdvc0BubG5ldGxhYnMubmw+wsGABBMBCAAqAhsjBQkPGq82BQsJ CAcCBhUICQoLAgQWAgMBAh4BAheABQJlEZpoAhkBAAoJEM/zNE2Qh6SQKwQP/2kt4M0be9OB vpRQbQ5Zz5C8eWChCcoEP4aMnS0jYtoe6t4B01WvuqQNplXlxiwFrjIZ/3xwH20jSWtn4wnI SYZYob3DvkUy5f4GglP0lGb4yZiLMNBWBOwVNPr5E77FZWJ6n7cPxkB30VUZhv0L+k6gUYXg 6jZm6Mij7c0wU1/M7KPn+ZwQC5IT/TTue1+CfaQwJJMQHUv96EwnrohiwROb70wyt+ZfUIdK E/2uaF8d2DR03rgr179I2sFfiraDxcS5Gzij0ZdtdD51tRZ+S3JG7wCpQ+yZSaF+SeN9yAjM 4sMe00xT0e8L2xhFPqaBiDoxbQxRP3rhwg8OfQ8eSO7Th+TqqfM08ijcTjhHCTD/PSanC7CJ dP0+Uvk1wO8xlM5q5bGEExoNcUrrLUf9UZc5VbVjxmGz/m6uDQZhGoPYv0wASEhlO976nM6V lwmn7XfwqbmgvwtwKTzxeCyjhYneamM72If9TuypV2Fyi98RmqiJ0lxHrQ5dD/SDHWOjmONU TSHMsdhpFndH1QlKgDJ6mY1BMLHE4m568mTn1jMvs5iHyMzjJTUBvsSb4zZHyyIuizKz1YUZ gDfq7ALIoMfSt63P6D7vXdidEEMDjcnsSQpvJ/LQWfwWx9E4PhmkBuH1vdk3/SH7U+5QCgJL 9g9I59Ipgsr0zhJSNXBuD4BYzsFNBFfYHeYBEAC2h9yjSe2SgtcB0H+E0ndaewaZaQCE7q+R O43dotGH9eFnVwE4/ftcK1SN42ihlF5OnTaKPyXvgQ6U8W8VB8eLjeTwA/dSXuJX7kJpEK8s aPqJP6zTUmPqp/GSzS6YrhKLfpFn4chmywpDFcGNMz0sYXiJgPqKL7W0KuG+ziPToAeWl8ck eXyl77/lHVhWYylaQJEASklqCViPXSp9vI7/57UEm4MQPXwsDBOwuVVqcSu3ZM5MtY9XlbVP NCYmZIMqmh8HgYwbiq9dTfJi+6v17+uDQGZewWK/WwFM+9dDx7YkTeOBiUduYtJPW64NW/RJ 7pskbLAy+OZApTZWg0cISN6GOmPN3F0AiWzUjvSMREHhFHyxj4Y15vuDOFvPGFxr4xBiyMX1 JLCKK6OFnyPfoJ9v/o3UgrQgLrfXCmKdvkwBCgJvN3Fsxzha6Dtf6RcZ02fr7SCZZhdBrlrf lvC1uWZ0g3A87ss7h4Iw3njlO3aX6Bo9R4VOLUkiRKi4hmQBxPvXxI2ERmKRomo6lrMaDMzI jD4APSM1vUfZguzQxVYpM8lwy1COeqxsj5p+LH6f/EU+4dXZwooJ1uanBOvG2ntnz8SErE+e 7wNYE4a/fb8xYM4j7p6qYtnNZPb8sj8bvx8iWXp4A1csVetyVSchBhTVQhhNos6ouYpc4ibr YwARAQABwsFlBBgBCAAPAhsMBQJlEZm7BQkPGq9VAAoJEM/zNE2Qh6SQS0MP/16XU1WaPLyY 8wIeincUS52KzudWWi9nfQvZvL0H7+w8iRpkP3qjFRMW3jYKOKGD4hF7FXl8hKHNxhyFgmIh T/beqrA9MhgQslIHZ88Jd7P0Jfi+EiCqzOCVo86avBxCi74Uk0AEzSQ3lpmqfiYnViXxs6tH IUsdcd/m3lwv5M/O/wu/WlPNFx0HSkZlWIRAEsyL13zaoF+UwRRjrMrELL6s4lffO3jzGo9F Z3BTDB7gRlU26sxwPHrIva91txhtZbNlE81/zvRmkOAMKG8HA3y9atwez4jP8pn+wJnj/WlI jWTcrmVv8uBTh2CtYymI2/fHIyJ1HElBb/V77JMlhNK/3eMOLLO8ajc96K/O1Y3R/5pijDDG DELPWrqNdGV9mGq5owG7sjYGSKQ9WFJ0Y5WvEzg11z8/Fh2Pw6O0ojteWhhNrI0s7HbudZn2 xO4QY9kdNA+UzUxmealXgef5kb8M2msF0tWuGn+xP/hcljLg2bk8V5ZCzVNTO9b8Z+bGVQR1 GmnkLePj7NGBVSciCvcR79JJG0kyPsirdjORMXQQWA5i8IYukO8amUcYeSQW6MR7tKq7+7+4 mLKtwOXV2EZ2B+nHhiTTiqb8rCt0nsY0lt7gHni83InToz4k2eFo4WuOXMdLPwmQPJwaXCFg 3B8+NrtIAE8F4VHNKaM70rYX
In-Reply-To: <0198BFEA-EF0B-48D7-BC44-8563DA68CE62@strandkip.nl>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Message-ID-Hash: GA56FR5UUXJ5MEGHZDUJ4CJ3XUAYFNY4
X-Message-ID-Hash: GA56FR5UUXJ5MEGHZDUJ4CJ3XUAYFNY4
X-MailFrom: yorgos@nlnetlabs.nl
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: Does DNSSEC need a dry run?
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/sqUuoU8PDdizffE5Sv4eZdcuQ0Y>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>
Hi Joe, On 21/07/2024 02:15, Joe Abley wrote: > I've lost the original new version announcement to reply to so apologies > for the thread crime, but I have a more fundamental question about this > draft. No problem! > Even after you have tested with a dry run mechanism, you need to make > material changes to your zone to progress to actually signing in a way > that you expect people to validate, and you can only get useful test > results from validators that have implemented the test mechanism. So the > thing you tested is not actually the same thing as what you deploy, and > the test coverage might well ve limited. > This doesn't make it feel like a great test. I understand. That is why the whole point of dry-run is to have a turn-key action when you are done testing. You don't touch any of the signed and deployed and tested zone. You only update the DS on the parent. > > Isn't signing a test zone with exactly the processes, protocols and > software that will be used in real life and validating it with real > deployed validating resolvers actually a better test? Yes! That is the point. > > Who is this mechanism for? People that are afraid to sign their zones. They can test without breaking their DNS. After testing they can either replace the dry-run DS on the parent with the real DS and join the rest of the DNSSEC community. Or remove the dry-run DS altogether and run away screaming from DNSSEC; but without ever breaking their zone. Best regards, -- Yorgos
- [DNSOP] Does DNSSEC need a dry run? Joe Abley
- [DNSOP] Re: Does DNSSEC need a dry run? Yorgos Thessalonikefs