Re: [DNSOP] I-D Action: draft-ietf-dnsop-nsec3-guidance-02.txt

Geoff Huston <gih@apnic.net> Tue, 22 February 2022 19:03 UTC

From: Geoff Huston <gih@apnic.net>
To: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
CC: "dnsop@ietf.org" <dnsop@ietf.org>, Wes Hardaker <wjhns1@hardakers.net>
Thread-Topic: [DNSOP] I-D Action: draft-ietf-dnsop-nsec3-guidance-02.txt
Date: Tue, 22 Feb 2022 19:02:59 +0000
Message-ID: <B5A5CA65-E1C0-4EE1-B7C7-F14374EB5955@apnic.net>
References: <163777315136.16773.10633006296842101587@ietfa.amsl.com> <4e4527b6-b0b3-33f3-3849-8a593fe29a1d@nic.cz> <ybly22j7m5m.fsf@w7.hardakers.net> <95a4103b-dd26-17ba-d4dd-ac82b2bd510f@nic.cz>
In-Reply-To: <95a4103b-dd26-17ba-d4dd-ac82b2bd510f@nic.cz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/vwGhUedJLmHZC_hAcG-3xJw1Fx4>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-nsec3-guidance-02.txt

> On 22 Feb 2022, at 10:29 pm, Vladimír Čunát <vladimir.cunat+ietf@nic.cz> wrote:
> 
> On 09/02/2022 22.41, Wes Hardaker wrote:
>> So I've re-arranged things a bit to hopefully address the flow better.
>> Let me know if you think further improvements are warranted.
>> 
> I'd still probably suggest at least a minimalist change like:
> -Note that a validating resolver MUST still validate the signature
> +Note that a validating resolver returning an insecure response MUST still validate the signature

Hi Vladimir,

I’m not sure I follow that latter comment relating to "a validating resolver returning an insecure response". Do you mean:

a) - a DNSSEC-validation capable resolver responding to a query that had the CD bit set?

b) - a DNSSEC-validation capable resolver responding to a query that had no EDNS(0) extensions at all?

c) - a DNSSEC-validation capable resolver responding to a query that received an NSEC record signed with an algorithm that was not recognised by the resolver?

Geoff