Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements
Vladimír Čunát <vladimir.cunat+ietf@nic.cz> Mon, 28 November 2022 11:29 UTC
Return-Path: <vladimir.cunat+ietf@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A260EC1522BC for <dnsop@ietfa.amsl.com>; Mon, 28 Nov 2022 03:29:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.897
X-Spam-Level:
X-Spam-Status: No, score=-6.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V5i6E85_nxjZ for <dnsop@ietfa.amsl.com>; Mon, 28 Nov 2022 03:29:04 -0800 (PST)
Received: from mail.nic.cz (mail.nic.cz [217.31.204.67]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00B75C14F74D for <dnsop@ietf.org>; Mon, 28 Nov 2022 03:29:03 -0800 (PST)
Received: from [IPV6:2a02:768:2d1c:226:3ba7:a2e2:7b83:bf0f] (unknown [IPv6:2a02:768:2d1c:226:3ba7:a2e2:7b83:bf0f]) by mail.nic.cz (Postfix) with ESMTPSA id C116F1C06DA; Mon, 28 Nov 2022 12:28:57 +0100 (CET)
Authentication-Results: mail.nic.cz; auth=pass smtp.auth=vladimir.cunat@nic.cz smtp.mailfrom=vladimir.cunat+ietf@nic.cz
Content-Type: multipart/alternative; boundary="------------vOWwMURABFpuvnWNk8hF705C"
Message-ID: <26cd83b9-1bd0-2925-07f7-6a5c2248d479@nic.cz>
Date: Mon, 28 Nov 2022 12:28:57 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.5.0
To: Daniel Migault <mglt.ietf@gmail.com>, dnsop@ietf.org
References: <CADyWQ+FwRaSdpSWXBDqCG9ZPNPiG4pGUx37PVtExbqVPr5ZfmA@mail.gmail.com> <65d26b98-e0d6-e69b-10d4-17632451cab6@nic.cz> <CADZyTk=wUydEv4X8KgHe3Mj0cZTmiaR3mjn_Z2n73U-eST-HPA@mail.gmail.com> <f397b7d4-fe4f-6000-5ce5-f2faa7b27b3e@nic.cz> <CADZyTkkdn__VhRRqwKDbNx3ymTR0KJmxoTN9aKMcox-JS=pW_A@mail.gmail.com>
Content-Language: cs, en-US
From: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
In-Reply-To: <CADZyTkkdn__VhRRqwKDbNx3ymTR0KJmxoTN9aKMcox-JS=pW_A@mail.gmail.com>
X-Virus-Scanned: clamav-milter 0.103.7 at mail
X-Virus-Status: Clean
X-Rspamd-Server: mail
X-Rspamd-Queue-Id: C116F1C06DA
X-Spamd-Bar: ----
X-Spamd-Result: default: False [-4.10 / 20.00]; BAYES_HAM(-5.00)[100.00%]; R_MIXED_CHARSET(1.00)[subject]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; ARC_NA(0.00)[]; RCVD_COUNT_ZERO(0.00)[0]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~]; ASN(0.00)[asn:44489, ipnet:2a02:768::/32, country:CZ]; FREEMAIL_TO(0.00)[gmail.com,ietf.org]; NEURAL_HAM(-0.00)[-1.000]; RCPT_COUNT_TWO(0.00)[2]; TAGGED_RCPT(0.00)[]; FROM_HAS_DN(0.00)[]; TAGGED_FROM(0.00)[ietf]; TO_DN_SOME(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; FREEMAIL_ENVRCPT(0.00)[gmail.com]; MID_RHS_MATCH_FROM(0.00)[]
X-Rspamd-Action: no action
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/vzegAA5HYAK0vUkslwkeHRY2xXU>
Subject: Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Nov 2022 11:29:08 -0000
On 25/11/2022 18.26, Daniel Migault wrote: > So let me know how we came to this lines and I suspect we do share > some similar concerns. A recurrent question and reticence we receive > from MNO and ISPs regarding DNSSEC is that they are really scared > about having the cache with incoherent RRsets in their cache that > causes the validation to fail and in many cases they imagine a > mechanism to prevent and address such incoherent data in the cache. > One of the intentions of this draft is to prevent such mechanisms to > be implemented - mostly as it is likely to generate errors that DNSSEC > experts would not be able to catch or understand - as generated by the > home made solutions. As a result we wanted to minimize the change to > the DNSSEC mechanic and only rely on very simple and standard > mechanisms. 4033 provided one way to limit some incoherencies, and we > also thought of a similar mechanism that was like the one described > in I-D.ietf-dnsop-ns-revalidation which as we saw it ensures > something like a mechanism that refreshes the chain of trust. I get that in countries with low validation rates [1] it may be difficult to explain to resolver operators that it should be only the authoritative side who worries that they "do DNSSEC wrong". Maybe I'm also personally biased against putting much work to work around mistakes done on the other side of the protocol. [1] https://stats.labs.apnic.net/dnssec > What we expect is that the validator proposes this option and as such > the DRO selects that option in the validator if present. Well, OK. > Well yes, I'm in favor of keeping the supported-algorithm set > centralized internet-wide, instead of trying to start deploying a > decentralized mechanism. > [...] > > I mainly wanted to dissuade from early algorithm deprecation on > validator side. [...] > > I got your point and agree it might be counter productive to encourage > a mechanism that is not reliable. I propose to remove the text below: > [...] OK. I don't see the part about extended errors as problematic (RFC 8914). It really seems to be getting into (open-source) implementations and it can help with debugging in some cases, though deploying it is probably not very important either. > Oh! sure for the TA. My understanding of the text is that it > recommends 5011 for running instances, but that new instances are > configured with up-to-date TA that in most cases are updated by > software update. So yes I agree and will check this appears clearly. I don't think 5011 is worth doing at all. Maybe in some exceptional use cases. Well, I haven't heard much about deployment experience with non-root TAs, so perhaps I just don't know those well.
- [DNSOP] Working Group Last Call for draft-ietf-dn… Tim Wicinski
- Re: [DNSOP] Working Group Last Call for draft-iet… Brian Dickson
- Re: [DNSOP] Working Group Last Call for draft-iet… Tim Wicinski
- Re: [DNSOP] Working Group Last Call for draft-iet… Brian Dickson
- Re: [DNSOP] Working Group Last Call for draft-iet… Vladimír Čunát
- Re: [DNSOP] Working Group Last Call for draft-iet… Daniel Migault
- Re: [DNSOP] Working Group Last Call for draft-iet… Daniel Migault
- Re: [DNSOP] Working Group Last Call for draft-iet… Vladimír Čunát
- Re: [DNSOP] Working Group Last Call for draft-iet… Daniel Migault
- Re: [DNSOP] Working Group Last Call for draft-iet… Florian Obser
- Re: [DNSOP] Working Group Last Call for draft-iet… Vladimír Čunát
- Re: [DNSOP] Working Group Last Call for draft-iet… Peter Thomassen
- Re: [DNSOP] Working Group Last Call for draft-iet… Peter Thomassen
- Re: [DNSOP] Working Group Last Call for draft-iet… Vladimír Čunát
- Re: [DNSOP] Working Group Last Call for draft-iet… Daniel Migault
- Re: [DNSOP] Working Group Last Call for draft-iet… Daniel Migault
- Re: [DNSOP] Working Group Last Call for draft-iet… Vladimír Čunát
- Re: [DNSOP] Working Group Last Call for draft-iet… Daniel Migault
- Re: [DNSOP] Working Group Last Call for draft-iet… Daniel Migault
- Re: [DNSOP] Working Group Last Call for draft-iet… Daniel Migault
- Re: [DNSOP] Working Group Last Call for draft-iet… Tim Wicinski
- Re: [DNSOP] Working Group Last Call for draft-iet… Daniel Migault
- Re: [DNSOP] Working Group Last Call for draft-iet… Tim Wicinski
- Re: [DNSOP] Working Group Last Call for draft-iet… Livingood, Jason
- Re: [DNSOP] Working Group Last Call for draft-iet… Viktor Dukhovni
- Re: [DNSOP] Working Group Last Call for draft-iet… Peter Thomassen
- Re: [DNSOP] Working Group Last Call for draft-iet… Daniel Migault
- Re: [DNSOP] Working Group Last Call for draft-iet… Peter Thomassen
- Re: [DNSOP] Working Group Last Call for draft-iet… Daniel Migault
- Re: [DNSOP] Working Group Last Call for draft-iet… Daniel Migault
- Re: [DNSOP] Working Group Last Call for draft-iet… Peter Thomassen
- Re: [DNSOP] Working Group Last Call for draft-iet… Daniel Migault