IETF Logo Mail Archive

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

Vladimír Čunát <vladimir.cunat+ietf@nic.cz> Mon, 28 November 2022 11:29 UTC

Return-Path: <vladimir.cunat+ietf@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A260EC1522BC for <dnsop@ietfa.amsl.com>; Mon, 28 Nov 2022 03:29:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.897
X-Spam-Level:
X-Spam-Status: No, score=-6.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V5i6E85_nxjZ for <dnsop@ietfa.amsl.com>; Mon, 28 Nov 2022 03:29:04 -0800 (PST)
Received: from mail.nic.cz (mail.nic.cz [217.31.204.67]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00B75C14F74D for <dnsop@ietf.org>; Mon, 28 Nov 2022 03:29:03 -0800 (PST)
Received: from [IPV6:2a02:768:2d1c:226:3ba7:a2e2:7b83:bf0f] (unknown [IPv6:2a02:768:2d1c:226:3ba7:a2e2:7b83:bf0f]) by mail.nic.cz (Postfix) with ESMTPSA id C116F1C06DA; Mon, 28 Nov 2022 12:28:57 +0100 (CET)
Authentication-Results: mail.nic.cz; auth=pass smtp.auth=vladimir.cunat@nic.cz smtp.mailfrom=vladimir.cunat+ietf@nic.cz
Content-Type: multipart/alternative; boundary="------------vOWwMURABFpuvnWNk8hF705C"
Message-ID: <26cd83b9-1bd0-2925-07f7-6a5c2248d479@nic.cz>
Date: Mon, 28 Nov 2022 12:28:57 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.5.0
To: Daniel Migault <mglt.ietf@gmail.com>, dnsop@ietf.org
References: <CADyWQ+FwRaSdpSWXBDqCG9ZPNPiG4pGUx37PVtExbqVPr5ZfmA@mail.gmail.com> <65d26b98-e0d6-e69b-10d4-17632451cab6@nic.cz> <CADZyTk=wUydEv4X8KgHe3Mj0cZTmiaR3mjn_Z2n73U-eST-HPA@mail.gmail.com> <f397b7d4-fe4f-6000-5ce5-f2faa7b27b3e@nic.cz> <CADZyTkkdn__VhRRqwKDbNx3ymTR0KJmxoTN9aKMcox-JS=pW_A@mail.gmail.com>
Content-Language: cs, en-US
From: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
In-Reply-To: <CADZyTkkdn__VhRRqwKDbNx3ymTR0KJmxoTN9aKMcox-JS=pW_A@mail.gmail.com>
X-Virus-Scanned: clamav-milter 0.103.7 at mail
X-Virus-Status: Clean
X-Rspamd-Server: mail
X-Rspamd-Queue-Id: C116F1C06DA
X-Spamd-Bar: ----
X-Spamd-Result: default: False [-4.10 / 20.00]; BAYES_HAM(-5.00)[100.00%]; R_MIXED_CHARSET(1.00)[subject]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; ARC_NA(0.00)[]; RCVD_COUNT_ZERO(0.00)[0]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~]; ASN(0.00)[asn:44489, ipnet:2a02:768::/32, country:CZ]; FREEMAIL_TO(0.00)[gmail.com,ietf.org]; NEURAL_HAM(-0.00)[-1.000]; RCPT_COUNT_TWO(0.00)[2]; TAGGED_RCPT(0.00)[]; FROM_HAS_DN(0.00)[]; TAGGED_FROM(0.00)[ietf]; TO_DN_SOME(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; FREEMAIL_ENVRCPT(0.00)[gmail.com]; MID_RHS_MATCH_FROM(0.00)[]
X-Rspamd-Action: no action
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/vzegAA5HYAK0vUkslwkeHRY2xXU>
Subject: Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Nov 2022 11:29:08 -0000

On 25/11/2022 18.26, Daniel Migault wrote:
> So let me know how we came to this lines and I suspect we do share 
> some similar concerns. A recurrent question and reticence we receive 
> from MNO and ISPs regarding DNSSEC is that they are really scared 
> about having the cache with incoherent RRsets in their cache that 
> causes the validation to fail and in many cases they imagine a 
> mechanism to prevent and address such incoherent data in the cache.
> One of the intentions of this draft is to prevent such mechanisms to 
> be implemented - mostly as it is likely to generate errors that DNSSEC 
> experts would not be able to catch or understand - as generated by the 
> home made solutions.  As a result we wanted  to minimize the change to 
> the DNSSEC mechanic and only rely on very simple and standard  
> mechanisms. 4033 provided one way to limit some incoherencies, and we 
> also thought of a similar mechanism that was   like the one described 
> in I-D.ietf-dnsop-ns-revalidation which as we saw it ensures 
> something like a mechanism that refreshes the chain of trust.

I get that in countries with low validation rates [1] it may be 
difficult to explain to resolver operators that it should be only the 
authoritative side who worries that they "do DNSSEC wrong". Maybe I'm 
also personally biased against putting much work to work around mistakes 
done on the other side of the protocol.

[1] https://stats.labs.apnic.net/dnssec


> What we expect is that the validator proposes this option and as such 
> the DRO selects that option in the validator if present.

Well, OK.



>     Well yes, I'm in favor of keeping the supported-algorithm set
>     centralized internet-wide, instead of trying to start deploying a
>     decentralized mechanism.
>     [...]
>
>     I mainly wanted to dissuade from early algorithm deprecation on
>     validator side. [...]
>
> I got your point and agree it might be counter productive to encourage 
> a mechanism that is not reliable. I propose to remove the text below:
> [...]

OK.

I don't see the part about extended errors as problematic (RFC 8914).  
It really seems to be getting into (open-source) implementations and it 
can help with debugging in some cases, though deploying it is probably 
not very important either.



> Oh! sure for the TA. My understanding of the text is that it 
> recommends 5011 for running instances, but that new instances are 
> configured with up-to-date TA that in most cases are updated by 
> software update. So yes I agree and will check this appears clearly.

I don't think 5011 is worth doing at all.  Maybe in some exceptional use 
cases.  Well, I haven't heard much about deployment experience with 
non-root TAs, so perhaps I just don't know those well.

v2.23.0 | Report a Bug | By Email