[DNSOP] Re: SECDIR IETF LC review of draft-ietf-dnsop-ds-automation-05
Donald Eastlake <d3e3e3@gmail.com> Sun, 17 May 2026 22:38 UTC
Return-Path: <d3e3e3@gmail.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 2A8B2EFB8F78 for <dnsop@mail2.ietf.org>; Sun, 17 May 2026 15:38:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1779057489; bh=Gv0nDvVQjs+w15wvQmP856u+8/JMlC9OJdPlYK8mskk=; h=References:In-Reply-To:From:Date:Subject:To:Cc; b=eWzt/Vv1w51+jLdykqNNbxGmzRgbF2fg1a2bdI2oqu7XfhloayZovkpUaM+QDiFIi zNLovC+qExcots1nFa6jkuuhLZwlTkbBfzlDWiM9hCguzJTPX2e5MwStrUxZYP5qix piB4E1tFNjfU9btmcVHL/IASGdMZT3DqoMvYqeRE=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.849
X-Spam-Level:
X-Spam-Status: No, score=-1.849 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bX5FDO4yoxx8 for <dnsop@mail2.ietf.org>; Sun, 17 May 2026 15:38:08 -0700 (PDT)
Received: from mail-qt1-x836.google.com (mail-qt1-x836.google.com [IPv6:2607:f8b0:4864:20::836]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 7A582EFB8F62 for <dnsop@ietf.org>; Sun, 17 May 2026 15:38:08 -0700 (PDT)
Received: by mail-qt1-x836.google.com with SMTP id d75a77b69052e-50e5bea4045so13133211cf.3 for <dnsop@ietf.org>; Sun, 17 May 2026 15:38:08 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1779057482; cv=none; d=google.com; s=arc-20240605; b=ezLPZWOQzA7Gsz0LWREg3DDluco+rEo8+Of93VLMMmEASsvJGfv5jOVOQdc4nylwX+ AI8yVmNzcB0b+4M7xAk8PaALK6PsvFp2j213VvPLjnZ0MYcvFHsgWEDcKx7PQ5udO9de 4k4Evl3OFg00VYM/t9y3IVNRWlHude93ITRSMsVv3rcz0QUfnRGcxmHDmH4CRCf7XB3F kLtkwSu9K5RbIU2tnAwe2Bt7AnepXodc6qcAvb6teOfXjvAjBIUWbIR2mhwpjiCP+WLU jTQJz1OcvTfnN4qPBAkIy+5zbnXn5y9RDy8QIEbS3ToFujLOPTgCbDMiwrYoPDrm1tIP unSQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=+eNn/QacUh2zoTNn9i+ldSBBk2p/MkJKA39La6Z/Las=; fh=Ro+mElpihF3iuFJCkxhZRoumybzfyKc8P+dkrKJqXqI=; b=Vfh3AG5GRUD8CFLVOw2NHhUmdao5hkPdCRsEIAYDLHhil+XwvpOmYd6uk7RNzXn3dG mbwh5czz6VKJ7u13VOzdJrIVh8BPlWkI3BSGjSHJqiPB7VKeAW71KboSH5rM9tBTyx1Q jeTsNQZuIPiqOEo5iPhsusBhReM40KXqwHDWPDoF4EcIpcHaYdkV7YYyeK4fKvFdegFN 2AUA05GIOTxdGt682C/IH5LuROOTn4vRPMElUFf49Va+IRq97GEIR/RHxp/yDtq142w2 hTGqiNT9kqL8FTjES+zf9T5XxjuHtO9K3DBcZGFxBnEQkSt6pPIZhAfZhpkiEwK2bBi7 v/IA==; darn=ietf.org
ARC-Authentication-Results: i=1; mx.google.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779057482; x=1779662282; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=+eNn/QacUh2zoTNn9i+ldSBBk2p/MkJKA39La6Z/Las=; b=P6xpQLkqOW8+XBwIH3CJhvksVIsh5JYZC0uWeBhpwCB4eOt+KmEaPcovVELRZ+DzrV b7vFDlGOTfiYuUbh2gfnYhG9vuRsPp7taW54Fiy9b4FziAcMgYlfiUkpZUl+9FtpHLIV NiGUhtY/6uL9dVuIdMaECOFBrzg87zRHFSUJG/Mw4huRzAB/QhKF4jtD/XrAi5sv1Qi0 x2jV35gTDP9RaoKH++UBOc5QG5l3ztOhDQV4VM3v5D344eFRC3QPZTZJnUnsk/+qtOwC CnoY6tMDCX04+XVtB+kAWjccHKbfx4nSlXYjcF35Pk3kxLCGR6YGobSiDZf4jgozeS9r mdbw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779057482; x=1779662282; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=+eNn/QacUh2zoTNn9i+ldSBBk2p/MkJKA39La6Z/Las=; b=UBPDDzZfdWUYrYCAYyte6P4n3ZEWT+tTpiHI+2o0guPzgRca+UL1+GuLT4XyL4vwUZ 0hEa6MXzrIxuG0lonr3L+3PxbsWLO9Z9iG3IsnLpm/HJD+CHfPfQk562utNcqgekTxKH Ln0zV0kWHdqnngyrant3W8cBTGbZPmWXDtxjCGKjkPg+JOyIdPqLiKjjFTbcLSf1kEXK FYhg6FPPgaFZiv8bQhWZRo1DnPFeM75QRBcA7bgu8PL544QvhsTaHUU7s6SBkZCkq5EV qvgY0hsZehgEcIAr60dGdmUi04y4WhTjSkLk0BUKK6FJg9684gX2q/9EXqMws1Pq2vxT 5hGA==
X-Forwarded-Encrypted: i=1; AFNElJ86aAjK8zG/j4LLCMqYy0CQQYLP46WQfFIhvcANFrG3qH/t+DQt11svEo/WtBFrYIgEqvDUjQ==@ietf.org
X-Gm-Message-State: AOJu0YwGMciQub9Y8/AfunLUwj0Sxh2iltMxsfzhWTJlDjSr3n3a6flL 5/8/JwNT49pOsVYUPBCaB3JB/jL5fXRnGVTrILvU33Ih2k5y0exMZVdxrYONhq0aKOzFV/0j8rM o9W35BsOymIirBuw/8DJ6q0xpoitOQi8=
X-Gm-Gg: Acq92OGIHYrKIifF4xw4e0MquAkxEAw/H1ZAiz9YvHwy9dCVeINEaxeVJCZggIcitPK o6jHZR0VpEQZewvIZVjvcYH3zzV7pZM7rPwMXvmM/e/N4UD2i/Yq9+XnCgP4Qhvn0tcm48HVEap d5O4WStaIYZ23MUuzOWgAW2K9S/wT5Yevohaf/VytcEW03Lss4SYzjeccgoBPBPmey9O/Ke5r4u vC+Xe/yIE43YgPxW4GbP7lc0x+URUHtktTNQIMjnLKFhnowJJN8ygK6o+HSkly0ljn4wP6uxODh SAoUyxBiRFH7W1kf
X-Received: by 2002:a05:622a:1b90:b0:50f:b17d:7e57 with SMTP id d75a77b69052e-5165a06069fmr178577261cf.24.1779057481851; Sun, 17 May 2026 15:38:01 -0700 (PDT)
MIME-Version: 1.0
References: <CAF4+nEGTJq-_GOAdFWiW8q-Ci7GU9giP8asn0LojZaZQZCTYXw@mail.gmail.com> <d4b32903-8ad8-4c47-99bd-5a9236c5b039@desec.io>
In-Reply-To: <d4b32903-8ad8-4c47-99bd-5a9236c5b039@desec.io>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Sun, 17 May 2026 18:37:50 -0400
X-Gm-Features: AVHnY4JSd-tmj3k7LD6_b41-i6IvMXh2f4wEUuGPQakumwffAHyjUNMWUNLgrBo
Message-ID: <CAF4+nEHVs8vA3XXNhDXsOiPR9SAOdptWJ398-PVwG_5C_nxK2Q@mail.gmail.com>
To: Peter Thomassen <peter@desec.io>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: ZLCULLU7NVNDKXLEPT3SAKLYS6KRBSCE
X-Message-ID-Hash: ZLCULLU7NVNDKXLEPT3SAKLYS6KRBSCE
X-MailFrom: d3e3e3@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "iesg@ietf.org" <iesg@ietf.org>, secdir <secdir@ietf.org>, draft-ietf-dnsop-ds-automation.all@ietf.org, Last Call <last-call@ietf.org>, "dnsop@ietf.org WG" <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: SECDIR IETF LC review of draft-ietf-dnsop-ds-automation-05
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xQc__RCP67W1TKVPgleJagn7tp4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>
Hi Peter, Sorry for the delay in response. As below, I consider my comments to have been resolved except for my one comment that in Section 7.2, poiny 1, to replace "SHOULD" with "MUST". However, I am content, as you suggest, to leave this up to the IESG. On Thu, May 14, 2026 at 6:39 AM Peter Thomassen <peter@desec.io> wrote: > > Hi Donald, > > Thank you for your review! Please see inline. > > On 5/11/26 01:18, Donald Eastlake wrote: > > this is much more of an operations BCP than a security BCP. > [...] > > # Security > > > > I believe there are security threats addressed by this document but it seems to mostly focus on potential operational problems of "inconsistency" and "unexpected and confusing" behavior. It might be useful to give some examples of security problems that can be caused by ignoring these recommendations or, if you are sure, to state that there are none (which I doubt). How do these recommendations interact with the compromise of various of the parties in the RRR model or with an on-path attacker? > > draft-ietf-dnsop-cds-consistency (which is about to be published) is normatively referenced by the draft at hand, and contains an entire appendix [1] on what can go wrong if consistency requirements are not honored. > > The current document is supposed to give operational guidance without re-describing everything that has been said in other documents. It would otherwise be very long. :-) Folks from the WG have specifically pushed to keep this shorter, and to not repeat too many considerations. As an example of the WG discussion, see [2] (search for "RFC 6781" therein). > > While I'm of course open to adjusting text, I don't see how to do it without challenging the WP's consensus. As you also said "this is much more of an operations BCP than a security BCP" and nobody has brought up the concern before, I'm doing nothing about this for the moment, unless I hear objections. > > [1]: https://www.ietf.org/archive/id/draft-ietf-dnsop-cds-consistency-11.html#name-failure-scenarios-due-to-in > [2]: https://mailarchive.ietf.org/arch/msg/dnsop/5jVEyldeIuPOFu917_2A9V2jnuE/ OK, as long as it is covered elsewhere. > > # Minor > > > > Section 4.2.2, last paragraph: Wouldn't there be some advantage to lowering the TTL of the old DS RRset if you did so early enough before the DS update? > > No. An old revision [3] contained the following text (in an appendix on "Approaches not pursued", which the WG later decided to drop): > > OLD > It is not necessary to equally reduce the old DS RRset's TTL before > applying a change. If this were done, the rollover itself would have > to be delayed [for this extra step] without any apparent benefit. With the goal of > enabling timely withdrawal of a botched DS RRset, it is not equally > important for the previous (functional) DS RRset to be abandoned very > quickly. In fact, not reducing the old DS TTL has the advantage of > providing some resiliency against a botched DS update, as clients > would continue to use the previous DS RRset according to its normal > TTL, and the broken RRset could be withdrawn without some of them > ever seeing it. Wrong DS RRsets will then only gradually impact > clients, minimizing impact overall. > > [3]: https://www.ietf.org/archive/id/draft-ietf-dnsop-ds-automation-01.html#name-approaches-not-pursued OK. > > Section 4.2.3, last paragraph: I found this paragraph a little hard to understand. What exactly does "Child DNS operators are held responsible for publishing contradictory information" mean? Isn't it just that when a Child DNS operator publishes contradictory information, the parent rejects it? > > It's supposed to mean that Child DNS operators have the responsibility to publish consistent information across auths: if they don't, the parent won't second-guess what the intention could have been; it simply won't work. > > I agree that this sentence is not very clear, and applied a fix. In doing so, I've also swapped another sentence around for flow: > > OLD > If both RRsets are published, Parents are expected to verify > consistency between them by verifying that they refer to the same set > of keys [I-D.ietf-dnsop-cds-consistency]. The CDS digest field need > only be verified when the hash digest algorithm is designated as > "MUST" in the "Implement for DNSSEC Delegation" column of the "Digest > Algorithms" registry [DS-IANA], and may otherwise be ignored when the > digest type is unsupported. > > By rejecting the DS update if RRsets are found to be inconsistent, > Child DNS operators are held responsible when publishing > contradictory information. Note that this does not imply a > restriction to the hash digest types found in the CDS RRset: if no > inconsistencies are found, the parent can publish DS records with > whatever digest type(s) it prefers. > > NEW > If both RRsets are published, Parents are expected to verify > consistency between them by verifying that they refer to the same set > of keys [I-D.ietf-dnsop-cds-consistency]. By not second-guessing > inconsistencies (such as by RRset recency) and instead rejecting > them, responsibility to clearly express each update request is placed > on the Child DNS operator. > > The CDS digest field need only be verified when the hash digest > algorithm is designated as "MUST" in the "Implement for DNSSEC > Delegation" column of the "Digest Algorithms" registry [DS-IANA], and > may otherwise be ignored when the digest type is unsupported. Note > that this does not imply a restriction to the DS hash digest types: > if no inconsistencies are found, the parent can publish DS records > with whatever digest type(s) it prefers. OK. > > Also, doesn't a parent always have the power to publishes whatever DS or other records it wants? > > Yes, of course. > > > Section 5.1, point 3: Since there are specific recommendations in many other cases, can something specific be said rather than "unnecessarily frequently"? Like, for example, "a few times initially and once a day thereafter". > > On the other hand, Section 5.2, next to last paragraph says "no more than twice in in a row" so maybe that is what is meant. > > Registries expressed that this is not an interoperability requirement, and they would like notification details to be part of their business decisions. The exemplary guidance "no more than twice in in a row" is therefore given in the analysis (Section 5.2) but not the recommendation itself (Section 5.1). > > I can imagine that gTLD registries might eventually create some policy about this in the ICANN space, and perhaps it's better for this RFC to not stand in the way at that point. OK. > > Section 5.2, after the numbered points: Consistent with the tone of other parts of this document, I suggest "would be justified to attempt communicating" -> "SHOULD communicate" > > This a derivation of the recommendation and not the recommendation itself. The SHOULD in recommendations 5.1.1-5.1.3 is the conclusion of that derivation. OK. I guess the analysis/recommendation separation in this document is not that common in IETF BCPs. > > Section 7.1, point 1: "SHOULD" -> "MUST" ? > > Fair point. As this technically would change WG consensus, I'll leave this to the IESG. (Context: I believe there was no explicit discussion and I can imagine nobody feels strongly.) I guess we will see what the IESG does. > > Section 7.2.3, 1st paragraph: I understand the basis for saying DS flapping will only occur for a limited period of time. Is that the only basis for saying it will only be a minor nuisance? > > The main point is that even when there is DS flapping for some period of time, both variants of the DS RRset will be valid, so it doesn't matter. Quoting: > > lead to flapping of DS updates. However, it is not expected to be > harmful as either DS RRset will allow for the validation function to > continue to work, as ensured by Recommendation 1b of Section 4. The > effect subsides as the Child's state eventually becomes consistent > (roughly, within the child's replication delay); any flapping until > then will be a minor nuisance only. > > As you didn't make a suggestion and I believe the text says the thing you raised, I did not apply a change for now. OK. > > # Nits > > > > Section 3, 2nd paragraph, first sentence. Not grammatical. Simplest change would be to delete "as" but it is also too wordy. Suggest shortening to "Recommendations in this document optimize interoperability and safety." > > Done > > > Section 4.1 point 1a and Appendix A.1, point 1a: "ambigious" -> "ambiguous" > > Already fixed in -06 > > > Section 4.2.1, first line of last paragraph: perhaps the "may" should be "MAY". > > This previously was the case (before -05), but the normative language here was removed upon AD Review. OK. > > Section 6.2.2, last line: Some superfluous waffle wording here. "It therefore appears that DS initialization and rollovers should ..." -> "DS initialization and rollovers SHOULD ..." > > Done > > > Section 7.1, point 5: "has declared to be performing automated" -> "has declared it performs automated" > > Done (with "that" added), also in summary A.4. OK. > > Section 7.2.1, 1st paragraph, 2nd sentence: "the key used by for authentication" -> "the key used for authentication" > > Done > > > Section 7.2.2, 2nd paragraph: suggest "It is therefore advised to not follow this practice." -> "This practice is NOT RECOMMENDED." > > Done > > > Section 7.2.2, 4th paragraph: ends with a parenthetical where I believe the parens are not needed. Check for other cases of this in the document. > > Prefer to keep it, as otherwise it reads like a restriction whereas the parenthetical is for context only. OK. > > Section 11: Spell out SSAC on first use. > > Done. > > The combined diff of the above changes is here: https://github.com/desec-io/draft-ietf-dnsop-ds-automation/commit/0b89e97dde78126190453d833f8378c52f34f430 Thanks, Donald =============================== Donald E. Eastlake 3rd +1-508-333-2270 (cell) 2386 Panoramic Circle, Apopka, FL 32703 USA d3e3e3@gmail.com > Best, > Peter
- [DNSOP] Re: SECDIR IETF LC review of draft-ietf-d… Peter Thomassen
- [DNSOP] Re: SECDIR IETF LC review of draft-ietf-d… mohamed.boucadair
- [DNSOP] Re: SECDIR IETF LC review of draft-ietf-d… Donald Eastlake
- [DNSOP] Re: SECDIR IETF LC review of draft-ietf-d… mohamed.boucadair
- [DNSOP] Re: SECDIR IETF LC review of draft-ietf-d… Peter Thomassen