Re: [DNSOP] New draft on delegation revalidation
Gavin McCullagh <gmccullagh@gmail.com> Fri, 24 April 2020 22:21 UTC
Return-Path: <gmccullagh@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29C983A0E15 for <dnsop@ietfa.amsl.com>; Fri, 24 Apr 2020 15:21:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dr9x-EKBRZRp for <dnsop@ietfa.amsl.com>; Fri, 24 Apr 2020 15:21:52 -0700 (PDT)
Received: from mail-il1-x12c.google.com (mail-il1-x12c.google.com [IPv6:2607:f8b0:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16D6C3A0E14 for <dnsop@ietf.org>; Fri, 24 Apr 2020 15:21:52 -0700 (PDT)
Received: by mail-il1-x12c.google.com with SMTP id w6so10817910ilg.1 for <dnsop@ietf.org>; Fri, 24 Apr 2020 15:21:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=b3LOm2s2xCF1azr7IkOHT+UD4KbcGZxr4cVWx9VmzMw=; b=otvKttyJhveQvloDqnzH0iscDuFWJqWC8NsKrMoeWyCOwHpIAfTclvbuuRKmyjUwxK +jjocOXaB3PXROxEHsSBzgVwsENknW1OfHvJkwpL5cG+qx8KUTKyzliApF1MJOMvfuGX bTocA+LWlybtT5fbJ0XMaxLqrx4PWmiDdTtdSZV3DmxsnwSb5Do2D+7ZKdN7wRHUr+Ui ldStobfCksOr0mivuZuWtgxB/woVZPr3Ua8DCliGH0o/Rq9AA3xYvXTc+GnkcUU78v2F Cz3U4Rf20/OEPjUUqZuILqE19YQle4mDyza2cCxTMYoSqrQCKsd332st1gqGyT0PWRbm ax0w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=b3LOm2s2xCF1azr7IkOHT+UD4KbcGZxr4cVWx9VmzMw=; b=RiAiEop7UWOx3BvkHZNo2xKLxHYpHJdIWEuobJssyYkcmJcaa47JIu5EABA2ScYi3i f72eL6QSzj7qE2yG0Y8pWHw/vHhfV3WFA5F/vP1kmV6CmdcUbMo/buq+sxHJnyS7fn60 3pmib2sCwU6fIs6n6O3uE2LMSkWGlvb5vBGOPDpJQerNRfEAZlsKI4Q10PWo1oZRjCgm 99ob7dBIMr8SxBccAcv/NUcOvuDk4ARS6suO1Yb4MBw0L4WuC29pqbLzW7rJL1UMr3Jm y4hmBUCOdfW8S6mkIjA6jOFlWBLL1qIAQW8mo51/iNfS4xJTBDH9tN14n1iioMpLMBQt +fAg==
X-Gm-Message-State: AGi0PuYlLHGW3TUPCLuH/cTOERVT5sv1QWH7R0eFLZvPTQvBwt/Wsce1 dHi0y8P/wb9jcPoGeEr4yan1DSdsmEwDTo5J1jE=
X-Google-Smtp-Source: APiQypLs6VvgyARI2HjBbHQrIIxJ3TBpN79j80VzOHEQL9vUENFd1vNu/w9ubCLKX1xFclxu5C+j9eyZc/UP7R2DIpI=
X-Received: by 2002:a92:5dc4:: with SMTP id e65mr11014509ilg.161.1587766911272; Fri, 24 Apr 2020 15:21:51 -0700 (PDT)
MIME-Version: 1.0
References: <CAHPuVdV9eSCLQOqMF0cq8fHcuSZs7nCgjhHMfMoaV5H=ekbtSA@mail.gmail.com> <CADyWQ+Gugw5ScSGDhDWLvrMQB-nNS+cOAcETQ9ssf2wPMFYq3w@mail.gmail.com> <CA+nkc8DkHaVR91koywh4KMx+-Pmw2gRR1KnuwUcP_j0G+k3S7A@mail.gmail.com> <CAHPuVdWSAX8Ha=djd_6qGC8NvaKAPjnNxu5UX8XW7fwZ6t_U_A@mail.gmail.com> <CA+nkc8DDHsocDkReb1GA1=6d_yau_jXLgwxZRhMFAfdJHaXMiw@mail.gmail.com> <CAHQ5LGpys=rDCDyvoBRW1_p4=V9XRCq+v5+cmqKaWHHbsCTNOA@mail.gmail.com> <CAHPuVdUEWQ+-OU8VTPwbZ8WDN8iTRk7dC0EASJNJVFr4FovaXA@mail.gmail.com>
In-Reply-To: <CAHPuVdUEWQ+-OU8VTPwbZ8WDN8iTRk7dC0EASJNJVFr4FovaXA@mail.gmail.com>
From: Gavin McCullagh <gmccullagh@gmail.com>
Date: Fri, 24 Apr 2020 15:21:39 -0700
Message-ID: <CAHQ5LGq91XKZ0Gxz2LLrXzGKEDAvg-U5A89s9b7pgGyO-25f5g@mail.gmail.com>
To: Shumon Huque <shuque@gmail.com>
Cc: Bob Harold <rharolde@umich.edu>, Tim Wicinski <tjw.ietf@gmail.com>, "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000bb8acf05a410cad6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xplYf6_07kCF_niWYwpV6iyZ6iA>
Subject: Re: [DNSOP] New draft on delegation revalidation
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Apr 2020 22:21:54 -0000
Hi Shumon, On Wed, Apr 22, 2020 at 12:32 PM Shumon Huque <shuque@gmail.com> wrote: But appreciating the subtleties of the DNS delegation mechanism involves a > lot of arcane details that are not easy to understand for anyone. If the > namespace is a tree, and zones are contiguous subtrees, how do you a > visualize a zone cut in this data structure? It doesn't cleanly intersect > any node or edge between nodes, but rather partitions the data sets located > at a node in a weird, inconsistent fashion. Most apex RRsets live > authoritatively at the node, but one has a copy in the parent zone, and one > is authoritative in the parent. It's all very complicated. > I agree these things are complicated (and if I'm honest I may be missing subtleties you aren't), but I don't think ordinary DNS users should need to understand that level of detail to be able to work with delegations. We seem to have a choice here between the user needing to understand "the parent must point at the child" versus understanding that "the parent must point at the child which (usually) must point at itself". Everyone I talk to outside the DNS community seems to leap to the former conclusion. I doubt that will change. > [a] seems like a definition which could be changed if it was so decided. >> DS records are totally parent centric for example. It seems like NS could >> be too if we declared the in-zone NS to be "informational only". [...] >> > > Changing (a) properly requires re-designing the DNS delegation mechanism, > and sounds like a much more ambitious undertaking to me. I am actually > interested in looking at that myself, because there are certainly > deficiencies that could be addressed. Since delegation records and glue > address records are unsigned, they can be spoofed, and DNSSEC should really > allow us to detect such spoofing once a resolver sees referral data. And > not (as it now is), after being sent on a wild goose chase to a set of > rogue servers, and subsequently determining that those servers cannot > present a DNSKEY RRset that matches the parent DS. Fixing this, requires > creating a new delegation record type that can be signed in the parent. And > the TTL issue and delegation revalidation would then have to be assessed by > looking at both the child NS set and this new delegation record (although > for secure delegations, the DS set could likely be used in place of the > latter). And then figuring out the large work of how to deploy it Internet > wide. > I may be missing some subtlety here, but parent-centric resolvers seem to use the NS records and DS records from the parent zone today just fine. The DS is signed by the parent and provided in the same response as the referring NS record. If the response was spoofed the DS rrsig wouldn't validate. If the referring NS record needs to be signed, surely that should be designed into DNSSEC. Are you saying you believe that parent-centric resolvers are insecure? > You are right that the TTL control issue primarily comes up at the TLD/SLD > level, but it is certainly not a corner case or that only affects a small > minority, in my estimation. > I didn't mean to suggest the TLD/SLD is a corner case, it obviously isn't. I was trying to point out that the non-registrar case is also not a corner case. Both are common. I suppose I am arguing that the case where: [we have a TLD/SLD managed by an expert DNS operator who understands how to (and is motivated to) manipulate child-centric resolvers to improve redelegation safety] is really a corner case. Perhaps not among the people on this list, but over all delegations in the world, I'd say it is a very tiny fraction. And I'd prefer to optimize to simplify the rest. There are two categories of unfortunate "surprises" we commonly see due to >> child centric resolvers. [...] >> > > I would hope that making resolver behavior consistent would address most > of this. If all resolvers locked on to the authoritative NS set, then most > of the surprises would disappear (hopefully). > Things will break more reliably, for sure. And I agree that consistency is better. But it likely won't make it any easier for non-DNS geeks to understand why. PS How truly intractible is the registry argument? It seems something like >> "When an NS change is made, TTL=3600 for the first N hours, then 2 days >> thereafter." would be a major step forward without drastically increasing >> complexity. >> > > Based on history to date, it seems to be rather intractable, but I would > love to be proven wrong. The interfaces that registrars use to update > delegation records in the registries don't even offer any TTL configuration > option that I've seen (even if the registries were willing to support it). > Does the EPP DNS mapping even support setting TTL? > That's one way to approach it. What I was thinking was, if the registries want to dictate the TTL, that seems understandable. But in so doing, they could have a process where they dictate a lowered TTL (of their choice) for a period after each change, then raise it back up to normal in order to reduce the impact of mistakes/problems. A "bake period" essentially. The timers would be argued about of course, like all magic numbers, but something conservative like an hour would seem like a major improvement on today. Hypothetically, would you consider that would improve your use case? Gavin
- Re: [DNSOP] New draft on delegation revalidation Mark Andrews
- [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Bob Harold
- Re: [DNSOP] New draft on delegation revalidation Tim Wicinski
- Re: [DNSOP] New draft on delegation revalidation Brian Dickson
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Stephane Bortzmeyer
- Re: [DNSOP] New draft on delegation revalidation Stephane Bortzmeyer
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation John Levine
- Re: [DNSOP] New draft on delegation revalidation Paul Vixie
- Re: [DNSOP] New draft on delegation revalidation Paul Vixie
- Re: [DNSOP] New draft on delegation revalidation Puneet Sood
- Re: [DNSOP] New draft on delegation revalidation Ólafur Guðmundsson
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation John R Levine
- Re: [DNSOP] New draft on delegation revalidation Bob Harold
- Re: [DNSOP] New draft on delegation revalidation Gavin McCullagh
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Patrick Mevzek
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Patrick Mevzek
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Joe Abley
- Re: [DNSOP] New draft on delegation revalidation Vladimír Čunát
- Re: [DNSOP] New draft on delegation revalidation Giovane C. M. Moura
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Gavin McCullagh
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] Privacy and DNSSEC Vladimír Čunát
- Re: [DNSOP] Privacy and DNSSEC Paul Vixie
- Re: [DNSOP] Privacy and DNSSEC Masataka Ohta
- Re: [DNSOP] Privacy and DNSSEC Vittorio Bertola
- Re: [DNSOP] New draft on delegation revalidation Joe Abley
- Re: [DNSOP] New draft on delegation revalidation Paul Vixie
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] Privacy and DNSSEC Shumon Huque
- [DNSOP] Client Validation - filtering validation? Brian Dickson
- Re: [DNSOP] Privacy and DNSSEC Paul Vixie
- Re: [DNSOP] Privacy and DNSSEC Mark Andrews
- Re: [DNSOP] New draft on delegation revalidation Giovane C. M. Moura
- Re: [DNSOP] Client Validation - filtering validat… Vittorio Bertola
- Re: [DNSOP] Client Validation - filtering validat… Paul Wouters
- Re: [DNSOP] Client Validation - filtering validat… S Moonesamy
- Re: [DNSOP] Client Validation - filtering validat… John Levine
- Re: [DNSOP] Client Validation - filtering validat… Paul Vixie
- Re: [DNSOP] Privacy and DNSSEC Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] Privacy and DNSSEC Paul Vixie
- Re: [DNSOP] Privacy and DNSSEC Shumon Huque
- Re: [DNSOP] Privacy and DNSSEC Paul Wouters
- Re: [DNSOP] Privacy and DNSSEC Shumon Huque
- Re: [DNSOP] Privacy and DNSSEC Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Daniel Migault
- Re: [DNSOP] Privacy and DNSSEC Paul Vixie
- Re: [DNSOP] Privacy and DNSSEC Paul Vixie
- Re: [DNSOP] New draft on delegation revalidation Giovane C. M. Moura
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Daniel Migault
- Re: [DNSOP] New draft on delegation revalidation Giovane C. M. Moura
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Petr Špaček
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Giovane C. M. Moura
- Re: [DNSOP] New draft on delegation revalidation Petr Špaček
- Re: [DNSOP] New draft on delegation revalidation Paul Vixie
- Re: [DNSOP] New draft on delegation revalidation Gavin McCullagh
- Re: [DNSOP] New draft on delegation revalidation Shumon Huque
- Re: [DNSOP] New draft on delegation revalidation Paul Vixie