Re: [DNSOP] If DNSSEC signatures do not validate ...

Davey Song <songlinjian@gmail.com> Tue, 28 April 2020 13:48 UTC

MIME-Version: 1.0
References: <CAAObRXL-hFZ1jFo8dW-+M+2SR8gJ7vypKLMaJNuQJBvCsdJ0Gg@mail.gmail.com> <alpine.LRH.2.21.2004280931470.18623@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.21.2004280931470.18623@bofh.nohats.ca>
From: Davey Song <songlinjian@gmail.com>
Date: Tue, 28 Apr 2020 21:48:12 +0800
Message-ID: <CAAObRXJKf67Hv8i+fTUWcQMqpk-8hL6PPQ=iXtWnZ8yzk-wNWQ@mail.gmail.com>
To: Paul Wouters <paul@nohats.ca>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ce064905a45a1559"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/z3f49i9Ghz1JYfXlEssvQw4XrP4>
Subject: Re: [DNSOP] If DNSSEC signatures do not validate ...

> I think you mean if you receive a BOGUS validation result (eg missing
> RRSIG records, or otherwise are not getting the records needed for proof
> of non-existence or signatures). In that case, I think the existing
> DNS protocol already tells you to try other servers?
>

According to RFC4035 section 5.5, there is no retry to other servers.


> This looks exactly what the ADD working group is working on?


Thanks. I will check that.

> The only
> difference is instead of preferring some more private mechanism, you
> only prefer the more private mechanism upon some failure case?


I prefer current infrastructure already deployed.

Davey
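Added illustration, not part of this thread and not code from either poster: a constructed toy model of the distinction the two messages turn on. A transport failure (no answer from a server) falls under the ordinary RFC 1034/1035 retry logic, so the resolver moves on to the next server in its list; a BOGUS validation result under RFC 4035 section 5.5 instead yields RCODE 2 (SERVFAIL) to the client without trying further servers, unless the client set the CD bit, in which case the full unvalidated response is returned. The HMAC check, the `make_server` factory, the `Timeout` exception and all names and addresses below are assumptions of this example; a real DNSSEC validator verifies public-key RRSIGs against a chain of trust, which is not modelled here.

```python
"""Toy model of RFC 4035 section 5.5 resolver behaviour (constructed example)."""
import hmac
import hashlib
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

RCODE_NOERROR = 0
RCODE_SERVFAIL = 2

# Stand-in for the zone's signing key. Real DNSSEC uses public-key RRSIGs;
# an HMAC is used here only so the example runs offline without a key library.
TRUSTED_KEY = b"constructed-zone-key"


def sign_rrset(name: str, rdata: List[str], key: bytes = TRUSTED_KEY) -> str:
    """Produce the toy 'RRSIG' over a canonically ordered RRset."""
    msg = (name + "|" + "|".join(sorted(rdata))).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class Response:
    name: str
    rdata: List[str]
    rrsig: Optional[str]  # None models a response with the RRSIG missing


class Timeout(Exception):
    """Models a server that never answers (a transport failure, not a DNSSEC one)."""


def validate(resp: Response) -> str:
    """Return 'secure' or 'bogus'. A missing or mismatching signature is bogus."""
    if resp.rrsig is None:
        return "bogus"
    expected = sign_rrset(resp.name, resp.rdata)
    return "secure" if hmac.compare_digest(expected, resp.rrsig) else "bogus"


def resolve(name: str,
            servers: List[Callable[[str], Response]],
            cd_bit: bool = False) -> Tuple[int, Optional[List[str]], int]:
    """Query servers in order; return (rcode, rdata or None, servers_tried)."""
    tried = 0
    for server in servers:
        tried += 1
        try:
            resp = server(name)
        except Timeout:
            # No answer at all: classic resolver retry logic tries the next server.
            continue
        if cd_bit or validate(resp) == "secure":
            # RFC 4035 5.5: with CD set the full response is returned regardless
            # of validation; a secure answer is returned as usual.
            return RCODE_NOERROR, resp.rdata, tried
        # RFC 4035 5.5: bogus -> RCODE 2 to the client. Note there is no
        # 'continue' here: the resolver does not go on to the other servers.
        return RCODE_SERVFAIL, None, tried
    # Every server was unreachable.
    return RCODE_SERVFAIL, None, tried


def make_server(rdata: List[str], rrsig_ok: bool = True,
                reachable: bool = True) -> Callable[[str], Response]:
    """Build a simulated authoritative server (constructed test fixture)."""
    def server(name: str) -> Response:
        if not reachable:
            raise Timeout(name)
        sig = sign_rrset(name, rdata) if rrsig_ok else None
        return Response(name, rdata, sig)
    return server


if __name__ == "__main__":
    # Constructed sample addresses from the documentation ranges (RFC 5737).
    good = make_server(["192.0.2.1"])
    bogus = make_server(["198.51.100.9"], rrsig_ok=False)
    down = make_server(["192.0.2.1"], reachable=False)

    print("timeout then good:   ", resolve("example.test", [down, good]))
    print("timeout then bogus:  ", resolve("example.test", [down, bogus, good]))
    print("same, CD bit set:    ", resolve("example.test", [down, bogus, good], cd_bit=True))
```

In the second run the third server would have given a valid answer, but it is never asked: the bogus result ends the lookup with SERVFAIL, which is the behaviour the reply above points to in section 5.5.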