Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-dnssec-validator-requirements

Daniel Migault <mglt.ietf@gmail.com> Thu, 07 May 2020 18:00 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D3603A0949; Thu, 7 May 2020 11:00:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c-r_0h2ceQeL; Thu, 7 May 2020 11:00:24 -0700 (PDT)
Received: from mail-vs1-xe2e.google.com (mail-vs1-xe2e.google.com [IPv6:2607:f8b0:4864:20::e2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 072673A0941; Thu, 7 May 2020 11:00:24 -0700 (PDT)
Received: by mail-vs1-xe2e.google.com with SMTP id m24so3923457vsq.10; Thu, 07 May 2020 11:00:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9Ydd+3eRgxFE9gk/IXR7tYrRNpZ0VJ9clUnn1CkA1ZM=; b=HSx2zIFVjQuQfh2JIpWTrREx0fJDOdv6LJRV8hcp18eH7kc+cxyj4UZ3e/uDX7EIhl ytnZoAiM+8nlcWN84eYUaMvOdg6PLN8GpVjDHLp+++Q3XsqGQCzQxeBNGyI/IiTeKcYC SSzvRCq0JZ5jqwKWrmTveAPhmbXFAKRHC6AjC2THWq9qiZYe8/Vz09TXIITuYGb0B2/e U0KIli0XWwe9s7IBZ33f30dYny9PMQEqPFXcHD2V8/XMbWSbm8xwUd7r7HNb+HGIpivM O/x14aNcwscfqmCifz80Q005jKZtuOG+e2/tmEQXOshGoKABLI/S3UMUNwB49yCME/wZ jC0A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9Ydd+3eRgxFE9gk/IXR7tYrRNpZ0VJ9clUnn1CkA1ZM=; b=qg0K877shWbBmVCGvoZknXnnlBiAm3KbDWTfsMLx2YshPlD4rRNLOl3X8Lz8wLs/Bv g1Dq61YNP/wa8pDy351QXY+R66jIC93eyElvUSEkJ4qP09o3K7XOSWrognxhC24Y4MXD 1UOYzfZYY/AUTc7QknjvfuPh7o8ixTYk0MV3M9k92r5S+9AbzFND40cD1FqrV25IHEaW RSXWWcQlrg7znRP+zTulwDyLCvibVEQYCRBe2yqffcFTCZDpNa43A/87NcremXYz8efb Ge4UdGTDN8yz3rhVWCs6o5icpsc7B6gdf5xaYsYMotIzzWZnLTtqk8uIjmCx3CkofU5o ypiQ==
X-Gm-Message-State: AGi0PubTaZY85HlL3oVv2u1KoHMqx3l8BszKAfqADXRCSb8m0SobSm++ V3n4B7bhbLbaOW7xmICC+ipUp1v8hgiHzSDT8dw=
X-Google-Smtp-Source: APiQypIvGJx89fEiZmVuK6qDAcuHIbeXASJ0rrb5d5cI4smxS1dUN9q/I6KQ3ChfH8PtimJLo/DnH4th+eoibvhPwy8=
X-Received: by 2002:a67:fc46:: with SMTP id p6mr14583740vsq.169.1588874423044; Thu, 07 May 2020 11:00:23 -0700 (PDT)
MIME-Version: 1.0
References: <CADyWQ+HTU92FYYFvogsur9jSZ+qj03PWPVNbiWSe4g_zCn=5wg@mail.gmail.com> <20200506084836.GA14813@nic.fr> <CAHPuVdULY19T3KD1u5xng_gSA54fY1wAB4xKV+PimAZyhZnh4g@mail.gmail.com> <CAHPuVdVOUPhY7dGzFOypr8qF4TNr41wq1N7nmvpfr9Exrt83gw@mail.gmail.com>
In-Reply-To: <CAHPuVdVOUPhY7dGzFOypr8qF4TNr41wq1N7nmvpfr9Exrt83gw@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Thu, 7 May 2020 14:00:11 -0400
Message-ID: <CADZyTknNg5scdYuu8xQ5Lpg2aLFwfBiHAy--DrDxq6Ht0p+jYw@mail.gmail.com>
To: Shumon Huque <shuque@gmail.com>
Cc: Stephane Bortzmeyer <bortzmeyer@nic.fr>, Tim Wicinski <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>, dnsop-chairs <dnsop-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000940f4405a512a7ee"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/zQOFlBC_yi-OLLRXsdTHSjxzU1k>
Subject: Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-dnssec-validator-requirements
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 May 2020 18:00:28 -0000

Thanks for the feed back Shumon,

I agree that we should at least clarify where the responsibilities are so
the mechanisms become more focused on smoothing the edges rather that
compensating what the other party may not do.
I also agree that fixed values might be more appropriated and the RDO
should ensure time derivation will go beyond these values.

Yours,
Daniel

On Thu, May 7, 2020 at 8:50 AM Shumon Huque <shuque@gmail.com> wrote:

> On Thu, May 7, 2020 at 8:34 AM Shumon Huque <shuque@gmail.com> wrote:
>
>> On Wed, May 6, 2020 at 4:49 AM Stephane Bortzmeyer <bortzmeyer@nic.fr>
>> wrote:
>>
>> The draft apparently do not mention advices on expiration slack (such
>>> as val-sig-skew-min and val-sig-skew-max in Unbound). Is there a
>>> consensus on (I quote Unbound documentation) "The signature inception
>>> and expiration dates are allowed to be off by 10% of the signature
>>> lifetime"?
>>>
>>
>> RFC 6781 Section 4.4.2 (Signature Validity Periods) does mention having
>> a reasonable signature inception offset, but recommends no value. It does
>> not mention a signature expiration skew. It would be good to treat this
>> subject in the document. Personally, I would prefer a fixed value (~ 5 to
>> 10 minutes) rather than a percentage. Otherwise, the validator may be
>> using
>> a possibly unacceptably small or large skew values depending on the
>> validity
>> interval.
>>
>
> Just to quickly follow-up on my own post (sorry!), I realize this draft is
> only
> about  validator requirements, but RFC6781 describers signer
> recommendations.
>
> Still, the skew issue has come up for me recently in signer implementations
> too. One commercial DNSSEC implementation we were using was generating
> on-the-fly signatures with _no_ inception offset - which means if the
> validator's
> clock was off even slightly, and supported no skew, it would fail. It
> required
> some vigorous arguing with this vendor to get them to use an inception
> offset.
> So, the skew issue ideally needs to be addressed on both sides (and it
> might
> be reasonable to mention that in this draft).
>
> Shumon.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>


-- 
Daniel Migault
Ericsson