Re: [DNSOP] Call for Adoption: draft-mglt-dnsop-dnssec-validator-requirements
Daniel Migault <mglt.ietf@gmail.com> Thu, 07 May 2020 18:00 UTC
References: <CADyWQ+HTU92FYYFvogsur9jSZ+qj03PWPVNbiWSe4g_zCn=5wg@mail.gmail.com> <20200506084836.GA14813@nic.fr> <CAHPuVdULY19T3KD1u5xng_gSA54fY1wAB4xKV+PimAZyhZnh4g@mail.gmail.com> <CAHPuVdVOUPhY7dGzFOypr8qF4TNr41wq1N7nmvpfr9Exrt83gw@mail.gmail.com>
In-Reply-To: <CAHPuVdVOUPhY7dGzFOypr8qF4TNr41wq1N7nmvpfr9Exrt83gw@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Thu, 07 May 2020 14:00:11 -0400
Message-ID: <CADZyTknNg5scdYuu8xQ5Lpg2aLFwfBiHAy--DrDxq6Ht0p+jYw@mail.gmail.com>
To: Shumon Huque <shuque@gmail.com>
Cc: Stephane Bortzmeyer <bortzmeyer@nic.fr>, Tim Wicinski <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>, dnsop-chairs <dnsop-chairs@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/zQOFlBC_yi-OLLRXsdTHSjxzU1k>
Thanks for the feedback Shumon, I agree that we should at least clarify where the responsibilities are so the mechanisms become more focused on smoothing the edges rather than compensating what the other party may not do. I also agree that fixed values might be more appropriate and the RDO should ensure time derivation will go beyond these values.

Yours,
Daniel

On Thu, May 7, 2020 at 8:50 AM Shumon Huque <shuque@gmail.com> wrote:

> On Thu, May 7, 2020 at 8:34 AM Shumon Huque <shuque@gmail.com> wrote:
>
>> On Wed, May 6, 2020 at 4:49 AM Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
>>
>>> The draft apparently does not mention advice on expiration slack (such as val-sig-skew-min and val-sig-skew-max in Unbound). Is there a consensus on (I quote Unbound documentation) "The signature inception and expiration dates are allowed to be off by 10% of the signature lifetime"?
>>
>> RFC 6781 Section 4.4.2 (Signature Validity Periods) does mention having a reasonable signature inception offset, but recommends no value. It does not mention a signature expiration skew. It would be good to treat this subject in the document. Personally, I would prefer a fixed value (~ 5 to 10 minutes) rather than a percentage. Otherwise, the validator may be using a possibly unacceptably small or large skew value depending on the validity interval.
>
> Just to quickly follow up on my own post (sorry!), I realize this draft is only about validator requirements, but RFC6781 describes signer recommendations.
>
> Still, the skew issue has come up for me recently in signer implementations too. One commercial DNSSEC implementation we were using was generating on-the-fly signatures with _no_ inception offset - which means if the validator's clock was off even slightly, and supported no skew, it would fail. It required some vigorous arguing with this vendor to get them to use an inception offset.
>
> So, the skew issue ideally needs to be addressed on both sides (and it might be reasonable to mention that in this draft).
>
> Shumon.

-- 
Daniel Migault
Ericsson
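As an added illustration of the two skew policies discussed in this exchange (the quoted Unbound percentage-of-lifetime rule versus a fixed allowance) and of the no-inception-offset failure Shumon describes, here is example code that is not from the thread, the draft or any named implementation. The timestamps, the 600-second on-the-fly lifetime and the 30-second clock error are constructed; the check is a simplified model of the RFC 4035 §5.3.1 inception/expiration test, and no min/max clamp on the percentage is modelled.

```python
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    VALID = "valid"
    NOT_YET_VALID = "inception is in the validator's future"
    EXPIRED = "expiration is in the validator's past"


@dataclass(frozen=True)
class Rrsig:
    """The two RRSIG RDATA fields this check needs (seconds since the epoch)."""
    inception: int
    expiration: int


def fixed_skew(sig: Rrsig, seconds: int = 300) -> int:
    """Fixed allowance: the same 5 minutes whatever the signature lifetime."""
    return seconds


def percentage_skew(sig: Rrsig, percent: int = 10) -> int:
    """Allowance as a share of the lifetime, as in the quoted Unbound rule
    (integer arithmetic; no min/max clamp is modelled here)."""
    return (sig.expiration - sig.inception) * percent // 100


def check_window(sig: Rrsig, now: int, skew: int) -> Verdict:
    """RFC 4035 §5.3.1 inception/expiration test, widened by `skew` on both
    edges so that a slightly wrong validator clock does not reject the RRSIG."""
    if now + skew < sig.inception:
        return Verdict.NOT_YET_VALID
    if now - skew > sig.expiration:
        return Verdict.EXPIRED
    return Verdict.VALID


def skew_scenarios() -> dict:
    """Constructed timestamps: a signer stamping inception = signing time
    (no inception offset) versus one backdating inception by an hour."""
    t = 1_588_874_400                      # constructed epoch value
    validator_now = t - 30                 # validator clock 30 s behind the signer
    on_the_fly = Rrsig(inception=t, expiration=t + 600)               # 10-minute lifetime
    backdated = Rrsig(inception=t - 3600, expiration=t + 14 * 86400)  # 2-week lifetime
    return {
        "no_offset_no_skew": check_window(on_the_fly, validator_now, 0),        # NOT_YET_VALID
        "no_offset_fixed_skew": check_window(on_the_fly, validator_now, fixed_skew(on_the_fly)),
        "pct_skew_10min_lifetime": percentage_skew(on_the_fly),   # 60 s
        "pct_skew_2week_lifetime": percentage_skew(backdated),    # 121320 s
        "backdated_no_skew": check_window(backdated, validator_now, 0),         # VALID
    }
```

The two percentage results show Shumon's point: the same 10% rule yields one minute of tolerance for a short on-the-fly signature and over a day for a two-week one, while the fixed policy is independent of the validity interval.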