[DNSOP] Re: Testbed for draft-ietf-dnsop-ns-revalidation "Delegation Revalidation by DNS Resolvers"
Petr Špaček <pspacek@isc.org> Fri, 27 June 2025 09:41 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/zjACkLXpec-hgkjqyeOe743r8co>
On 25. 06. 25 11:42, Willem Toorop wrote:
> Hi Petr,
>
> Thanks for this. This will also be very helpful implementing the
> /scoped/ strict and opportunistic validation (on the roadmap for Unbound).
>
> Would it be possible for you to provision the name servers for
> testiscorg.ch (ns[1-4].as207960.net.) to send along an agent domain
> with an EDNS0 Report-Channel option, so we can test reporting of the
> mismatch as well? (as described in the fourth paragraph of Section 3.
> Upgrading NS RRset Credibility
> <https://www.ietf.org/archive/id/draft-ietf-dnsop-ns-revalidation-10.html#name-upgrading-ns-rrset-credibil>)
>
> Would it also be possible for you to provision the name servers for the
> test domains to send along an agent domain with an EDNS0 Report-Channel
> option? To also test reporting to the child domain (even though this is
> optional in the draft).

Unfortunately these servers are not under our control, it is a throw-away test domain. I've poked at the possibility of moving it onto our own infrastructure but it would be more involved and I ran out of time. Sorry!

> I hope so,
>
> Thanks!
>
> -- Willem
>
> On 28-04-2025 at 18:16, Petr Špaček wrote:
>> Hello dnsop.
>>
>> Here's a little test bed to enable testing the running code (in
>> Unbound) and to help evaluating the proposed protocol:
>>
>> child-bogus-a.nsreval.testiscorg.ch.
>> child-bogus-ns.nsreval.testiscorg.ch.
>> child-short-ttl.nsreval.testiscorg.ch.
>>
>> TXT RRs on apex will give you more details about each zone.
>>
>> Generally, parent and child zones disagree on either NS name or NS
>> TTL. tcpdump usage is advisable to detect where queries are being sent
>> and at what frequency.
>>
>> Please e-mail me in case it does not work or something is unclear. HTH!
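The parent/child disagreement the test bed is built around (NS name or NS TTL), as an added example that is not part of the original messages or of any resolver's code: it compares the NS RRset from a parent-side referral with the one from the child apex, given as `dig`-style record lines. The zone `child.example.test.`, its name server names and the TTLs are constructed sample data, and the input is assumed to come from non-recursive queries to the authoritative servers, so TTLs are the published values rather than cache countdowns.

```python
def parse_ns(text):
    """Return {NS target: TTL} from 'owner TTL IN NS target' lines."""
    rrset = {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()      # drop dig-style comments
        if len(fields) != 5:
            continue
        if fields[2].upper() != "IN" or fields[3].upper() != "NS":
            continue
        # DNS names compare case-insensitively; normalise the trailing dot.
        target = fields[4].lower().rstrip(".") + "."
        rrset[target] = int(fields[1])
    return rrset


def compare_delegation(parent_text, child_text):
    """Report how the parent-side and child-side NS RRsets disagree."""
    parent, child = parse_ns(parent_text), parse_ns(child_text)
    parent_ttl = min(parent.values(), default=None)
    child_ttl = min(child.values(), default=None)
    return {
        "only_parent": sorted(set(parent) - set(child)),
        "only_child": sorted(set(child) - set(parent)),
        "parent_ttl": parent_ttl,
        "child_ttl": child_ttl,
        "ttl_differs": None not in (parent_ttl, child_ttl)
                       and parent_ttl != child_ttl,
    }


# Constructed sample: authority section of a referral from the parent zone.
PARENT_REFERRAL = """
; referral (non-authoritative delegation data)
child.example.test.  3600 IN NS ns1.old-host.example.test.
child.example.test.  3600 IN NS ns2.old-host.example.test.
"""

# Constructed sample: authoritative answer from the child zone apex.
CHILD_APEX = """
child.example.test.  60 IN NS NS1.new-host.example.test.
child.example.test.  60 IN NS ns2.old-host.example.test
"""

if __name__ == "__main__":
    for key, value in compare_delegation(PARENT_REFERRAL, CHILD_APEX).items():
        print(f"{key}: {value}")
```

A name server that appears only on the parent side is the case worth watching in a packet capture, since a resolver that never re-checks the delegation keeps sending queries there.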