Hi Peter,
On 23. 06. 23 at 19:29, Peter Thomassen wrote:
On 6/23/23 17:21, libor.peltan wrote:
I would expect the combination of a nameserver not being reachable
and the other party being malicious to be quite a rare event.
A combination of a nameserver being unreachable and another one
being misconfigured e.g. in the sense of Section 2.2.1 (in the -03
version of the doc) does not seem too improbable to me.
My take is that the likelihoods multiply, so the combination is much
more unlikely than an isolated event of either type.
My concerns are based on the following situation. Imagine that:
- two servers publish inconsistent CDNSKEY+CDS records for some
reason, e.g. misconfiguration. This is the exact thing that the draft
tries to address.
- this persists for quite some time, which is highly probable, as DNS
is usually a slowly-changing environment.
- the parent queries both servers and detects the inconsistency. So it
does nothing and tries later. It is the same. It tries again, but still
the same.
- it tries once more and it happens that some stumble on the network
causes one of the queries/responses/connections to time out and one
of the CDNSKEY+CDS scans to fail.
- the parent concludes that one of the servers is unreachable and the
other one is consistent with itself, accepting its CDNSKEY+CDS. This is
the very thing that your draft is trying to defend against, but fails in
this case.
I would think about defining some form of "permanent unreachability" and
ignore the servers only in that case. Everything would become much more
complicated, but I think it is the right thing to do. And if not, it
should be argued that the risk is reasonably acceptable.
Oh yeah, I agree. It's just that the section got longer and longer,
and I felt like it takes forever until the reader arrives at the
actual spec -- so I turned that section into an appendix.
All right! I overlooked the appendix, sry.
Cheers,
Peter
Please don't take this as if I tried to torpedo your draft. I'm trying to
improve it by constructive opposition ;)
Libor
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
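
The scan sequence described in the message above, as an added example that is not part of the original e-mail or of the draft: a parent that ignores any nameserver failing in the current scan, next to one that ignores a nameserver only after repeated failures. The function names, the sample records and the reading of "permanent unreachability" as `threshold` consecutive failed scans are assumptions made for illustration.

```python
# Added illustration; names and the threshold are assumptions, not from the draft.
from collections import Counter

UNREACHABLE = None  # constructed marker: the scan of this nameserver timed out

def decide(scan, ignore):
    """Return the CDS/CDNSKEY set to accept, or None to do nothing.

    scan:   {nameserver: frozenset of records, or UNREACHABLE}
    ignore: nameservers the policy allows the parent to leave out.
    """
    answers = set()
    for ns, rrset in scan.items():
        if ns in ignore:
            continue
        if rrset is UNREACHABLE:
            return None  # consistency cannot be confirmed, retry later
        answers.add(rrset)
    return answers.pop() if len(answers) == 1 else None

def naive_policy(rounds):
    """Ignore any nameserver that fails in the current scan."""
    out = []
    for scan in rounds:
        down = {ns for ns, r in scan.items() if r is UNREACHABLE}
        out.append(decide(scan, down))
    return out

def persistent_policy(rounds, threshold=3):
    """Ignore a nameserver only after `threshold` consecutive failed scans."""
    streak, out = Counter(), []
    for scan in rounds:
        for ns, r in scan.items():
            streak[ns] = streak[ns] + 1 if r is UNREACHABLE else 0
        down = {ns for ns, n in streak.items() if n >= threshold}
        out.append(decide(scan, down))
    return out

# Constructed scan history: ns1 and ns2 disagree; ns2 times out once, in round 4.
A, B = frozenset({"CDS key-A"}), frozenset({"CDS key-B"})
ROUNDS = [{"ns1": A, "ns2": B}] * 3 + [{"ns1": A, "ns2": UNREACHABLE}] \
         + [{"ns1": A, "ns2": B}]

if __name__ == "__main__":
    print("naive:     ", naive_policy(ROUNDS))       # accepts A in round 4
    print("persistent:", persistent_policy(ROUNDS))  # never accepts
```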