Re: [DNSOP] KSK-Sentinel -- "Walkin' on the SUN"?

2018-05-15 Thread Paul Vixie



Mark Andrews wrote:

Underscore prefix names are entirely user convention the same way as
IN-ADDR.ARPA and IP6.ARPA are user convention.  There is NOTHING in
resolvers or name servers that treat these names as special in any
sort of way what so ever.

...


i think the ability to log warnings or generate errors if A/ owners 
or MX/NS targets are not RFC952-style "hostnames" (that is, if they have 
underscores in them) in BIND8 and BIND9, is a case of treating such 
names as if they are special.


"good? bad? i'm the one with the gun." --ash, in _army of darkness_

--
P Vixie

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop


Re: [DNSOP] KSK-Sentinel -- "Walkin' on the SUN"?

2018-05-15 Thread Mark Andrews
Underscore prefix names are entirely user convention the same way as 
IN-ADDR.ARPA and IP6.ARPA are user convention.  There is NOTHING in resolvers 
or name servers that treat these names as special in any sort of way what so 
ever.

gethostbyname and getnameinfo just implement the user convention. 

ksk-sentinel requires validating recursive servers to have different code paths 
for names that start with these labels.  That makes them special.

As for nothing breaks if you don’t implement, that is true of most/all names in 
the special use registry to exactly the same extent as not implementing 
ksk-sentinel doesn’t break anything.


> On 16 May 2018, at 3:24 am, Ted Lemon  wrote:
> 
> Hm, well, the analogy I was making is that this is essentially a signal to an 
> application, which happens to be a caching name server.  "Other name servers 
> treat them as ordinary names" is not a reason not to list a special-use name 
> in the registry.   Ideally we want names like this to have as small an 
> implementation footprint as possible.   The reason I am objecting to the idea 
> that this is a special-use name is that it doesn't seem fundamentally 
> different to _tcp, aside from the detail of what software happens to consume 
> it.   Special-use names do generally require special treatment by the system, 
> even though we hope that the footprint will be as small as possible.   Right 
> now entries in the table are either not global names (which doesn't apply 
> here) or are intended for special purposes (e.g., example.com, invalid), or 
> require a protocol other than DNS to resolve (local, onion).
> 
> The case for handling this as a special-use name is that we'd want 
> implementors of naming software to find it in the registry so that they'd 
> know to do it, but I don't think that applies here—the downside to not doing 
> it is that you don't get the new feature, not that something breaks.   That's 
> very similar to the downside of not knowing what _tcp means.
> 
> On Tue, May 15, 2018 at 12:39 PM, Matthew Pounsett  wrote:
> 
> 
> On 15 May 2018 at 12:34, Tony Finch  wrote:
> Ted Lemon  wrote:
> 
> > It might be useful to compare this to labels like _tcp that appear in SRV
> > records and elsewhere.
> 
> The reason for listing a name in the RCF 6761 registry is because it needs
> special handling of some kind in DNS software. That isn't the case for the
> _underscore names, which (from the DNS point of view) are just ordinary
> domain names that have conventional uses in applications.
> 
> I'm going to suggest a modification to your first sentence.  The reason for 
> listing a name int he RFC 6761 registry is because it needs special handling 
> of some kind in DNS software that would otherwise be unaware of the special 
> handling required by that name.  In this case, the only name servers that 
> need to handle these names specially are the ones implementing the 
> technology.. all other name servers treat them as ordinary names.
> 
> 
> ___
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop


Re: [DNSOP] Acceptance processing in draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4

2018-05-15 Thread Viktor Dukhovni


> On May 15, 2018, at 3:57 PM, John Levine  wrote:
> 
> I think it's a swell idea to offer people DNSSEC testing services but
> it's hopeless to conflate it with key rotation.

I completely agree with you on key rotation, once the zone has already
been operating signed.  But the document also covers enrollment:

   This document describes a simple protocol that allows a third party
   DNS operator to: establish the initial chain of trust (bootstrap
---
   DNSSEC) for a delegation; update DS records for a delegation; and,
   
   remove DS records from a secure delegation.  The DNS operator may do
   these things in a trusted manner, without involving the Registrant
   for each operation.  This same protocol can be used by Registrants to
   maintain their own domains if they wish.

It is at the time of initial enrollment that I'd like to propose greater
due diligence.

-- 
Viktor.

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop


Re: [DNSOP] Acceptance processing in draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4

2018-05-15 Thread John Levine
In article <8e5d5d6c-6893-473d-a2fe-dcb0b46e7...@dukhovni.org> you write:
>Some of the more subtle, but still very important failure modes
>are not obvious unless *tested*.  It is would be a disservice to
>the ecosystem to blindly turn on only partly working DNSSEC which
>is actually broken in important ways.

I think it's a swell idea to offer people DNSSEC testing services but
it's hopeless to conflate it with key rotation.

R's,
John

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop


Re: [DNSOP] Acceptance processing in draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4

2018-05-15 Thread Viktor Dukhovni


> On May 15, 2018, at 2:29 PM, John Levine  wrote:
> 
> I think you will find that attempts to legislate against being stupid
> do not generally turn out well.  It makes sense to check for mistakes
> that might screw up the upper level name server like an invalid
> algorithm number, but if they want to shoot themselves in the foot,
> there's not much we can do about that.
> 
> There's no way to make a list of every possible stupid thing that
> someone might do, so I wouldn't try.

Some of the more subtle, but still very important failure modes
are not obvious unless *tested*.  It is would be a disservice to
the ecosystem to blindly turn on only partly working DNSSEC which
is actually broken in important ways.

Section 3.4 says:

   The Registration Entity, upon receiving a signal or detecting through
   polling that the child desires to have its delegation updated, SHOULD
   run a series of tests to ensure that updating the parent zone will
   not create or exacerbate any problems with the child zone.  The basic
   tests SHOULD include: [...]

And while we can't enumerate all possible breakage, there are clear
mistakes that are comparatively common now, and which would become
much more prevalent if enrollment is made easier with no due care to
ensure that we're not adding to the problems.

   * Incomplete NSEC chains that break denial of existence of
 the TLSA records of any explicit (or implicit zone apex)
 MX hosts.

   * SOA signatures that are invalid (typically modified after signing)

   * RRtype-based query filtering that drops TLSA/CAA/... queries.

   * ... and a few more ...

The above are not made-up hypotheticals, they are actually observed in
sufficient numbers to establish a pattern of likely failure modes that
need to be tested.  I have around ~200 samples that provide strong evidence
of the most common failure modes.

We can perhaps quibble over which failures might be ignored, but it
would be irresponsible and counter-productive to ignore them all.

-- 
-- 
Viktor.

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop


Re: [DNSOP] Acceptance processing in draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4

2018-05-15 Thread John Levine
In article <1d06889c-770f-4f92-bf06-a76338aeb...@dukhovni.org> you write:
>For example, nazwa.pl has recently signed a bunch of domains with lame
>wildcard NS records under the zone apex.  This breaks denial of existence
>for all child domains, including TLSA lookups, and therefore breaks email
>delivery to the newly signed domains.

I think you will find that attempts to legislate against being stupid
do not generally turn out well.  It makes sense to check for mistakes
that might screw up the upper level name server like an invalid
algorithm number, but if they want to shoot themselves in the foot,
there's not much we can do about that.

There's no way to make a list of every possible stupid thing that
someone might do, so I wouldn't try.

R's,
John

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop


Re: [DNSOP] KSK-Sentinel -- "Walkin' on the SUN"?

2018-05-15 Thread Ted Lemon
Hm, well, the analogy I was making is that this is essentially a signal to
an application, which happens to be a caching name server.  "Other name
servers treat them as ordinary names" is not a reason not to list a
special-use name in the registry.   Ideally we want names like this to have
as small an implementation footprint as possible.   The reason I am
objecting to the idea that this is a special-use name is that it doesn't
seem fundamentally different to _tcp, aside from the detail of what
software happens to consume it.   Special-use names do generally require
special treatment by the system, even though we hope that the footprint
will be as small as possible.   Right now entries in the table are either
not global names (which doesn't apply here) or are intended for special
purposes (e.g., example.com, invalid), or require a protocol other than DNS
to resolve (local, onion).

The case for handling this as a special-use name is that we'd want
implementors of naming software to find it in the registry so that they'd
know to do it, but I don't think that applies here—the downside to not
doing it is that you don't get the new feature, not that something breaks.
  That's very similar to the downside of not knowing what _tcp means.

On Tue, May 15, 2018 at 12:39 PM, Matthew Pounsett 
wrote:

>
>
> On 15 May 2018 at 12:34, Tony Finch  wrote:
>
>> Ted Lemon  wrote:
>>
>> > It might be useful to compare this to labels like _tcp that appear in
>> SRV
>> > records and elsewhere.
>>
>> The reason for listing a name in the RCF 6761 registry is because it needs
>> special handling of some kind in DNS software. That isn't the case for the
>> _underscore names, which (from the DNS point of view) are just ordinary
>> domain names that have conventional uses in applications.
>>
>> I'm going to suggest a modification to your first sentence.  The reason
> for listing a name int he RFC 6761 registry is because it needs special
> handling of some kind in DNS software that would otherwise be unaware of
> the special handling required by that name.  In this case, the only name
> servers that need to handle these names specially are the ones implementing
> the technology.. all other name servers treat them as ordinary names.
>
>
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop


Re: [DNSOP] Acceptance processing in draft-ietf-regext-dnsoperator-to-rrr-protocol-04 section 3.4

2018-05-15 Thread Viktor Dukhovni


> On Apr 28, 2018, at 1:28 AM, Viktor Dukhovni  wrote:
> 
> So at this point I think we understand each other, and the issue comes down 
> to whether it is appropriate for the registry to automatically turn on DS 
> records for the first time for a domain which is substantively operationally 
> deficient at the time its CDS records are encountered.
> 
> I think that garbage-in/garbage-out is not only a disservice to the domain's 
> owner, but more importantly it poisons the ecosystem for everyone else.
> 
> If turning on DNSSEC validation in your resolver stops email delivery to a 
> bunch of domains, or breaks all access to the domain's data, whom exactly is 
> the registry helping by enabling DNSSEC for a substantially broken domain.
> 
> Think of this as anti-pollution environmental regulation.

I see a new version -05, with (so far) the Section 3.4 acceptance text
unchanged. I strongly feel broken DNSSEC adoption is much worse than no
DNSSEC adoption, it not only has operational impact on the target domain,
but also creates strong disincentives to enabling validation in resolvers.

Therefore, if at all possible, broken implementations should not have their
DS records published, and all reasonable effort should be made to detect
known forms of breakage before inflicting such breakage on the world at
large.

For example, nazwa.pl has recently signed a bunch of domains with lame
wildcard NS records under the zone apex.  This breaks denial of existence
for all child domains, including TLSA lookups, and therefore breaks email
delivery to the newly signed domains.  This is easily detected, and such
detection should be part of acceptance criteria for having DS records
published.  Yes, some domains will introduce breakage after the fact,
but we can and should avoid it at inception.

$ grep nazwa broken | ... | xargs -n1 unbound-host -D -t tlsa
validation failure <_25._tcp.andyandmag.pl. TLSA IN>: nodata proof failed from 
85.128.129.10
validation failure <_25._tcp.fruty.pl. TLSA IN>: nodata proof failed from 
85.128.128.10
validation failure <_25._tcp.funit.com.pl. TLSA IN>: nodata proof failed from 
195.238.185.146
validation failure <_25._tcp.informica.org. TLSA IN>: nodata proof failed from 
195.238.185.146
validation failure <_25._tcp.vitacard.pl. TLSA IN>: nodata proof failed from 
85.128.129.10
validation failure <_25._tcp.sjedrzejewski.pl. TLSA IN>: nodata proof failed 
from 85.128.129.10
validation failure <_25._tcp.centrumuslugszklarskich.com. TLSA IN>: nodata 
proof failed from 85.128.129.10
validation failure <_25._tcp.ts3priv.pl. TLSA IN>: nodata proof failed from 
195.238.185.146

-- 
Viktor.

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop


Re: [DNSOP] Publication has been requested for draft-ietf-dnsop-session-signal-07

2018-05-15 Thread Petr Špaček

On 15.5.2018 11:16, Tim Wicinski wrote:

Tim Wicinski has requested publication of draft-ietf-dnsop-session-signal-07 as 
Proposed Standard on behalf of the DNSOP working group.

Please verify the document's state at 
https://datatracker.ietf.org/doc/draft-ietf-dnsop-session-signal/


For the record I still object to moving this to Proposed Standard.

I believe this drafts adds way to many straws to Camel's back.

--
Petr Špaček  @  CZ.NIC

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop


Re: [DNSOP] KSK-Sentinel -- "Walkin' on the SUN"?

2018-05-15 Thread Matthew Pounsett
On 15 May 2018 at 12:34, Tony Finch  wrote:

> Ted Lemon  wrote:
>
> > It might be useful to compare this to labels like _tcp that appear in SRV
> > records and elsewhere.
>
> The reason for listing a name in the RCF 6761 registry is because it needs
> special handling of some kind in DNS software. That isn't the case for the
> _underscore names, which (from the DNS point of view) are just ordinary
> domain names that have conventional uses in applications.
>
> I'm going to suggest a modification to your first sentence.  The reason
for listing a name int he RFC 6761 registry is because it needs special
handling of some kind in DNS software that would otherwise be unaware of
the special handling required by that name.  In this case, the only name
servers that need to handle these names specially are the ones implementing
the technology.. all other name servers treat them as ordinary names.
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop


Re: [DNSOP] KSK-Sentinel -- "Walkin' on the SUN"?

2018-05-15 Thread Petr Špaček

On 14.5.2018 20:10, Warren Kumari wrote:

So, please,*clearly*  state if you think that this:
A: is a SUN
B: is not a SUN


B: is not a SUN. In my view special label is different kind of beast 
than SUN.


--
Petr Špaček  @  CZ.NIC

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop


Re: [DNSOP] KSK-Sentinel -- "Walkin' on the SUN"?

2018-05-15 Thread Tony Finch
Ted Lemon  wrote:

> It might be useful to compare this to labels like _tcp that appear in SRV
> records and elsewhere.

The reason for listing a name in the RCF 6761 registry is because it needs
special handling of some kind in DNS software. That isn't the case for the
_underscore names, which (from the DNS point of view) are just ordinary
domain names that have conventional uses in applications.

Tony.
-- 
f.anthony.n.finchhttp://dotat.at/
promote human rights and open government

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop


Re: [DNSOP] KSK-Sentinel -- "Walkin' on the SUN"?

2018-05-15 Thread Matthew Pounsett
On 14 May 2018 at 14:10, Warren Kumari  wrote:

>
> So, please, *clearly* state if you think that this:
> A: is a SUN
> B: is not a SUN
>
>
> I think this is not a SUN.

6761 has a lot of opportunity in its text to refer to leftmost labels and
doesn't do that, not even in what could have been fairly obvious examples
(e.g. localhost.*).  Also, the SRV registry is not encapsulated in the SUDN
registry, and that seems to me to be the same issue.
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop


Re: [DNSOP] KSK-Sentinel -- "Walkin' on the SUN"?

2018-05-15 Thread Ted Lemon
It might be useful to compare this to labels like _tcp that appear in SRV
records and elsewhere.   Those are not listed in the SUDN registry.   I
think that this also doesn't make sense to list there.   It's an
interesting question, of course, but I think we have a precedent that
answers is.

On Tue, May 15, 2018 at 5:53 AM, Tony Finch  wrote:

> Warren Kumari  wrote:
> >
> > The authors are in disagreement - RFC6761 talks about "Special-Use Domain
> > *Names*", not "Special-Use Domain *Labels*", but Stuart has said that it
> > wasn't intended to be only for TLDs / pseudo-TLDs / things starting at
> the
> > top of the tree.
>
> Hmm. I think that if RFC 6761 were supposed to cover arbitrary labels then
> it ought to have said something about localhost as a subdomain.
>
> > So, please, *clearly* state if you think that this:
> > A: is a SUN
> > B: is not a SUN
>
> KSK-sentinel feels like a new kind of thing, but I guess it has a lot in
> common with let-localhost-be-localhost. So I think our answer should be
> the same for both of them.
>
> My initial reaction was (B), but after I compared with localhost I think
> (A) is probably the right answer.
>
> Tony.
> --
> f.anthony.n.finchhttp://dotat.at/
> Humber, Thames, Dover, East Wight: Northerly 5 or 6. Slight or moderate.
> Fog
> patches. Moderate, occasionally very poor.
>
> ___
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop


Re: [DNSOP] KSK-Sentinel -- "Walkin' on the SUN"?

2018-05-15 Thread Tony Finch
Warren Kumari  wrote:
>
> The authors are in disagreement - RFC6761 talks about "Special-Use Domain
> *Names*", not "Special-Use Domain *Labels*", but Stuart has said that it
> wasn't intended to be only for TLDs / pseudo-TLDs / things starting at the
> top of the tree.

Hmm. I think that if RFC 6761 were supposed to cover arbitrary labels then
it ought to have said something about localhost as a subdomain.

> So, please, *clearly* state if you think that this:
> A: is a SUN
> B: is not a SUN

KSK-sentinel feels like a new kind of thing, but I guess it has a lot in
common with let-localhost-be-localhost. So I think our answer should be
the same for both of them.

My initial reaction was (B), but after I compared with localhost I think
(A) is probably the right answer.

Tony.
-- 
f.anthony.n.finchhttp://dotat.at/
Humber, Thames, Dover, East Wight: Northerly 5 or 6. Slight or moderate. Fog
patches. Moderate, occasionally very poor.

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop


[DNSOP] Publication has been requested for draft-ietf-dnsop-session-signal-07

2018-05-15 Thread Tim Wicinski
Tim Wicinski has requested publication of draft-ietf-dnsop-session-signal-07 as 
Proposed Standard on behalf of the DNSOP working group.

Please verify the document's state at 
https://datatracker.ietf.org/doc/draft-ietf-dnsop-session-signal/

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop