On 1/6/2020 12:13 PM, John Levine wrote:
> In article <9952199f-9ea5-2d51-a5d2-6aaf80577...@nthpermutation.com> you write:
>> If a computer can't figure out what to do with a failed validation
>> absent human interaction, then you might as well say:
>> "ZONEMD RRs may be safely ignored by all but the geekiest of DNS human
>> operators as there is no guidance on what to do if you see a zone that
>> appears to be incomplete due to ZONEMD RR validation as it might not
>> actually be incomplete"
>
> Well, OK, here's a concrete example. I download the COM zone every
> day from Verisign, and also a separate file with an MD5 hash of the
> main file. Using RFC 2119 language, what do I do if the hash I get
> doesn't match their hash?
>
> For background, there are about 1600 people with passwords to download
> the .com file, with a few dozen new passwords issued each month. I
> can tell you what I do with the zone file, but I have no idea what the
> other 1599 do. The downloads are by plain old FTP, since this was set
> up a long time ago.
Ok - you've described half of this - the download and the validation.
Let's move on to the use. E.g. you now have a zone with a good ZONEMD
- you throw it into what application? Or you now have a zone with a
bad (unable to validate) ZONEMD - do you still throw it into the
application? Does the application check the ZONEMD, or did you do that
manually? If you throw the zone into the application without
validation, then what? Do you retry the download? How often, and how
long between tries?
If I'm downloading this and all I'm going to do with it is browse the
text - who cares? If I'm downloading this and the data is going to end
up serving infrastructure of some sort then what should I do before I
come to depend on the data?
Please provide a general rule for automated handling of failed
validations. That's all I'm asking. Of course humans will violate that
rule - not the point.
Later, Mike
> R's,
> John
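The following is an added example, not code from this thread or from any ZONEMD implementation. It models the download John describes (a zone file plus a separate MD5 digest file, both fetched from the same source) and shows one concrete answer to Mike's request for an automated rule on failed validation: accept only a copy whose digest verifies, re-fetch a bounded number of times, otherwise keep serving the last validated copy and flag an operator, and refuse to load anything if no validated copy exists. The digest-file layout (`<hex>  <filename>`, as written by md5sum), the retry count, the `scripted_fetcher` stand-in for the FTP download and the sample zone are all assumptions made for the example. It does not compute an RFC 8976 ZONEMD digest; that requires canonical RR ordering and wire format, which is out of scope here.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Tuple

# Constructed sample zone for the example; not real registry data.
SAMPLE_ZONE = (
    b"$ORIGIN example.\n"
    b"example. 3600 IN SOA ns1.example. hostmaster.example. 2020010601 7200 3600 1209600 3600\n"
    b"example. 3600 IN NS ns1.example.\n"
    b"ns1.example. 3600 IN A 192.0.2.1\n"
)


def compute_digest(zone: bytes, algorithm: str = "md5") -> str:
    """Hex digest of the zone bytes; md5 because that is what the thread describes."""
    return hashlib.new(algorithm, zone).hexdigest()


def parse_digest_file(text: str) -> str:
    """Assumed sidecar layout: '<hexdigest>  <filename>' as written by md5sum.

    Anything that is not exactly 32 hex characters is rejected, so a truncated
    download or an HTML error page in place of the digest file fails too.
    """
    fields = text.split()
    if not fields:
        raise ValueError("empty digest file")
    digest = fields[0].lower()
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("digest field is not 32 hex characters")
    return digest


def digest_matches(zone: bytes, expected_hex: str, algorithm: str = "md5") -> bool:
    """Constant-time comparison of the computed and published digests."""
    return hmac.compare_digest(compute_digest(zone, algorithm), expected_hex.lower())


@dataclass
class LoadResult:
    zone: bytes
    source: str           # "fresh" or "last_known_good"
    attempts: int         # downloads performed before the decision was made
    needs_operator: bool  # True when we fell back and a human should look


def load_zone(fetch: Callable[[], Tuple[bytes, str]],
              last_known_good: Optional[bytes],
              max_attempts: int = 3) -> LoadResult:
    """Automated policy for a failed validation (an assumption for this example):

    1. Fetch the zone and its digest file; accept only when the digest verifies.
    2. On mismatch or unparsable digest, re-fetch, up to max_attempts in total.
    3. If every attempt fails, keep serving the last validated copy and flag it.
    4. If there is no last validated copy, refuse to load anything (fail closed).
    """
    for attempt in range(1, max_attempts + 1):
        zone, digest_text = fetch()
        try:
            expected = parse_digest_file(digest_text)
        except ValueError:
            continue
        if digest_matches(zone, expected):
            return LoadResult(zone, "fresh", attempt, False)
    if last_known_good is not None:
        return LoadResult(last_known_good, "last_known_good", max_attempts, True)
    raise RuntimeError(
        "zone failed validation %d times and no validated copy exists" % max_attempts)


def scripted_fetcher(responses: Iterable[Tuple[bytes, str]]) -> Callable[[], Tuple[bytes, str]]:
    """Stand-in for the FTP download (assumed for the example): returns the
    scripted (zone, digest_file) pairs in order, repeating the last one."""
    responses = list(responses)
    state = {"i": 0}

    def fetch() -> Tuple[bytes, str]:
        item = responses[min(state["i"], len(responses) - 1)]
        state["i"] += 1
        return item
    return fetch


if __name__ == "__main__":
    good_digest_file = compute_digest(SAMPLE_ZONE) + "  com.zone\n"
    corrupted = SAMPLE_ZONE.replace(b"192.0.2.1", b"192.0.2.9")  # damaged in transit
    # First download arrives damaged, the retry is clean.
    result = load_zone(scripted_fetcher([(corrupted, good_digest_file),
                                         (SAMPLE_ZONE, good_digest_file)]),
                       last_known_good=None)
    print(result.source, result.attempts, result.needs_operator)  # fresh 2 False
```

Two caveats a practitioner would attach to this. First, a digest file fetched over the same plain-FTP channel as the zone detects transfer corruption, not deliberate substitution: whoever can alter the zone in transit can alter the sidecar as well, which is the gap ZONEMD addresses by carrying the digest inside the zone where DNSSEC can sign it. Second, the fallback step only works if the loader actually retains the last validated copy; a consumer that overwrites it on every download has nothing to serve when validation fails.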
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop