On 1/8/2020 2:07 PM, John R Levine wrote:
Could you give me a b) for each of these please?   E.g. How does ZONEMD make your life better in each of these and what would happen if you - in a future world - were getting ZONEMD data and validation failed?
Unless someone else says they find this level of anecdotal detail 
useful, I'll pass.
Thought so - OK.

Then let me try a "real world" example and give you a few different choices:

I'm running a private copy of the root zone for my organization. I (automated) check the SOA every so often, and arrange for a download of the zone when it changes. I (automated) get a copy of the zone data, including a ZONEMD RR, everything validates DNSSEC-wise, but the ZONEMD RR is invalid (hashes don't match). I do:
a) Discard the download, keep retrying until I get a valid ZONEMD RR, 
ignoring any changes in the DNSSEC validated data
b) Install what I've been able to validate DNSSEC wise, and delete 
anything not DNSSEC validated.  E.g. basically ignore the ZONEMD RR and 
install any validated changes.  Log the error. Schedule a download for 
next SOA change.
c) Yell for a human to make a decision.

d) (b) plus turn off ZONEMD RR processing in the future

e) anecdotal author's choice.


As I keep telling you, there is nothing new about dealing with invalid 
zones.  This is just another way to find that a zone is invalid, and 
it is hard to imagine how anyone who would use ZONEMD wouldn't already 
have experience dealing with other zone transfer or validation failures.
And I will note that zones are rarely invalid.  They can have extraneous 
data, or missing targets for things like CNAME.  They can have DNSSEC 
signature types you don't understand.  They can have missing data where 
DNSSEC says they should have data, and they can have data where DNSSEC 
says they shouldn't.   Those don't make the zone IN ITS ENTIRETY 
invalid, unlike what ZONEMD purports to do.
Later, Mike



Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
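The download-and-verify step Mike walks through above, as an added example that is not part of this thread and not code from any ZONEMD implementation: a stdlib-only Python sketch that checks the apex ZONEMD RR against a digest of the zone and then applies one of the mismatch policies (a) to (d) he lists, logging the failure either way. Assumptions, all constructed for illustration: records are plain (owner, ttl, type, rdata) tuples, the sample zone is made up, and the digest is SHA-384 over a simplified canonical text serialization that stands in for the wire-format canonicalization the later RFC 8976 specifies (scheme 1 SIMPLE, hash algorithm 1 SHA384), so it is not interoperable with real ZONEMD records. The verification outline (serial must match the SOA, unsupported scheme/hash pairs are skipped, the apex ZONEMD RRset and its RRSIG are excluded from the digest) follows that RFC.

```python
import hashlib

# Constructed sample zone, not from the thread: (owner, ttl, type, rdata).
APEX = "example.com."
SAMPLE_ZONE = [
    ("example.com.", 3600, "SOA",
     "ns1.example.com. hostmaster.example.com. 2020010801 7200 3600 1209600 3600"),
    ("example.com.", 3600, "NS", "ns1.example.com."),
    ("example.com.", 3600, "NS", "ns2.example.com."),
    ("ns1.example.com.", 3600, "A", "192.0.2.1"),
    ("ns2.example.com.", 3600, "A", "192.0.2.2"),
    ("www.example.com.", 300, "A", "192.0.2.10"),
]

# Policies (a)-(d) from the message; the action names are illustrative.
POLICY_ACTIONS = {
    "a": "discard-and-retry",                         # wait for a copy with a good ZONEMD
    "b": "install-dnssec-validated",                  # ignore ZONEMD, log, recheck at next SOA
    "c": "escalate-to-human",                         # page an operator
    "d": "install-dnssec-validated-and-disable-zonemd",
}


def canonical_key(owner):
    """Canonical DNS name order: compare labels from the root leftwards, case-insensitively."""
    return tuple(reversed(owner.lower().rstrip(".").split(".")))


def soa_serial(records, apex):
    for owner, _, rtype, rdata in records:
        if owner.lower() == apex.lower() and rtype == "SOA":
            return int(rdata.split()[2])
    raise ValueError("no SOA at apex")


def digest_input(records, apex):
    """Records in canonical order, minus the apex ZONEMD RRset and the RRSIG covering it."""
    kept = []
    for owner, ttl, rtype, rdata in records:
        at_apex = owner.lower() == apex.lower()
        if at_apex and rtype == "ZONEMD":
            continue
        if at_apex and rtype == "RRSIG" and rdata.split()[0] == "ZONEMD":
            continue
        kept.append((owner, ttl, rtype, rdata))
    # Simplification: rdata is ordered as text, not by canonical wire form.
    kept.sort(key=lambda r: (canonical_key(r[0]), r[2], r[3]))
    return kept


def compute_digest(records, apex):
    """SHA-384 over a text rendering; a stand-in for the RFC 8976 wire-format digest."""
    h = hashlib.sha384()
    for owner, ttl, rtype, rdata in digest_input(records, apex):
        h.update(f"{owner.lower()} {ttl} IN {rtype} {rdata}\n".encode())
    return h.hexdigest()


def add_zonemd(records, apex):
    """Publisher side: append an apex ZONEMD RR (serial, scheme 1, hash alg 1, digest)."""
    rdata = f"{soa_serial(records, apex)} 1 1 {compute_digest(records, apex)}"
    return records + [(apex, 3600, "ZONEMD", rdata)]


def verify_zonemd(records, apex):
    """Consumer side: return (ok, reason)."""
    try:
        serial = soa_serial(records, apex)
    except ValueError as exc:
        return False, str(exc)
    zonemds = [r for r in records if r[0].lower() == apex.lower() and r[2] == "ZONEMD"]
    if not zonemds:
        return False, "no ZONEMD RR at apex"
    expected = compute_digest(records, apex)
    usable = 0
    for _, _, _, rdata in zonemds:
        md_serial, scheme, alg, digest = rdata.split()
        if int(md_serial) != serial:
            continue  # stale ZONEMD left over from an earlier serial
        if (scheme, alg) != ("1", "1"):
            continue  # only SIMPLE / SHA-384 is implemented here
        usable += 1
        if digest.lower() == expected:
            return True, "digest matches"
    if usable == 0:
        return False, "no ZONEMD RR with matching serial and supported scheme/hash"
    return False, "digest mismatch"


def handle_download(records, apex, dnssec_ok, policy, log):
    """Decide what to do with a freshly downloaded zone copy; returns the action taken."""
    if not dnssec_ok:
        log.append("DNSSEC validation failed; zone copy rejected")
        return "reject"
    ok, reason = verify_zonemd(records, apex)
    if ok:
        return "install"
    log.append(f"ZONEMD verification failed ({reason}); policy {policy}")
    return POLICY_ACTIONS[policy]


if __name__ == "__main__":
    published = add_zonemd(SAMPLE_ZONE, APEX)
    events = []
    print(handle_download(published, APEX, True, "b", events), events)
```

Policy (b) is the interesting one for detection: the mismatch is still written to the log even though the data is installed, so a monitoring rule on that log line catches the discrepancy without the zone going stale, which is the trade-off Mike's list is asking John to weigh.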
