On 1/8/2020 2:07 PM, John R Levine wrote:
Could you give me a b) for each of these please? E.g. How does
ZONEMD make your life better in each of these and what would happen
if you - in a future world - were getting ZONEMD data and validation
failed?
Unless someone else says they find this level of anecdotal detail
useful, I'll pass.
Thought so - OK.
Then let me try a "real world" example and give you a few different choices:
I'm running a private copy of the root zone for my organization. I
(automated) check the SOA every so often, and arrange for a download of
the zone when it changes. I (automated) get a copy of the zone data,
including a ZONEMD RR, everything validates DNSSEC wise, but the ZONEMD
RR is invalid (hashes don't match). I do:
a) Discard the download, keep retrying until I get a valid ZONEMD RR,
ignoring any changes in the DNSSEC validated data
b) Install what I've been able to validate DNSSEC wise, and delete
anything not DNSSEC validated. I.e. basically ignore the ZONEMD RR and
install any validated changes. Log the error. Schedule a download for
next SOA change.
c) Yell for a human to make a decision.
d) (b) plus turn off ZONEMD RR processing in the future
e) anecdotal author's choice.
As I keep telling you, there is nothing new about dealing with invalid
zones. This is just another way to find that a zone is invalid, and
it is hard to imagine how anyone who would use ZONEMD wouldn't already
have experience dealing with other zone transfer or validation failures.
And I will note that zones are rarely invalid. They can have extraneous
data, or missing targets for things like CNAME. They can have DNSSEC
signature types you don't understand. They can have missing data where
DNSSEC says they should have data, and they can have data where DNSSEC
says they shouldn't. Those don't make the zone IN ITS ENTIRETY
invalid, unlike what ZONEMD purports to do.
Later, Mike
Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
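The refresh loop Mike sketches above (poll the SOA, fetch the zone, check DNSSEC, check ZONEMD, then pick one of the failure policies) as an added example; it is not code from the thread or from any ZONEMD implementation. It models the ZONEMD idea of hashing the whole zone while leaving out the ZONEMD RR and its RRSIG, but uses a simplified presentation-format digest rather than RFC 8976 wire-format canonicalization, so it will not reproduce a real ZONEMD digest. The zone records, the `RR` type, `publish_zonemd` and `refresh_decision` are all constructed for the illustration.

```python
import hashlib
import logging
from dataclasses import dataclass
from enum import Enum

logger = logging.getLogger("zone-refresh")


@dataclass(frozen=True)
class RR:
    """One resource record in presentation form (constructed model, not a DNS library type)."""
    owner: str
    ttl: int
    rtype: str
    rdata: str


def _sort_key(rr):
    # Owner names compare label by label from the root downwards, then by type, then rdata.
    return (rr.owner.lower().rstrip(".").split(".")[::-1], rr.rtype, rr.rdata)


def zone_digest(records):
    """Simplified SHA-384 over every RR except the apex ZONEMD RR and the RRSIG covering it.
    The real RFC 8976 SIMPLE scheme hashes canonical wire format; this hashes a normalized
    presentation form so the example stays self-contained."""
    h = hashlib.sha384()
    for rr in sorted(records, key=_sort_key):
        if rr.rtype == "ZONEMD":
            continue
        if rr.rtype == "RRSIG" and rr.rdata.split()[0] == "ZONEMD":
            continue
        h.update(f"{rr.owner.lower()} {rr.ttl} {rr.rtype} {rr.rdata}\n".encode())
    return h.hexdigest()


def publish_zonemd(records, serial, apex):
    """Publisher side: append a ZONEMD RR (scheme 1 = SIMPLE, hash alg 1 = SHA-384) to the zone."""
    digest = zone_digest(records)
    return records + [RR(apex, 3600, "ZONEMD", f"{serial} 1 1 {digest}")]


class Action(Enum):
    INSTALL = "install"                       # all checks passed
    DISCARD_AND_RETRY = "discard-and-retry"   # option (a), or any DNSSEC failure
    INSTALL_LOG_RETRY = "install-log-retry"   # option (b): use validated data, log, retry later
    ESCALATE = "escalate-to-human"            # option (c)


POLICIES = {"a": Action.DISCARD_AND_RETRY, "b": Action.INSTALL_LOG_RETRY, "c": Action.ESCALATE}


def refresh_decision(records, dnssec_valid, policy="b"):
    """Consumer side: decide what to do with a freshly downloaded zone copy."""
    if not dnssec_valid:
        logger.error("DNSSEC validation failed; discarding download")
        return Action.DISCARD_AND_RETRY
    zonemd = [r for r in records if r.rtype == "ZONEMD"]
    if not zonemd:
        return Action.INSTALL  # no ZONEMD published: nothing extra to verify
    published = zonemd[0].rdata.split()[3].lower()
    if zone_digest(records) == published:
        return Action.INSTALL
    logger.error("ZONEMD digest mismatch (serial %s); applying policy %s",
                 zonemd[0].rdata.split()[0], policy)
    return POLICIES[policy]


# Constructed sample zone, not real root-zone data.
SAMPLE_ZONE = [
    RR("example.", 3600, "SOA", "ns1.example. hostmaster.example. 2020010801 7200 3600 1209600 3600"),
    RR("example.", 3600, "NS", "ns1.example."),
    RR("ns1.example.", 3600, "A", "192.0.2.1"),
    RR("www.example.", 300, "A", "192.0.2.80"),
]

if __name__ == "__main__":
    good = publish_zonemd(SAMPLE_ZONE, 2020010801, "example.")
    print(refresh_decision(good, dnssec_valid=True))
    # Change one record after the digest was computed: the mismatch is detected.
    tampered = [RR("www.example.", 300, "A", "203.0.113.5") if r.rdata == "192.0.2.80" else r for r in good]
    print(refresh_decision(tampered, dnssec_valid=True, policy="b"))
```

Policy (b) is the default here because it keeps the consumer on DNSSEC-validated data while still surfacing the mismatch in logs; swapping `policy="a"` makes the function refuse the download entirely, which is the behaviour Mike's option (a) describes.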