On 1/8/2020 2:07 PM, John R Levine wrote:
Could you give me a b) for each of these please?   E.g. How does ZONEMD make your life better in each of these and what would happen if you - in a future world - were getting ZONEMD data and validation failed?

Unless someone else says they find this level of anecdotal detail useful, I'll pass.

Thought so - OK.

Then let me try a "real world" example and give you a few different choices:

I'm running a private copy of the root zone for my organization. I (automated) check the SOA every so often, and arrange for a download of the zone when it changes. I (automated) get a copy of the zone data, including a ZONEMD RR, everything validates DNSSEC wise, but the ZONEMD RR is invalid (hashes don't match). I do:

a) Discard the download, keep retrying until I get a valid ZONEMD RR, ignoring any changes in the DNSSEC validated data

b) Install what I've been able to validate DNSSEC wise, and delete anything not DNSSEC validated.  E.g. basically ignore the ZONEMD RR and install any validated changes.  Log the error. Schedule a download for next SOA change.

c) Yell for a human to make a decision.

d) (b) plus turn off ZONEMD RR processing in the future

e) anecdotal author's choice.
As I keep telling you, there is nothing new about dealing with invalid zones.  This is just another way to find that a zone is invalid, and it is hard to imagine how anyone who would use ZONEMD wouldn't already have experience dealing with other zone transfer or validation failures.

And I will note that zones are rarely invalid.  They can have extraneous data, or missing targets for things like CNAME.  They can have DNSSEC signature types you don't understand.  They can have missing data where DNSSEC says they should have data, and they can have data where DNSSEC says they shouldn't.   Those don't make the zone IN ITS ENTIRETY invalid, unlike what ZONEMD purports to do.

Later, Mike
Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
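The check-and-decide loop Mike sketches above (fetch the zone, validate, compare the apex ZONEMD digest, then pick a policy) as an added example, not code from either poster or from any ZONEMD implementation. It computes and verifies an RFC 8976 SIMPLE/SHA-384 digest from scratch for a constructed zone that uses only SOA, NS, A and ZONEMD records with absolute owner names; TTLs are hashed as they appear in the zone, which is this toy's assumption since it carries no RRSIGs. The zone data, the apex name `example.` and the helper names (`compute_zonemd`, `verify_zonemd`, `publish`) are all constructed for this example.

```python
"""Toy ZONEMD (RFC 8976) digest computation and verification, SIMPLE scheme, SHA-384.

Supports only SOA, NS, A and ZONEMD RRs with absolute names; class IN.
"""
import hashlib
import socket
import struct

TYPES = {"A": 1, "NS": 2, "SOA": 6, "ZONEMD": 63}
CLASS_IN = 1
SCHEME_SIMPLE = 1   # ZONEMD Scheme 1
HASH_SHA384 = 1     # ZONEMD Hash Algorithm 1


def _labels(name):
    return [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]


def name_to_wire(name):
    """Lowercased wire-format name (RFC 4034 6.2 canonical form)."""
    return b"".join(bytes([len(l)]) + l for l in _labels(name)) + b"\x00"


def name_sort_key(name):
    """RFC 4034 6.1 canonical order: compare labels starting from the root end."""
    return tuple(reversed(_labels(name)))


def rdata_to_wire(rtype, rdata):
    """Wire RDATA for the handful of types this toy supports."""
    if rtype == "A":
        return socket.inet_aton(rdata)
    if rtype == "NS":
        return name_to_wire(rdata)
    if rtype == "SOA":
        mname, rname, *nums = rdata.split()
        return name_to_wire(mname) + name_to_wire(rname) + struct.pack("!5I", *map(int, nums))
    if rtype == "ZONEMD":
        serial, scheme, alg, digest = rdata.split()
        return struct.pack("!IBB", int(serial), int(scheme), int(alg)) + bytes.fromhex(digest)
    raise ValueError("unsupported RR type " + rtype)


def soa_serial(apex, rrs):
    return next(int(rd.split()[2]) for o, _, t, rd in rrs
                if t == "SOA" and o.lower() == apex.lower())


def compute_zonemd(apex, rrs):
    """SHA-384 hex digest over the zone (RFC 8976 SIMPLE scheme).

    rrs is a list of (owner, ttl, type, rdata) tuples. Apex ZONEMD RRs are left
    out (they are the placeholder the digest is written into), exact duplicates
    count once, and RRs are hashed in canonical order: owner, type, RDATA.
    TTLs are hashed as given (assumption of this toy, which has no RRSIGs).
    """
    entries = {}
    for owner, ttl, rtype, rdata in rrs:
        if rtype == "ZONEMD" and owner.lower() == apex.lower():
            continue
        rd = rdata_to_wire(rtype, rdata)
        key = (name_sort_key(owner), TYPES[rtype], rd)
        header = struct.pack("!HHIH", TYPES[rtype], CLASS_IN, ttl, len(rd))
        entries.setdefault(key, name_to_wire(owner) + header + rd)
    h = hashlib.sha384()
    for key in sorted(entries):
        h.update(entries[key])
    return h.hexdigest()


def verify_zonemd(apex, rrs):
    """Return ("ok" | "mismatch" | "absent", computed_hex_digest).

    "absent" means no usable ZONEMD: none at the apex, none whose Serial matches
    the SOA, or none using SIMPLE/SHA-384. RFC 8976 treats that zone as
    *unverified*, which is a different condition from a digest mismatch.
    """
    serial = soa_serial(apex, rrs)
    computed = compute_zonemd(apex, rrs)
    usable = False
    for owner, _, rtype, rdata in rrs:
        if rtype != "ZONEMD" or owner.lower() != apex.lower():
            continue
        zserial, scheme, alg, digest = rdata.split()
        if int(zserial) != serial or int(scheme) != SCHEME_SIMPLE or int(alg) != HASH_SHA384:
            continue  # RFC 8976: ignore ZONEMD RRs that do not apply to this SOA/scheme/alg
        usable = True
        if digest.lower() == computed:
            return "ok", computed
    return ("mismatch" if usable else "absent"), computed


def publish(apex, rrs):
    """Copy of the zone with a freshly computed apex ZONEMD RR appended (publisher side)."""
    digest = compute_zonemd(apex, rrs)
    return rrs + [(apex, 3600, "ZONEMD", f"{soa_serial(apex, rrs)} {SCHEME_SIMPLE} {HASH_SHA384} {digest}")]


# Constructed sample zone (not real data).
APEX = "example."
ZONE = [
    ("example.", 3600, "SOA", "ns1.example. hostmaster.example. 2020010801 7200 3600 1209600 3600"),
    ("example.", 3600, "NS", "ns1.example."),
    ("example.", 3600, "NS", "ns2.example."),
    ("ns1.example.", 3600, "A", "192.0.2.1"),
    ("ns2.example.", 3600, "A", "192.0.2.2"),
    ("WWW.example.", 300, "A", "192.0.2.10"),
]

if __name__ == "__main__":
    good = publish(APEX, ZONE)
    print("published zone:", verify_zonemd(APEX, good)[0])
    tampered = [(o, ttl, t, "192.0.2.99" if o == "WWW.example." else rd) for o, ttl, t, rd in good]
    print("altered A record:", verify_zonemd(APEX, tampered)[0])
    print("no ZONEMD at all:", verify_zonemd(APEX, ZONE)[0])
```

The three-way status is the point for the policy question in the thread: a "mismatch" on a zone that otherwise validates DNSSEC-wise is the case Mike's options (a) to (d) argue about, whereas "absent" (no ZONEMD, or one whose Serial no longer matches the SOA) only means the zone could not be verified, and a consumer should log and treat those two outcomes differently.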


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop