Hi Mark,
On 19/07/2024 01:09, Mark Andrews wrote:
One can test if the zone is properly signed by installing trust anchors
in recursive servers you control and have your applications use them.
This is much less complicated than expecting validators to be updated to
soft fail on this/these new algorithm(s). They are already complicated
pieces of software that have to check lots of things. Adding more to
this will make them even more complicated. Remember answers come from
multiple zones and they depend on even more zones. DMARC is trivial
compared to DNSSEC validation.
The main concern with dry-run is DNSSEC adoption.
Now with DNS Error Reporting in place, this seems like the next logical
step. To have the ability to soft fail production (and report back) thus
the comparison with DMARC.
It is true that you can already test your signed zone before it goes to
production but that can fail miserably if you can't replicate production
in your testing. The recent example was the slack incident; and I was
happy to know that they stuck with their DNSSEC plans.
What does it mean if a parent zone turns on dry run?
I understand that you ask about the child in that case, if not let me know.
If the parent turns on dry-run and the parent was insecure before
dry-run, the child would not care. The child is insecure in the first
place. If dry-run DNSSEC fails for the parent, the validator will
fallback to insecure for the parent and continue with the child.
If the parent turns on dry-run (by putting the dry-run DSes next to the
real ones) and the parent was secure before dry-run, the child will
remain in the state that it was supposed to be.
If dry-run DNSSEC fails for the parent, the validator will fallback to
the real DSes and continue validation. The child will have the same
status as before dry-run.
People keep mentioning DMARC. That is trivial compared to this.
This indeed raises complexity in validators.
After implementing DNS Error Reporting I would like to test the waters
with prototyping dry-run and get some needed experience.
Best regards,
-- Yorgos
_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
