[DNSOP] Artart early review of draft-ietf-dnsop-domain-verification-techniques-01

2023-04-03 Thread Barry Leiba via Datatracker
Reviewer: Barry Leiba Review result: Ready with Nits This is short and reasonably sweet, easily digested. I have a few minor comments that I think will help make the document slightly clearer, and I hope you'll consider them: — Section 3.1 — I think this is generally understandable, but reuse o

[DNSOP] Meaning of lame delegation

2023-04-03 Thread Wessels, Duane
Dear DNSOP, I am participating in an SSAC work party where we are writing about DNS delegations where a delegated name server might be available for registration, allowing an attacker to participate in the resolution for the domain. During report drafting we considered using the term "lame del

Re: [DNSOP] Meaning of lame delegation

2023-04-03 Thread Havard Eidnes
> Dear DNSOP, > > I am participating in an SSAC work party where we are writing > about DNS delegations where a delegated name server might be > available for registration, allowing an attacker to participate in > the resolution for the domain. During report drafting we > considered using the ter

Re: [DNSOP] Meaning of lame delegation

2023-04-03 Thread Mark Delany
On 03Apr23, Wessels, Duane apparently wrote: > Naturally, we turned to RFC 8499, DNS Terminology, but found the entry not > particularly helpful Having recently been involved in writing a tool to check delegations and report errors in a "call to action" way for generalist admins, I agree that t

Re: [DNSOP] DNSOPMeaning of lame delegation

2023-04-03 Thread Wes Hardaker
"Wessels, Duane" writes: > We welcome the working group's thoughts whether "lame delegation" > encompasses these three possibilities. FYI, when working on the EDE draft [RFC8914] we discussed lame delegations some and actually did not document a particular error code related to it, as the meani

Re: [DNSOP] Meaning of lame delegation

2023-04-03 Thread Havard Eidnes
>> There are three possible situations in which this might be >> considered a lame delegation: > > (4) What if NS.EXAMPLE.ORG does respond to EXAMPLE.NET queries > but claims that the correct name server is NS.EXAMPLE.COM? > > Does that make the delegation NS "lame" since resolvers > wi

Re: [DNSOP] Meaning of lame delegation

2023-04-03 Thread John Kristoff
On Mon, 3 Apr 2023 20:02:16 + "Wessels, Duane" wrote: > (1) NS.EXAMPLE.ORG resolves to an IP address. Queries to the IP > address result in a REFUSED, SERVFAIL, upward referral, or some other > indication the name server is not configured to serve the zone. May be lame. I could imagine an

Re: [DNSOP] DNSOPMeaning of lame delegation

2023-04-03 Thread Havard Eidnes
>> We welcome the working group's thoughts whether "lame delegation" >> encompasses these three possibilities. > > FYI, when working on the EDE draft [RFC8914] we discussed lame > delegations some and actually did not document a particular error code > related to it, as the meaning both uses impro

Re: [DNSOP] Meaning of lame delegation

2023-04-03 Thread Mats Dufberg
Yes, I would consider it to be lame delegation in all three scenarios below of EXAMPLE.NET. There is a delegation (from NET) but there is no possible path to the contents of the EXAMPLE.NET zone. Mats --- Mats Dufberg mats.dufb...@internetstiftelsen.se

Re: [DNSOP] Meaning of lame delegation

2023-04-03 Thread Viktor Dukhovni
On Mon, Apr 03, 2023 at 08:02:16PM +, Wessels, Duane wrote: > I am participating in an SSAC work party where we are writing about > DNS delegations where a delegated name server might be available for > registration, allowing an attacker to participate in the resolution > for the domain. Duri

Re: [DNSOP] Meaning of lame delegation

2023-04-03 Thread George Michaelson
The shortest path out is to avoid use of the term and be explicit about the 3 (false trichotomy: there may be more) cases. If they lack labels, then number the bullet points or paragraphs and refer to them as RSSAC-.A.B.[C|D|E] instances until the name(s) settle. We're unlikely to terminate in a d

Re: [DNSOP] Meaning of lame delegation

2023-04-03 Thread Brian Dickson
(Incorporating but not quoting various other responses in this thread, implicitly, based on the dates they were sent.) On Mon, Apr 3, 2023 at 1:02 PM Wessels, Duane wrote: > Dear DNSOP, > > I am participating in an SSAC work party where we are writing about DNS > delegations where a delegated na

Re: [DNSOP] Meaning of lame delegation

2023-04-03 Thread Viktor Dukhovni
On Mon, Apr 03, 2023 at 05:44:04PM -0400, Viktor Dukhovni wrote: > I believe that the most natural perspective is from the view point of a > resolver attempting to classify a (non?)response to a query sent to an > authoritative server. Another way of thinking about this perspective is that, e.g.,