Commit

Add/discuss on-demand triggers (notifications)
peterthomassen committed Jan 19, 2024
1 parent 2b5e256 commit 1059c57
Showing 3 changed files with 119 additions and 98 deletions.
36 changes: 23 additions & 13 deletions draft-ietf-dnsop-dnssec-bootstrapping-07.html
@@ -1773,36 +1773,45 @@ <h3 id="name-triggers">
Child;<a href="#section-4.3-2.1.1" class="pilcrow"></a></p>
</li>
<li class="normal" id="section-4.3-2.2">
<p id="section-4.3-2.2.1">The Parental Agent encounters a Signaling Record during a proactive,
opportunistic scan (e.g. daily queries of Signaling Records for some
or all of its delegations);<a href="#section-4.3-2.2.1" class="pilcrow"></a></p>
<p id="section-4.3-2.2.1">The Parental Agent receives a notification indicating that the Child
wishes to have its CDS/CDNSKEY RRset processed;<a href="#section-4.3-2.2.1" class="pilcrow"></a></p>
</li>
<li class="normal" id="section-4.3-2.3">
<p id="section-4.3-2.3.1">The Parental Agent encounters a Signaling Record during an NSEC walk
or when parsing a Signaling Zone (e.g. when made available via AXFR
by the Child DNS Operator);<a href="#section-4.3-2.3.1" class="pilcrow"></a></p>
<p id="section-4.3-2.3.1">The Parental Agent encounters a Signaling Record during a proactive,
opportunistic scan (e.g. daily queries of Signaling Records for some
or all of its delegations);<a href="#section-4.3-2.3.1" class="pilcrow"></a></p>
</li>
<li class="normal" id="section-4.3-2.4">
<p id="section-4.3-2.4.1">Any other condition as deemed appropriate by local policy.<a href="#section-4.3-2.4.1" class="pilcrow"></a></p>
<p id="section-4.3-2.4.1">The Parental Agent encounters a Signaling Record during an NSEC walk
or when parsing a Signaling Zone (e.g. when made available via AXFR
by the Child DNS Operator);<a href="#section-4.3-2.4.1" class="pilcrow"></a></p>
</li>
<li class="normal" id="section-4.3-2.5">
<p id="section-4.3-2.5.1">Any other condition as deemed appropriate by local policy.<a href="#section-4.3-2.5.1" class="pilcrow"></a></p>
</li>
</ul>
<p id="section-4.3-3">Most types of discovery (such as daily scans of delegations) are based
<p id="section-4.3-3">Timer-based trigger mechanisms (such as scans) exhibit undesirable
properties with respect to processing delay and scaling; on-demand
triggers (like notifications) are preferable. Whenever possible, Child
DNS Operators and Parental Agents are thus encouraged to use them,
reducing both delays and the amount of scanning traffic.<a href="#section-4.3-3" class="pilcrow"></a></p>
<p id="section-4.3-4">Most types of discovery (such as daily scans of delegations) are based
directly on the delegation's NS record set.
In this case, these NS names can be used as is by the bootstrapping
algorithm (<a href="#cds-auth" class="xref">Section 4.2</a>) for querying Signaling Records.<a href="#section-4.3-3" class="pilcrow"></a></p>
<p id="section-4.3-4">Some discovery methods, however, do not imply reliable knowledge of the
algorithm (<a href="#cds-auth" class="xref">Section 4.2</a>) for querying Signaling Records.<a href="#section-4.3-4" class="pilcrow"></a></p>
<p id="section-4.3-5">Some discovery methods, however, do not imply reliable knowledge of the
Child's NS record set.
For example, when discovering Signaling Names by performing an NSEC
walk or zone transfer of a Signaling Zone, the Parental Agent MUST NOT
assume that the nameserver(s) under whose Signaling Domain(s) a
Signaling Name appears is in fact authoritative for the corresponding
Child.<a href="#section-4.3-4" class="pilcrow"></a></p>
<p id="section-4.3-5">In this case (and in other cases alike where some list of
Child.<a href="#section-4.3-5" class="pilcrow"></a></p>
<p id="section-4.3-6">In this case (and in other cases alike where some list of
"bootstrappable domains" is retrieved from elsewhere), the Parental
Agent MUST ascertain that the Child's delegation actually contains the
nameserver hostname seen during discovery, and ensure that Signaling
Record queries are only made against the proper set of nameservers as
listed in the Child's delegation from the Parent.<a href="#section-4.3-5" class="pilcrow"></a></p>
listed in the Child's delegation from the Parent.<a href="#section-4.3-6" class="pilcrow"></a></p>
</section>
</div>
<div id="limitations">
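Review bot: the new trigger at section-4.3-2.2 ("receives a notification indicating that the Child wishes to have its CDS/CDNSKEY RRset processed") is a discovery method that, like the NSEC walk and zone transfer cases, gives the Parental Agent no reliable knowledge of the Child's NS record set, yet the text at section-4.3-5 only names the walk and transfer cases as examples. Consider adding notifications to that example list, or stating at section-4.3-2.2 that the nameserver names used for the Signaling Record queries come from the Child's delegation in the Parent and not from the notification, so that the MUST in section-4.3-6 visibly covers this trigger as well. Inserting the item also renumbers every later anchor in the section (section-4.3-2.3 through section-4.3-6), so existing deep links into the rendered HTML now land on different paragraphs; expected, but worth noting in the change history.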
@@ -2087,6 +2096,7 @@ <h2 id="name-change-history-to-be-remove">
<blockquote id="appendix-A-2">
<p id="appendix-A-2.1">Add Glauca registrar implementation<a href="#appendix-A-2.1" class="pilcrow"></a></p>
<p id="appendix-A-2.2">Editorial changes to Security Considerations<a href="#appendix-A-2.2" class="pilcrow"></a></p>
<p id="appendix-A-2.3">Add/discuss on-demand triggers (notifications)<a href="#appendix-A-2.3" class="pilcrow"></a></p>
</blockquote>
<ul class="normal">
<li class="normal" id="appendix-A-3.1">draft-ietf-dnsop-dnssec-bootstrapping-06<a href="#appendix-A-3.1" class="pilcrow"></a>
170 changes: 85 additions & 85 deletions draft-ietf-dnsop-dnssec-bootstrapping-07.txt
@@ -98,10 +98,10 @@ Table of Contents
4.4. Limitations . . . . . . . . . . . . . . . . . . . . . . . 10
5. Operational Recommendations . . . . . . . . . . . . . . . . . 10
5.1. Child DNS Operator . . . . . . . . . . . . . . . . . . . 10
5.2. Parental Agent . . . . . . . . . . . . . . . . . . . . . 10
5.2. Parental Agent . . . . . . . . . . . . . . . . . . . . . 11
6. Security Considerations . . . . . . . . . . . . . . . . . . . 11
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
8. Implementation Status . . . . . . . . . . . . . . . . . . . . 11
8. Implementation Status . . . . . . . . . . . . . . . . . . . . 12
8.1. Child DNS Operator-side . . . . . . . . . . . . . . . . . 12
8.2. Parental Agent-side . . . . . . . . . . . . . . . . . . . 12
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13
@@ -470,6 +470,9 @@ Internet-Draft dnssec-bootstrapping January 2024
* The Parental Agent receives a new or updated NS record set for a
Child;

* The Parental Agent receives a notification indicating that the
Child wishes to have its CDS/CDNSKEY RRset processed;

* The Parental Agent encounters a Signaling Record during a
proactive, opportunistic scan (e.g. daily queries of Signaling
Records for some or all of its delegations);
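Review bot: the new bullet introduces "a notification" without saying what a notification is, who sends it, or how it reaches the Parental Agent, whereas the neighbouring bullets each name their mechanism (an NS record set update, a scan of Signaling Records, an NSEC walk or AXFR of a Signaling Zone). Either name the mechanism(s) intended here, or add a sentence stating that the notification channel is out of scope for this document and serves only as a trigger, with processing still going through the bootstrapping algorithm of Section 4.2 so that the trigger itself carries no authority.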
@@ -480,11 +483,29 @@ Internet-Draft dnssec-bootstrapping January 2024

* Any other condition as deemed appropriate by local policy.

Timer-based trigger mechanisms (such as scans) exhibit undesirable
properties with respect to processing delay and scaling; on-demand
triggers (like notifications) are preferable. Whenever possible,
Child DNS Operators and Parental Agents are thus encouraged to use
them, reducing both delays and the amount of scanning traffic.

Most types of discovery (such as daily scans of delegations) are
based directly on the delegation's NS record set. In this case,
these NS names can be used as is by the bootstrapping algorithm
(Section 4.2) for querying Signaling Records.








Thomassen & Wisiol Expires 22 July 2024 [Page 9]

Internet-Draft dnssec-bootstrapping January 2024


Some discovery methods, however, do not imply reliable knowledge of
the Child's NS record set. For example, when discovering Signaling
Names by performing an NSEC walk or zone transfer of a Signaling
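Review bot: "exhibit undesirable properties with respect to processing delay and scaling" in the new paragraph is vague; spell out what the scan bullets above imply, namely that the delay until a Signaling Record is picked up is bounded only by the scan interval, and that query volume grows with the number of delegations regardless of how many Children actually have something to signal. The paragraph also leaves out the flip side of on-demand triggers: since the text does not say who may send a notification, a Parental Agent acting on them should expect unsolicited or repeated notifications and bound the Signaling Record queries they cause (per-Child rate limiting, de-duplication of pending triggers). A sentence to that effect would fit either here or in Section 6 (Security Considerations).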
@@ -499,13 +520,6 @@ Internet-Draft dnssec-bootstrapping January 2024
Signaling Record queries are only made against the proper set of
nameservers as listed in the Child's delegation from the Parent.



Thomassen & Wisiol Expires 22 July 2024 [Page 9]

Internet-Draft dnssec-bootstrapping January 2024


4.4. Limitations

As a consequence of Step 3 in Section 4.2, DS bootstrapping does not
@@ -539,6 +553,15 @@ Internet-Draft dnssec-bootstrapping January 2024
activities do not require modifications of the zone containing the
nameserver hostname.





Thomassen & Wisiol Expires 22 July 2024 [Page 10]

Internet-Draft dnssec-bootstrapping January 2024


To keep the size of the Signaling Zones minimal and bulk processing
efficient (such as via zone transfers), Child DNS Operators SHOULD
remove Signaling Records which are found to have been acted upon.
@@ -553,15 +576,6 @@ Internet-Draft dnssec-bootstrapping January 2024
cache does not need to get cleared in between queries pertaining to
different Children.)





Thomassen & Wisiol Expires 22 July 2024 [Page 10]

Internet-Draft dnssec-bootstrapping January 2024


6. Security Considerations

The DNSSEC bootstrapping method introduced in this document is based
@@ -592,6 +606,18 @@ Internet-Draft dnssec-bootstrapping January 2024
Per [RFC8552], IANA is requested to add the following entries to the
"Underscored and Globally Scoped DNS Node Names" registry:








Thomassen & Wisiol Expires 22 July 2024 [Page 11]

Internet-Draft dnssec-bootstrapping January 2024


+---------+------------+-----------------------------------------+
| RR Type | _NODE NAME | Reference |
+---------+------------+-----------------------------------------+
@@ -608,16 +634,6 @@ Internet-Draft dnssec-bootstrapping January 2024
by the community at https://github.com/oskar456/cds-updates
(https://github.com/oskar456/cds-updates).






Thomassen & Wisiol Expires 22 July 2024 [Page 11]

Internet-Draft dnssec-bootstrapping January 2024


8.1. Child DNS Operator-side

* Operator support:
@@ -651,6 +667,13 @@ Internet-Draft dnssec-bootstrapping January 2024

* gTLD:



Thomassen & Wisiol Expires 22 July 2024 [Page 12]

Internet-Draft dnssec-bootstrapping January 2024


- Knipp has implemented consumption of DNSSEC bootstrapping
records in its TANGO and CORE registry systems.

@@ -662,18 +685,6 @@ Internet-Draft dnssec-bootstrapping January 2024

- GoDaddy is working on an implementation.








Thomassen & Wisiol Expires 22 July 2024 [Page 12]

Internet-Draft dnssec-bootstrapping January 2024


* A tool to retrieve and process Signaling Records for bootstrapping
purposes, either directly or via zone walking, is available at
https://github.com/desec-io/dsbootstrap (https://github.com/desec-
@@ -712,6 +723,13 @@ Internet-Draft dnssec-bootstrapping January 2024
Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005,
<https://www.rfc-editor.org/info/rfc4035>.



Thomassen & Wisiol Expires 22 July 2024 [Page 13]

Internet-Draft dnssec-bootstrapping January 2024


[RFC7344] Kumari, W., Gudmundsson, O., and G. Barwood, "Automating
DNSSEC Delegation Trust Maintenance", RFC 7344,
DOI 10.17487/RFC7344, September 2014,
@@ -721,15 +739,6 @@ Internet-Draft dnssec-bootstrapping January 2024
RFC 7477, DOI 10.17487/RFC7477, March 2015,
<https://www.rfc-editor.org/info/rfc7477>.





Thomassen & Wisiol Expires 22 July 2024 [Page 13]

Internet-Draft dnssec-bootstrapping January 2024


[RFC8078] Gudmundsson, O. and P. Wouters, "Managing DS Records from
the Parent via CDS/CDNSKEY", RFC 8078,
DOI 10.17487/RFC8078, March 2017,
@@ -767,6 +776,15 @@ Appendix A. Change History (to be removed before publication)
| Add Glauca registrar implementation
|
| Editorial changes to Security Considerations
|
| Add/discuss on-demand triggers (notifications)



Thomassen & Wisiol Expires 22 July 2024 [Page 14]

Internet-Draft dnssec-bootstrapping January 2024


* draft-ietf-dnsop-dnssec-bootstrapping-06

@@ -778,14 +796,6 @@ Appendix A. Change History (to be removed before publication)

* draft-ietf-dnsop-dnssec-bootstrapping-05




Thomassen & Wisiol Expires 22 July 2024 [Page 14]

Internet-Draft dnssec-bootstrapping January 2024


| Editorial changes

* draft-ietf-dnsop-dnssec-bootstrapping-04
@@ -822,6 +832,16 @@ Internet-Draft dnssec-bootstrapping January 2024
|
| Turn loose Security Considerations points into coherent text.
|





Thomassen & Wisiol Expires 22 July 2024 [Page 15]

Internet-Draft dnssec-bootstrapping January 2024


| Do no longer suggest NSEC-walking Signaling Domains. (It does not
| work well due to the Signaling Type prefix. What's more, it's
| unclear who would do this: Parents know there delegations and can
@@ -834,14 +854,6 @@ Internet-Draft dnssec-bootstrapping January 2024
| Introduced Signaling Type prefix (_dsboot), renamed Signaling Name
| infix from _dsauth to _signal.




Thomassen & Wisiol Expires 22 July 2024 [Page 15]

Internet-Draft dnssec-bootstrapping January 2024


* draft-ietf-dnsop-dnssec-bootstrapping-00

| Editorial changes.
@@ -878,6 +890,14 @@ Internet-Draft dnssec-bootstrapping January 2024
| Add section on Triggers.
|
| Clarified title.



Thomassen & Wisiol Expires 22 July 2024 [Page 16]

Internet-Draft dnssec-bootstrapping January 2024


|
| Improved abstract.
|
@@ -890,14 +910,6 @@ Internet-Draft dnssec-bootstrapping January 2024
| Updated terminology (replace "Bootstrapping" by "Signaling").
|
| Added NSEC recommendation for Bootstrapping Zones.



Thomassen & Wisiol Expires 22 July 2024 [Page 16]

Internet-Draft dnssec-bootstrapping January 2024


|
| Added multi-signer use case.
|
@@ -929,18 +941,6 @@ Authors' Addresses

















