[dns-operations] 10% was Re: .mm ....

Matthäus Wander matthaeus.wander at uni-due.de
Sat Jan 19 20:28:25 UTC 2013


* Joe Abley [2013-01-19 03:31]:
> I'll assume (since I didn't see the original mail) that the proposal is to make validators tolerant by 10%, rather than to change anything on the authority server or on the signers. (If you want to extend the validity of a signature by 10% when you sign the zone you can already do that just by changing the parameters used by your signer.)
> 
> If the idea is "I'll tolerate an expired signature for 10% of the original validity period" (I didn't see the original mail) then you're just trading a failure today for a failure today + T. I don't think there's much practical difference between those outcomes. I don't see the point of the change.
> 
> If the idea is "I'll tolerate an expired signature for 10% of the original validity period and use that extra time to shout loudly about the fact that there is a failure" then I'd suggest just setting your monitoring systems to start the loud klaxons when you only have 10% validity remaining, and avoid the change too.

I think it's more like "I'll tolerate an expired signature for 10% of
the original validity period and use that extra time to let other people
notice and fix it".
Assuming that 1) the majority of validators do *not* tolerate expired
signatures and 2) most DNSSEC failures are fixed within that 10%, it is
a way to trade off reliability vs. security.

In this specific case it didn't really work out:
$ dig dnskey mm @unbound.odvr.dns-oarc.net
[...]
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11736
[...]

> I don't see much good, here.
> 
> I think the main things that are missing from the world are:
> 
>  - a pragmatic approach to setting signature validity periods in signers, mindful of operational considerations
> 
>  - people monitoring their own zones and getting early warnings when signer policy appears not to be reflected in the DNS

Sure.
But keep in mind that's not under the control of the resolver operators.
It's not cool to be one of the few resolvers suffering from DNSSEC
configuration errors that other people caused, while all the
non-validating resolvers seem to work fine. The security benefit is
hardly noticed by users outside of the DNS community as long as
applications are not showing green DNSSEC icons or other gizmos.

Regards,
Matt

-- 
Universität Duisburg-Essen
Verteilte Systeme
Bismarckstr. 90 / BC 316
47057 Duisburg
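The trade-off discussed in this thread (a validator tolerating an RRSIG for 10% of its validity period past expiration, versus an operator's monitoring alarming when only 10% remains), as an added example that is not part of the original post or of any named resolver's code. Timestamps follow the RFC 4034 RRSIG format; the owner names and signature windows below are constructed.

```python
from datetime import datetime, timezone
from typing import Optional

# RRSIG inception/expiration are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2).
def parse_rrsig_time(field: str) -> datetime:
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def classify_signature(inception: str, expiration: str,
                       now: Optional[datetime] = None, tolerance: float = 0.10) -> str:
    """State of an RRSIG at time `now`, with a grace window of `tolerance`
    times the signed validity period (10% in this thread).

    'valid'            inside the window with more than the grace remaining
    'expiring-soon'    inside the window, grace or less remaining: the point
                       where the operator's own monitoring should already alarm
    'expired-in-grace' past expiration by at most the grace: the only case
                       where a 10%-tolerant validator behaves differently
    'expired'          past expiration by more than the grace
    'not-yet-valid'    before inception
    """
    inc, exp = parse_rrsig_time(inception), parse_rrsig_time(expiration)
    if exp <= inc:
        raise ValueError("RRSIG expiration must be after inception")
    now = now or datetime.now(timezone.utc)
    grace = (exp - inc) * tolerance          # timedelta scaled by the tolerance
    if now < inc:
        return "not-yet-valid"
    if now <= exp:
        return "expiring-soon" if exp - now <= grace else "valid"
    return "expired-in-grace" if now - exp <= grace else "expired"

def monitor(rrsigs, now: datetime, tolerance: float = 0.10) -> dict:
    """Owner name -> state for every RRSIG that is not plainly 'valid',
    i.e. everything a zone operator's monitoring should be flagging."""
    report = {}
    for owner, inception, expiration in rrsigs:
        state = classify_signature(inception, expiration, now, tolerance)
        if state != "valid":
            report[owner] = state
    return report

# Constructed sample: 30-day signatures, so the 10% grace is 3 days.
SAMPLE_RRSIGS = [
    ("fresh.example.",  "20130101000000", "20130131000000"),
    ("ending.example.", "20121223000000", "20130122000000"),
    ("lapsed.example.", "20121220000000", "20130119000000"),
    ("dead.example.",   "20121201000000", "20121231000000"),
]

if __name__ == "__main__":
    for owner, state in monitor(SAMPLE_RRSIGS, parse_rrsig_time("20130120000000")).items():
        print(f"{owner:16} {state}")
```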
