Weigh RPKI test results in overall score #745
Comments
This would also be in line with the recent mandate for governments to implement RPKI: https://forumstandaardisatie.nl/nieuws/secured-internet-routing-dutch-government-end-2024
@dennisbaaten Could you check if all hosters in our HoF for Hosters are passing the RPKI test? And could you give the hosters in the list a heads-up on this upcoming change?
Did we make a decision on the degree of score impact? The math is quite opaque, but I have a working implementation for web where the total score impact is 87% when a domain fails RPKI validity for web and NS, succeeding all other (scoring) tests including RPKI existence. We can lower the score impact.
Good to see progress on this improvement! RPKI and security.txt often fly under the radar, without any impact on the test scores. Will the impact for a mailserver failing RPKI in the mail test be the same as for a webserver in the web test? If so, what will be the score if the nameservers do support RPKI correctly and other (scoring) tests are also ok? JvB
I noticed there is a wide understanding that a 100%-score on internet.nl means all Dutch government standard requirements are met. This was true before RPKI was made a 'streefbeeldafspraak'. I think this is therefore an important issue, and the fix (PR #1003) should be deployed soon. @mxsasha: do I read 97d1249 correctly that this is a 0 or full score, not like with DNSSEC that RPKI not-found gives some points, right? (I thought it was 100 / number of test blocks, is RPKI the first exception on this or was it already not equally divided in terms of points?) @AZ-DPC-OA-DNR: in general, the total points for a test block are divided by the number of sub tests, for RPKI there are 3 for e-mail, and 2 for web. If 13 points are to be divided, I think it would be 6.5 per sub test in the web test and 4.33 per sub test in the e-mail test.
@bwbroersma Thanks for your explanation & efforts to get related PR #1003 deployed for RPKI. I agree this is essential to improve compliance with security standards on NL government domains, where RPKI is mandatory on all domains (and security.txt for web services). JvB
The score calculation is now documented: https://github.com/internetstandards/Internet.nl/blob/main/documentation/scoring.md This is consistent with what I saw with #1003, though it does mean the impact cannot be changed. The only variation we can make is whether individual subtests are more important than others, e.g. should validity count more than existence. But that applies within the RPKI category only - the impact of "all failed" vs "all success" is fixed. We can change "all existence failed, rest succeeded" vs "all validity failed, rest succeeded" a bit.
Decision: RPKI existence will count for HALF_WEIGHT_POINTS, RPKI validity for FULL_WEIGHT_POINTS.
Content:
This is merged, but content still needs to be updated. That makes this content update a blocker for eventual 1.9.
Note: Make sure to also update content on /faqs/report/.
No description provided.