Re: [dns-privacy] [Fwd: [EXT] New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-01.txt]

"Wessels, Duane" <dwessels@verisign.com> Tue, 14 July 2020 22:13 UTC

From: "Wessels, Duane" <dwessels@verisign.com>
To: Peter van Dijk <peter.van.dijk@powerdns.com>
CC: "dns-privacy@ietf.org" <dns-privacy@ietf.org>
Date: Tue, 14 Jul 2020 22:13:53 +0000
Message-ID: <E7A268F1-7DC8-46A7-8F39-4E205ED2B7AF@verisign.com>
References: <159463003055.14524.9899091401351118756@ietfa.amsl.com> <8be56d973ff1757fb6395b5b2abdf90fe73e02ec.camel@powerdns.com>
In-Reply-To: <8be56d973ff1757fb6395b5b2abdf90fe73e02ec.camel@powerdns.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/AU6cOG9kamKndDBuEA-MaDU1szg>

Hi Peter,

While I remain neutral as to whether or not ds-dot-signal-and-pin is a good idea overall, you can count me as one who thinks flags=257 is a bad idea.  I don't think anything in 403[345] says that flags can be interpreted differently depending on the algorithm or on the value of the Zone Signing column.

The document uses the phrase "DNSKEY algorithm" very often but I think you really mean DNS Security Algorithm (or just algorithm).  For example, 

   more than one DS record with DNSKEY algorithm TBD

is better as just

   more than one DS record with algorithm TBD

DW



> On Jul 13, 2020, at 10:16 AM, Peter van Dijk <peter.van.dijk@powerdns.com> wrote:
> 
> Hello,
> 
> please find below revision -01 of our proposal for enabling DoT from
> resolver to authoritative.
> 
> New in this revision:
> 
> * a lot of clarifying text without changing the underlying protocol
> 
> * the DNSKEY flags field is now specified to be 257 instead of 0. We
> know that this goes against the explicit wishes of some of those who
> commented on -00, but we argue in the document that because our algo
> TBD will have 'Zone Signing=N' in the IANA DNSKEY algo registry, the
> flags do not mean 'ZONE' and 'SEP'. The value 257, meanwhile, is
> believed to go down with registries much more easily.
> 
> * we added a 'Design considerations' section that explains how this
> protocol came to be, and why we did not go the TLSA route. You can
> click through to it directly via 
> https://tools.ietf.org/html/draft-vandijk-dprive-ds-dot-signal-and-pin-01#section-9
> 
> Furthermore, we have tried to do a review of this protocol against the
> requirements of the DPRIVE phase 2 document.  You can find this review
> (which might be updated outside of revisions of this draft or the phase
> 2 draft) via 
> https://github.com/PowerDNS/parent-signals-dot/tree/master/draft-vandijk-dprive-ds-dot-signal-and-pin/yardsticks
> 
> We'll be presenting the draft at the IETF108 dprive session.
> 
> Kind regards,
> Manu, Robin & Peter
> 
> -------- Forwarded Message --------
> From: internet-drafts@ietf.org
> To: Robin Geuze <robing@transip.nl>, Peter van Dijk <peter.van.dijk@powerdns.com>, Emmanuel Bretelle <chantra@fb.com>
> Subject: [EXT] New Version Notification for draft-vandijk-dprive-ds-dot-signal-and-pin-01.txt
> Date: Mon, 13 Jul 2020 01:47:10 -0700
> 
> A new version of I-D, draft-vandijk-dprive-ds-dot-signal-and-pin-01.txt
> has been successfully submitted by Peter van Dijk and posted to the
> IETF repository.
> 
> Name:		draft-vandijk-dprive-ds-dot-signal-and-pin
> Revision:	01
> Title:		Signalling Authoritative DoT support in DS records, with key pinning
> Document date:	2020-07-13
> Group:		Individual Submission
> Pages:		14
> URL:            https://www.ietf.org/internet-drafts/draft-vandijk-dprive-ds-dot-signal-and-pin-01.txt
> Status:         https://datatracker.ietf.org/doc/draft-vandijk-dprive-ds-dot-signal-and-pin/
> Htmlized:       https://tools.ietf.org/html/draft-vandijk-dprive-ds-dot-signal-and-pin-01
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-vandijk-dprive-ds-dot-signal-and-pin
> Diff:           https://www.ietf.org/rfcdiff?url2=draft-vandijk-dprive-ds-dot-signal-and-pin-01
> 
> Abstract:
>   This document specifies a way to signal the usage of DoT, and the
>   pinned keys for that DoT usage, in authoritative servers.  This
>   signal lives on the parent side of delegations, in DS records.  To
>   ensure easy deployment, the signal is defined in terms of (C)DNSKEY.
> 
> 
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> The IETF Secretariat
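Worked example, added by the editor and not part of this message, the draft, or any PowerDNS code. The flags=257 question above turns on how a DNSKEY flags field is read and on what ends up in the DS digest, so the script below encodes a DNSKEY RDATA, decodes the flags bit by bit as RFC 4034 s2.1.1 and RFC 5011 s2.1 define them (with no algorithm input, because those definitions have none), derives a DS record per RFC 4034 s5.1.4, and performs the DNSKEY-against-DS match a validator or pinning resolver would do. Assumptions: algorithm number 253 (PRIVATEDNS) stands in for the draft's unassigned "algorithm TBD", and the public key bytes are constructed, not a real key.

```python
# Added example, not code from the draft or the thread. Encodes a DNSKEY RDATA,
# decodes the flags field exactly as RFC 4034 s2.1.1 / RFC 5011 s2.1 define the
# bits, and derives/checks a DS record per RFC 4034 s5.1.4, so the effect of
# flags=257 versus flags=0 on the DS digest and key tag is visible.
# Assumptions: algorithm 253 (PRIVATEDNS) stands in for the draft's unassigned
# "algorithm TBD"; the public key bytes are constructed.
import hashlib
import struct

ZONE_FLAG = 0x0100    # bit 7  (RFC 4034 s2.1.1)
SEP_FLAG = 0x0001     # bit 15 (RFC 4034 s2.1.1)
REVOKE_FLAG = 0x0080  # bit 8  (RFC 5011 s2.1)
DNSKEY_PROTOCOL = 3   # the only valid value (RFC 4034 s2.1.2)
ALG_PRIVATEDNS = 253  # placeholder for "algorithm TBD" (assumption)

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def decode_flags(flags: int) -> dict:
    """Interpret the 16-bit DNSKEY flags field. The algorithm number is
    deliberately not a parameter: RFC 4034 defines the bit meanings
    without reference to it."""
    known = ZONE_FLAG | SEP_FLAG | REVOKE_FLAG
    return {
        "ZONE": bool(flags & ZONE_FLAG),
        "SEP": bool(flags & SEP_FLAG),
        "REVOKE": bool(flags & REVOKE_FLAG),
        "unassigned_bits": flags & ~known & 0xFFFF,
    }


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, DNSKEY_PROTOCOL, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete
    RSA/MD5 algorithm 1, which has its own rule in Appendix B.1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lower-cased labels, each
    length-prefixed, terminated by the root label (RFC 4034 s6.2)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_from_dnskey(owner: str, flags: int, algorithm: int, public_key: bytes,
                   digest_type: int = 2) -> tuple:
    """Derive (key_tag, algorithm, digest_type, digest_hex) from a DNSKEY.
    The digest covers owner name + the whole RDATA, so the flags are in it."""
    rdata = dnskey_rdata(flags, algorithm, public_key)
    h = DIGEST_TYPES[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, h


def dnskey_matches_ds(owner: str, flags: int, algorithm: int, public_key: bytes,
                      ds: tuple) -> bool:
    """The check a validator (or, under the draft, a pinning resolver) does:
    does this DNSKEY hash to the DS published at the parent?"""
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST_TYPES:
        return False  # unknown digest type: no match, never "valid"
    return ds_from_dnskey(owner, flags, algorithm, public_key, dtype) == \
        (tag, alg, dtype, digest.upper())


if __name__ == "__main__":
    key = bytes([1, 2, 3, 4])  # constructed, not a real key
    for flags in (0, 257):
        print(flags, decode_flags(flags),
              ds_from_dnskey("example.com.", flags, ALG_PRIVATEDNS, key))
```

Two things the run makes concrete: a flags-only decoder following RFC 4034 reports ZONE and SEP set for 257 no matter which algorithm number sits next to it, and switching between 0 and 257 changes both the key tag (by 257, since the flags are the first two RDATA octets in the Appendix B sum) and the DS digest, so whichever value the draft settles on is baked into the parent-side record.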