Re: [dnsdir] [DNSOP] Dnsdir early review of draft-ietf-dnsop-dnssec-validator-requirements-01
Daniel Migault <mglt.ietf@gmail.com> Fri, 25 November 2022 18:33 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: dnsdir@ietfa.amsl.com
Delivered-To: dnsdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD266C14F6EC; Fri, 25 Nov 2022 10:33:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b5nkLI7y6BcR; Fri, 25 Nov 2022 10:33:34 -0800 (PST)
Received: from mail-oa1-x2a.google.com (mail-oa1-x2a.google.com [IPv6:2001:4860:4864:20::2a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BCD7C14EB1C; Fri, 25 Nov 2022 10:33:31 -0800 (PST)
Received: by mail-oa1-x2a.google.com with SMTP id 586e51a60fabf-13bd2aea61bso6119379fac.0; Fri, 25 Nov 2022 10:33:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=3p3hTgsvlIdV8JrrkK5mq2vjSKqsy75NJATo8yqwVds=; b=ksF2U7Rc3Ja+SKawl1EbUdEa1Ni5pPp5+6jl7Zn0+cxKuTUr/dGfM/iPktTD6io28H bn1xo6XoOzKX0y3qGDFWs+1vHMiYTNkO40FRThISKI41CJMDdEI5fexCyxb+U/GXEfzl NDagftW7G2ZBRrgAwRGRjUwRYKCKEfMQiCCtzEeKnsux4ihTU+CkICn2gGP0GB4Q9MtL GdEqtw6nWraW90SoAUOQ7iHghdPEn9Nco4H4p5A1s4vQnQIjnBiFC1+8Ukvq5kSqnMHQ ZjckAdm8NaVfVWp/2WHQ4Hz4FHwexueTZ01n/Ek0uv/CpZdF10t/xj85pFGlWT57rgC4 DcmQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=3p3hTgsvlIdV8JrrkK5mq2vjSKqsy75NJATo8yqwVds=; b=fwDqCbaZv2ssOn1ARLUSGCnXUQV9WzW12fGHCq3zATkPf+ihD0Lkm3JQW3+r8D41jr YCFAvKDKyBaUyD09+Oi/HtmPB8pjN/alFnXsV/HZTFa42ROh9DLZ1kIzngyjIl/Lc24g 3Cf2IMbfrAkxTNYhFUwldhYcx5OyAAsE2jFFsyH/+7035rNtX7LJ/4faqrCAkEIonvIP y9O5E1YQVegb8dxNsTqGh+g858wWRh4hajJaVA+TX+GdJb7YEdj7ilMGBfOkzZ0Qq6J8 u7RCAKYVHzLTWyRuXGJjPzqMWsfKzKrvHXC5ToKk5PTLtG5dWnlB99ZOZo1/GNyBOkLX rONA==
X-Gm-Message-State: ANoB5plCwSMMDszCV+XZBa4t5plbt0E4FIq27pItzOBPJBJbGLXUW1CN 1dlh0Tm9VhFR0Wpx1GWw9hVHvVRdyomMix0fw/NNaCtMPck=
X-Google-Smtp-Source: AA0mqf509uP7GgjORZML/L4WwFBQ++BGfEN0ipYp8ltYfaMI0oo/vzE2qJA/hp8/Vq7s/6lAHrJZnXmppISikE6r99Y=
X-Received: by 2002:a05:6870:591:b0:13b:bbbb:1623 with SMTP id m17-20020a056870059100b0013bbbbb1623mr14696230oap.115.1669401209341; Fri, 25 Nov 2022 10:33:29 -0800 (PST)
MIME-Version: 1.0
References: <166927364007.46969.10243749372224772919@ietfa.amsl.com>
In-Reply-To: <166927364007.46969.10243749372224772919@ietfa.amsl.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Fri, 25 Nov 2022 13:33:17 -0500
Message-ID: <CADZyTk=YGdpZgqjgA9rUe9fDxdF66b1oTzAjJwOTdfjp9471LA@mail.gmail.com>
To: James Gannon <james@policywonk.xyz>
Cc: dnsdir@ietf.org, dnsop@ietf.org, draft-ietf-dnsop-dnssec-validator-requirements.all@ietf.org
Content-Type: multipart/alternative; boundary="000000000000120cf905ee4fc206"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsdir/SW-4azBWjzbaAJkh4L_Z83SwCeo>
Subject: Re: [dnsdir] [DNSOP] Dnsdir early review of draft-ietf-dnsop-dnssec-validator-requirements-01
X-BeenThere: dnsdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DNS Directorate <dnsdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsdir>, <mailto:dnsdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsdir/>
List-Post: <mailto:dnsdir@ietf.org>
List-Help: <mailto:dnsdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsdir>, <mailto:dnsdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Nov 2022 18:33:37 -0000
Hi James, Thanks for the review. Please see inline my responses as well as the changes below: https://github.com/mglt/draft-mglt-dnsop-dnssec-validator-requirements/commit/074ff71844b076b6e83ba8e0134a224b5f5617f9 Yours, Daniel On Thu, Nov 24, 2022 at 2:07 AM James Gannon via Datatracker < noreply@ietf.org> wrote: > Reviewer: James Gannon > Review result: On the Right Track > > Reviewer: James Gannon > Review Result: On the right track > > As this is an early review (And also my first ietf review so please feel > free > to offer feedback on its usefulness!) its a mix of general comments and > some > more detailed comments on sections that from a non-DRO operator perspective > dont seem to be overly logical. > > - The recommendations do not come with the same level of requirements > and > some are likely to be required. Other are optional and may be > followed by more advanced DROs. > > Suggestion to tighten up the language in this paragraph, if the authors > wish to > assign priority to the reccomendations then they should do so, however if > it is > up to the implementer to determine the applicability then state so clearly. > That is an interesting comment. In one part SHOULD / MUST are expected to provide some sort of priority. We could eventually as I think you are suggesting have our own way to prioritize the recommendations, but I am not sure we will be able to make it, so I am inclined to prefer staying with the maybe large categories created by SHOULD/MUST and let the operational team to select what is appropriated to them according to their deployments and policies. I propose to add the following sentence: It is up to the DRO to determine their applicability I think this addresses your concern. > - When these devices are re-plugged the initial time is set to January > 1 > 1970. > > As this is not universally true it is not valuable or required context and > should be considered for removal. > I think it describes pretty well what the problem is, so I think it might be preferred to indicate it as an example. I propose the following lines: With Raspberry Pi for example, when these devices are re-plugged their time is res et to some initial values like (January 1, 1970 for example) until they get re syn chronized via NTP. > -Because of this, it is recommended that implementations make the root > zone trust anchor obvious to the operator while still enabling > configuration of general trust points. > > If this is considered a RECCOMENDATION as per the document please use > consistent langugage and categorise it as with the other recs > > Current recommendations for DRO mostly describe how to handle the TA, but do not provide some recommendations regarding which TA should be trusted. I do see a slight difference between recommending how to operate the set of TA and recommending what should be trusted. The recommendation in question is also more addressed to implementers as DRO. As result, I agree that the use of normative language may be considered, but we probably do not want to issue a specific DRO recommendation. I propose to replace s/recommended/RECOMMENDED/. I hope this addresses your concern. -7.1.3. Configuration Generation > > The generation of a configuration file associated to the TA is > expected to be implementation independent. The necessity of tweaking > the data depending of the software implementer or eventually the > software version introduces a vector for configuration errors. > > No action for a DRO is associated with this section. Consider need of > section > or move to a general considerations section? > > Configuration Generation and DNSSEC Resolver Instantiation could be merged but I do think that it increases clarity of the purpose to have different sections. > Overall comment: The document is quite verbose and "wordy" I would suggest > for > a reccomendations document that the content is slimmed down to direct > reccomendations and any required context for implementors, rather than > extensive supporting information and general context > > The document is intended to be read to non DNSSEC experts and we believe the context being provided will be helpful to the target audience especially to help them balance the various trade-off. Overall comment: Considering that there are no actual requirements in the > draft > consider retitling it from -requirements to -reccomendations. > > Correct. There was only one word that has been changed. The name of the file cannot be changed, but I agree it would have been more appropriate. Initially we were targeting some requirements for implementations, and latter changed to recommendations for DRO which was what we are aiming at. > Overall comment: For the document to be valuable its critical that these > reccomendations are actually aligned with the needs and practices of DROs, > has > their input been considered in the drafting of these reccomendations. > > yes. We started this document as I was working for an ISP. Currently we are providing such guidance so MNO can deploy DNSSEC for some of our products. > Overall comment: I would suggest also requesting a review from a current > DRO > operator to gain some domain specific feedback that may catch some > operational > concerns that I may have overlooked. > We did have such reviews - of course more such reviews are welcome. I can only agree with you. > > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop > -- Daniel Migault Ericsson
- [dnsdir] Dnsdir early review of draft-ietf-dnsop-… James Gannon via Datatracker
- Re: [dnsdir] [DNSOP] Dnsdir early review of draft… Daniel Migault