Re: [dnsext] [Editorial Errata Reported] RFC6840 (4191)
Paul Hoffman <paul.hoffman@vpnc.org> Wed, 03 December 2014 16:38 UTC
On Dec 3, 2014, at 12:51 AM, Jelte Jansen <jelte.jansen@sidn.nl> wrote:

> I see a few pros and cons; yes the proposed text is correct and better
> than the original. However, this is not the only place that 'signing the
> zone' is used, and used with the meaning 'signing each authoritative
> RRset within the zone' in the set of RFC4033-4035 (and possibly outside
> of those as well).
>
> But I have had people ask me what 'signing the zone' actually means,
> usually in the context of KSK vs ZSK (and hence, is the DNSKEY set part
> of 'the zone'), not necessarily in the context of algorithm downgrade
> protection.
>
> Then again, RFC4033 actually defines a 'signed zone' as 'A zone whose
> RRsets are signed and ...'. So while signing full zones in AXFRs might
> add confusion here, I do think it is stated correctly as it is.

Just to drive the point home a bit further, since you brought up the definition in RFC 4033:

   Signed Zone: A zone whose RRsets are signed and that contains properly
   constructed DNSKEY, Resource Record Signature (RRSIG), Next Secure (NSEC),
   and (optionally) DS records.

A developer asked me a few years ago "does that mean that all the RRsets are signed? What if just the A records are signed?" That's a valid question given the definition. It is only by reading the rest of the document that you get the feeling (but never the actual statement) that it means *all* of the RRsets in the zone.

--Paul Hoffman
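The "all RRsets" reading discussed above can be made concrete with a coverage check. This is an added example, not code from the thread or from any RFC: it takes a constructed, simplified zone (owner, type, rdata tuples, with RRSIG rdata reduced to the covered type and algorithm number) and reports every authoritative RRset that has no RRSIG at all, and separately those not signed with every algorithm in the apex DNSKEY RRset, which is the downgrade-protection concern Jelte mentions. Delegation NS RRsets and glue are skipped as non-authoritative; NSEC coverage is out of scope.

```python
"""Report authoritative RRsets in a zone that lack RRSIG coverage.

Constructed example zone: 'www.example.' has its A RRset signed with only
one of the two DNSKEY algorithms and its TXT RRset not signed at all, the
"what if just the A records are signed?" case from the message above.
"""
from collections import defaultdict

APEX = "example."
ZONE = [  # (owner, type, rdata); RRSIG rdata = (covered type, algorithm)
    ("example.", "SOA", "ns1.example. hostmaster.example. 1 2 3 4 5"),
    ("example.", "NS", "ns1.example."),
    ("example.", "DNSKEY", 8), ("example.", "DNSKEY", 13),
    ("ns1.example.", "A", "192.0.2.1"),
    ("www.example.", "A", "192.0.2.10"),
    ("www.example.", "TXT", "v=spf1 -all"),
    ("child.example.", "NS", "ns1.child.example."),   # delegation (unsigned)
    ("ns1.child.example.", "A", "192.0.2.53"),        # glue (unsigned)
    ("example.", "RRSIG", ("SOA", 8)), ("example.", "RRSIG", ("SOA", 13)),
    ("example.", "RRSIG", ("NS", 8)), ("example.", "RRSIG", ("NS", 13)),
    ("example.", "RRSIG", ("DNSKEY", 8)), ("example.", "RRSIG", ("DNSKEY", 13)),
    ("ns1.example.", "RRSIG", ("A", 8)), ("ns1.example.", "RRSIG", ("A", 13)),
    ("www.example.", "RRSIG", ("A", 8)),  # algorithm 13 missing -> partial
]

def at_or_below(name, cut):
    return name == cut or name.endswith("." + cut)

def authoritative_rrsets(apex, records):
    """Group records by (owner, type), dropping RRSIGs and non-authoritative data."""
    cuts = {o for o, t, _ in records if t == "NS" and o != apex}
    rrsets = defaultdict(list)
    for owner, rtype, rdata in records:
        if rtype == "RRSIG":
            continue
        if rtype == "NS" and owner != apex:
            continue  # NS at a zone cut belongs to the child (RFC 4035 2.2)
        if rtype in ("A", "AAAA") and any(at_or_below(owner, c) for c in cuts):
            continue  # glue below a delegation is never signed
        rrsets[(owner, rtype)].append(rdata)
    return rrsets

def check_zone(apex, records):
    """Return (RRsets with no RRSIG, RRsets missing at least one DNSKEY algorithm)."""
    rrsets = authoritative_rrsets(apex, records)
    algs = {r for o, t, r in records if t == "DNSKEY" and o == apex}
    sigs = defaultdict(set)
    for owner, rtype, rdata in records:
        if rtype == "RRSIG":
            sigs[(owner, rdata[0])].add(rdata[1])
    unsigned = sorted(k for k in rrsets if not sigs[k])
    partial = sorted(k for k in rrsets if sigs[k] and not algs <= sigs[k])
    return unsigned, partial

if __name__ == "__main__":
    print(check_zone(APEX, ZONE))
```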