Re: [dnsext] WGLC: draft-ietf-dnsext-dnssec-bis-updates-16
Edward Lewis <Ed.Lewis@neustar.biz> Fri, 20 January 2012 16:55 UTC
Comments.

In 2005 it was too soon to publish, now it is not. And at this point there may be more and more wrinkles in the DNSSEC specs, but we need to get out at least this (first) update.

Some comments:

Pressence has a presence in the document. It shouldn't (the spelling, I mean).

5.9's title is misleading. The content is good, it's about answering from cache in the face of a CD query. But "always doing CD" only applies to elements that will do their own validation.

5.4 could optionally make the point that a validator that expects all signatures to be good and/or all chains to work is vulnerable to malicious insertions of gibberish-based signatures. It's harder to construct a good chain than a false chain.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Vote for the word of the day:
"Papa"razzi - father that constantly takes photos of the baby
Corpureaucracy - The institution of corporate "red tape"
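The failure mode raised in the 5.4 comment above, as an added example that is not part of the original message or of the draft: a policy that requires every signature on an RRset to verify rejects genuine data as soon as one gibberish signature is inserted, while a policy that accepts any one verifying signature does not. Assumptions: HMAC-SHA256 stands in for real DNSSEC public-key signatures, and the names (ZONE_KEYS, validate_all, validate_any), key tags and records are constructed for illustration.

```python
import hashlib
import hmac

# Constructed key store: key tag -> secret. HMAC-SHA256 stands in for the
# public-key signatures real RRSIGs carry, so the example runs offline.
ZONE_KEYS = {12345: b"constructed-zone-key"}

def canonical(rrset):
    """Order-independent byte form of an RRset (simplified, not RFC 4034)."""
    return b"\n".join(sorted(rr.encode() for rr in rrset))

def make_sig(key_tag, rrset):
    """Produce a stand-in RRSIG for rrset under a known key."""
    mac = hmac.new(ZONE_KEYS[key_tag], canonical(rrset), hashlib.sha256)
    return {"key_tag": key_tag, "signature": mac.digest()}

def sig_ok(rrset, sig):
    """True only if the signature verifies under a key we hold."""
    key = ZONE_KEYS.get(sig["key_tag"])
    if key is None:
        return False
    expected = hmac.new(key, canonical(rrset), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig["signature"])

def validate_all(rrset, sigs):
    """Strict policy: every signature present must verify."""
    return bool(sigs) and all(sig_ok(rrset, s) for s in sigs)

def validate_any(rrset, sigs):
    """Tolerant policy: one verifying signature is sufficient."""
    return any(sig_ok(rrset, s) for s in sigs)

# Constructed sample data.
RRSET = ["www.example. 3600 IN A 192.0.2.1"]
GOOD = make_sig(12345, RRSET)
GIBBERISH = {"key_tag": 12345, "signature": b"\x00" * 32}
UNKNOWN_KEY = {"key_tag": 54321, "signature": b"\xff" * 32}

if __name__ == "__main__":
    mixed = [GIBBERISH, GOOD, UNKNOWN_KEY]
    print("strict, genuine only   :", validate_all(RRSET, [GOOD]))
    print("strict, junk inserted  :", validate_all(RRSET, mixed))
    print("tolerant, junk inserted:", validate_any(RRSET, mixed))
    print("tolerant, junk only    :", validate_any(RRSET, [GIBBERISH]))
```

The tolerant policy still fails closed: junk alone, or a genuine signature over altered records, does not validate.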