Re: [dnsext] Publication request: draft-ietf-dnsext-dnssec-registry-fixes-07
Thomas Narten <narten@us.ibm.com> Wed, 13 April 2011 23:44 UTC
Return-Path: <narten@us.ibm.com>
X-Original-To: dnsext@ietfc.amsl.com
Delivered-To: dnsext@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id E21F1E0679 for <dnsext@ietfc.amsl.com>; Wed, 13 Apr 2011 16:44:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.864
X-Spam-Level:
X-Spam-Status: No, score=-105.864 tagged_above=-999 required=5 tests=[AWL=0.735, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0cLp+mqo85yv for <dnsext@ietfc.amsl.com>; Wed, 13 Apr 2011 16:44:47 -0700 (PDT)
Received: from e6.ny.us.ibm.com (e6.ny.us.ibm.com [32.97.182.146]) by ietfc.amsl.com (Postfix) with ESMTP id 15056E061E for <dnsext@ietf.org>; Wed, 13 Apr 2011 16:44:47 -0700 (PDT)
Received: from d01dlp02.pok.ibm.com (d01dlp02.pok.ibm.com [9.56.224.85]) by e6.ny.us.ibm.com (8.14.4/8.13.1) with ESMTP id p3DNKVCD003723 for <dnsext@ietf.org>; Wed, 13 Apr 2011 19:20:31 -0400
Received: from d01relay03.pok.ibm.com (d01relay03.pok.ibm.com [9.56.227.235]) by d01dlp02.pok.ibm.com (Postfix) with ESMTP id 3F44E6E8036 for <dnsext@ietf.org>; Wed, 13 Apr 2011 19:44:46 -0400 (EDT)
Received: from d01av03.pok.ibm.com (d01av03.pok.ibm.com [9.56.224.217]) by d01relay03.pok.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id p3DNikLt337924 for <dnsext@ietf.org>; Wed, 13 Apr 2011 19:44:46 -0400
Received: from d01av03.pok.ibm.com (loopback [127.0.0.1]) by d01av03.pok.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id p3DNijUH015799 for <dnsext@ietf.org>; Wed, 13 Apr 2011 20:44:45 -0300
Received: from cichlid.raleigh.ibm.com (sig-9-65-250-36.mts.ibm.com [9.65.250.36]) by d01av03.pok.ibm.com (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP id p3DNii6k015768 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 13 Apr 2011 20:44:45 -0300
Received: from cichlid.raleigh.ibm.com (cichlid.raleigh.ibm.com [127.0.0.1]) by cichlid.raleigh.ibm.com (8.14.4/8.12.5) with ESMTP id p3DNih4v013997; Wed, 13 Apr 2011 19:44:44 -0400
Message-Id: <201104132344.p3DNih4v013997@cichlid.raleigh.ibm.com>
To: Andrew Sullivan <ajs@shinkuro.com>
In-reply-to: <20110413151934.GL24471@shinkuro.com>
References: <20110413151934.GL24471@shinkuro.com>
Comments: In-reply-to Andrew Sullivan <ajs@shinkuro.com> message dated "Wed, 13 Apr 2011 11:19:35 -0400."
Date: Wed, 13 Apr 2011 19:44:43 -0400
From: Thomas Narten <narten@us.ibm.com>
X-Content-Scanned: Fidelis XPS MAILER
Cc: dnsext-ads@tools.ietf.org, dnsext@ietf.org
Subject: Re: [dnsext] Publication request: draft-ietf-dnsext-dnssec-registry-fixes-07
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Apr 2011 23:44:48 -0000
Based on the writeup, and this in particular: > The WG has been talking about this draft for some time. I believe it > has had adequate review, but it is a strange document. It is > basically a process document, and I therefore suspect that the only > time it will get the sort of attention it needs on that front is > during IETF-wide review. It should also be reviewed by IANA. I went and and reviewed the document (for the first time). > The draft uses a novel procedural trick to put something into a > registry that usually isn't in a registry, so I think this will > require careful review by IETF process wonks. I'm wondering if I fully understand the purpose of this document. >From the document's introduction: The original list of algorithm status is found in [RFC4034]. Other DNSSEC documents have added new algorithms or changed the status of algorithms in the registry. However, currently implementers must read through all the documents in order to discover which algorithms are considered wise to implement, which are not, and which algorithms may become widely used in the future. This compliance status indication is only to be considered for implementation, not deployment or operations. Operators are free to deploy any digital signature algorithm available in implementations or algorithms chosen by local security policies. This status is to measure compliance to this RFC only. Is the purpose of this document simply to add a column to the existing registry indicating what the IETF status of all the registered algorithms? Well, actually, not even that. E.g., what the IETF position currently is w.r.t. whether it should be implemented. a) This SHOULD/MUST be implemented, or b) something other than that? If so, I find that an odd thing to put in the registry. I don't know of other IANA registries that do that. Do we have examples? > There are those who have argued that what the document is doing -- > putting "implementation levels" into a registry -- is a bad idea. > This appears to have been a minority position. Well, one issue is that it's not clear that you can capture the proper information in a single column. What is the range of things that can go into this registry status? (The document seems to leave this pretty open, actually.) Let me ask the key question: by what action is the compliance column for a given entry changed/updated? Apparently (from the document): Adding a newly specified algorithm to the registry with a compliance status SHALL entail obsolescing this document and replacing the registry table (with the new algorithm entry). Altering the status column value of any existing algorithm in the registry SHALL entail obsolescing this document and replacing the registry table. This document cannot be updated, only made obsolete and replaced by a successor document. So, to change the status of any entry in the registry, you have to essentially reissue this document with a change? If so, then I don't get it. If you want to be clear about which algorithms the IETF recommends, it seems to me the best way is to issue a short document that says "here are the currently recommended algorithms". E.g., something like RFC 4307. Such a document can have sufficient context to give real guidance. E.g., "this algorithm is being phased out, but you probably still need to implement it for now", etc. And, if there were such a single (clear) document for DNSSEC, I don't immediately see the need for a new column in the IANA registry. Folk should just review the relevant BCP document. Sorry if this has all been discussed before, but I read the document for the first time and didn't pay attention to any of the discussion that led to it. Thomas
- [dnsext] Publication request: draft-ietf-dnsext-d… Andrew Sullivan
- Re: [dnsext] Publication request: draft-ietf-dnse… Thomas Narten
- Re: [dnsext] Publication request: draft-ietf-dnse… Paul Hoffman
- Re: [dnsext] Publication request: draft-ietf-dnse… Thomas Narten
- Re: [dnsext] Publication request: draft-ietf-dnse… Andrew Sullivan
- Re: [dnsext] Publication request: draft-ietf-dnse… Paul Hoffman
- Re: [dnsext] Publication request: draft-ietf-dnse… Thomas Narten
- Re: [dnsext] Publication request: draft-ietf-dnse… Paul Hoffman
- Re: [dnsext] Publication request: draft-ietf-dnse… Joe Abley
- Re: [dnsext] Publication request: draft-ietf-dnse… Andrew Sullivan
- Re: [dnsext] Publication request: draft-ietf-dnse… Edward Lewis