Re: [dnsext] Design team report on dnssec-bis-updates and CD bit

Samuel Weiler <weiler@watson.org> Mon, 26 July 2010 07:48 UTC

Date: Mon, 26 Jul 2010 03:43:15 -0400
From: Samuel Weiler <weiler@watson.org>
To: Andrew Sullivan <ajs@shinkuro.com>
cc: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Design team report on dnssec-bis-updates and CD bit
In-Reply-To: <20100709142108.GA68527@shinkuro.com>
Message-ID: <alpine.BSF.2.00.1007260330570.56983@fledge.watson.org>
References: <20100709142108.GA68527@shinkuro.com>

<editor hat off>

Colleagues,

Many thanks for putting this report together.  I appreciate the 
clarity.  Your descriptions of model 1 and 2 are complete, as best as 
I can tell.

I prefer "never set" (model 2).  It allows upstream caches to help
out: if the local cache doesn't have a full set of trust anchors,
maybe the upstream can validate answers in a larger part of the
namespace.  Similarly, if there are holes in the secure tree, perhaps
the upstream has trust anchors for zones further down the tree.

I concur with Andrew's statement (on July 10th) about user experience.
One model is best.  I'm happy for it to be a SHOULD; I can easily see
the case where a validator would want to use model 1, perhaps as a
configuration option.

-- Sam