Re: [dnsext] [Editorial Errata Reported] RFC6840 (4191)
Edward Lewis <edward.lewis@icann.org> Tue, 02 December 2014 18:13 UTC
From: Edward Lewis <edward.lewis@icann.org>
To: Donald Eastlake <d3e3e3@gmail.com>, RFC Errata System <rfc-editor@rfc-editor.org>
Date: Tue, 02 Dec 2014 18:11:45 +0000
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsext/sNWmFOrjBKJWYjWs88qabtX_ubM
Cc: Brian Haberman <brian@innovationslab.net>, IETF DNSEXT WG <dnsext@ietf.org>, Ted Lemon <ted.lemon@nominum.com>, Ólafur Guðmundsson <ogud@ogud.com>

That may be - but there’s currently yet another call for a SIG(AXFR), which to me is “signing the zone.” When I was reading the RFC (just to catch up) that was in the back of my mind.

FWIW, I have corrected anyone who says they ‘sign the zone’. Partly because that is not what is done in much of today’s operations - most of the signing is incremental (a few sets at a time). Implementations that assume they can do batch-style signing of zones never survive the testing phase (never the load test).

On 12/2/14, 12:10, "Donald Eastlake" <d3e3e3@gmail.com> wrote:

>While the new text is OK, I do not think the old text is wrong.
>"signing a zone" is a well known term of art for signing the
>authoritative RRsets in the zone.
>
>Thanks,
>Donald
>=============================
> Donald E. Eastlake 3rd +1-508-333-2270 (cell)
> 155 Beaver Street, Milford, MA 01757 USA
> d3e3e3@gmail.com
>
>
>On Tue, Dec 2, 2014 at 11:36 AM, RFC Errata System
><rfc-editor@rfc-editor.org> wrote:
>> The following errata report has been submitted for RFC6840,
>> "Clarifications and Implementation Notes for DNS Security (DNSSEC)".
>>
>> --------------------------------------
>> You may review the report below and at:
>> http://www.rfc-editor.org/errata_search.php?rfc=6840&eid=4191
>>
>> --------------------------------------
>> Type: Editorial
>> Reported by: Edward Lewis <edward.lewis@icann.org>
>>
>> Section: 5.11
>>
>> Original Text
>> -------------
>> ...
>>
>> A signed zone MUST include a DNSKEY for each algorithm present in
>> the zone's DS RRset and expected trust anchors for the zone. The
>> zone MUST also be signed with each algorithm (though not each key)
>> present in the DNSKEY RRset.
>>
>> Corrected Text
>> --------------
>> A signed zone MUST include a DNSKEY for each algorithm present in
>> the zone's DS RRset and expected trust anchors for the zone. Each
>> authoritative RRset in the zone MUST be signed with each
>> algorithm (though not each key) present in the DNSKEY RRset.
>>
>> Notes
>> -----
>> Zones aren't signed (per se), the data sets within them are. But not
>> cut point (NS) and glue.
>>
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". If necessary, please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party (IESG)
>> can log in to change the status and edit the report, if necessary.
>>
>> --------------------------------------
>> RFC6840 (draft-ietf-dnsext-dnssec-bis-updates-20)
>> --------------------------------------
>> Title : Clarifications and Implementation Notes for DNS
>> Security (DNSSEC)
>> Publication Date : February 2013
>> Author(s) : S. Weiler, Ed., D. Blacka, Ed.
>> Category : PROPOSED STANDARD
>> Source : DNS Extensions
>> Area : Internet
>> Stream : IETF
>> Verifying Party : IESG
>>
>> _______________________________________________
>> dnsext mailing list
>> dnsext@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsext
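
The rule quoted in the erratum (every authoritative RRset carries a signature for each algorithm in the DNSKEY RRset, with cut-point NS and glue excluded) can be checked mechanically. The sketch below is an added example, not part of the original message or of any DNS implementation; the zone data, record layout and function names are constructed for illustration, and it checks only that an RRSIG with the right algorithm number is present, not that the signature validates.

```python
from collections import defaultdict

APEX = "example."
# Constructed sample zone: (owner, type, algorithm, covered type).
# Algorithm is set for DNSKEY and RRSIG rows, covered type for RRSIG rows only.
ZONE = [
    (APEX, "SOA", None, None), (APEX, "NS", None, None),
    (APEX, "DNSKEY", 8, None), (APEX, "DNSKEY", 13, None),
    ("www.example.", "A", None, None),
    ("child.example.", "NS", None, None),      # cut point
    ("child.example.", "DS", None, None),
    ("ns.child.example.", "A", None, None),    # glue
]
for owner, covered in [(APEX, "SOA"), (APEX, "NS"), (APEX, "DNSKEY"),
                       ("child.example.", "DS")]:
    ZONE += [(owner, "RRSIG", 8, covered), (owner, "RRSIG", 13, covered)]
ZONE.append(("www.example.", "RRSIG", 8, "A"))  # algorithm 13 signature missing


def authoritative_rrsets(zone, apex):
    """Return the (owner, type) pairs the zone is authoritative for."""
    cuts = {o for o, t, _, _ in zone if t == "NS" and o != apex}
    rrsets = set()
    for owner, rtype, _, _ in zone:
        if rtype == "RRSIG":
            continue
        if any(owner.endswith("." + c) for c in cuts):
            continue                      # below a cut: glue
        if owner in cuts and rtype not in ("DS", "NSEC"):
            continue                      # cut-point NS is not authoritative
        rrsets.add((owner, rtype))
    return rrsets


def missing_signatures(zone, apex):
    """List (owner, type, algorithm) where an authoritative RRset lacks an
    RRSIG made with an algorithm present in the apex DNSKEY RRset."""
    algs = {a for o, t, a, _ in zone if t == "DNSKEY" and o == apex}
    signed = defaultdict(set)
    for owner, rtype, alg, covered in zone:
        if rtype == "RRSIG":
            signed[(owner, covered)].add(alg)
    return sorted((o, t, a) for o, t in authoritative_rrsets(zone, apex)
                  for a in algs - signed[(o, t)])


if __name__ == "__main__":
    for owner, rtype, alg in missing_signatures(ZONE, APEX):
        print(f"{owner} {rtype}: no RRSIG with algorithm {alg}")
```

Because the check works per RRset, it fits the incremental signing described in the message: it can be run over only the sets that changed.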