Re: [dnsext] [Editorial Errata Reported] RFC6840 (4191)

Edward Lewis <edward.lewis@icann.org> Tue, 02 December 2014 18:13 UTC

From: Edward Lewis <edward.lewis@icann.org>
To: Donald Eastlake <d3e3e3@gmail.com>, RFC Errata System <rfc-editor@rfc-editor.org>
Date: Tue, 02 Dec 2014 18:11:45 +0000
Message-ID: <D0A36905.76E6%edward.lewis@icann.org>
References: <20141202163646.E4BFC18123F@rfc-editor.org> <CAF4+nEFms4V6VOL=QmE=x9q7wZXog6KkDdu71DrmRbD-1vSp0Q@mail.gmail.com>
In-Reply-To: <CAF4+nEFms4V6VOL=QmE=x9q7wZXog6KkDdu71DrmRbD-1vSp0Q@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsext/sNWmFOrjBKJWYjWs88qabtX_ubM
Cc: Brian Haberman <brian@innovationslab.net>, IETF DNSEXT WG <dnsext@ietf.org>, Ted Lemon <ted.lemon@nominum.com>, Ólafur Guðmundsson <ogud@ogud.com>
Subject: Re: [dnsext] [Editorial Errata Reported] RFC6840 (4191)

That may be - but there’s currently yet another call for a SIG(AXFR),
which to me is “signing the zone.”  When I was reading the RFC (just to
catch up) that was in the back of my mind.

FWIW, I have corrected anyone who says they "sign the zone". Partly
because that is not what is done in much of today’s operations - most of
the signing is incremental (a few sets at a time).  Implementations that
assume they can do batch-style signing of zones never survive the testing
phase (never the load test).

On 12/2/14, 12:10, "Donald Eastlake" <d3e3e3@gmail.com> wrote:

>While the new text is OK, I do not think the old text is wrong.
>"signing a zone" is a well known term of art for signing the
>authoritative RRsets in the zone.
>
>Thanks,
>Donald
>=============================
> Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
> 155 Beaver Street, Milford, MA 01757 USA
> d3e3e3@gmail.com
>
>
>On Tue, Dec 2, 2014 at 11:36 AM, RFC Errata System
><rfc-editor@rfc-editor.org> wrote:
>> The following errata report has been submitted for RFC6840,
>> "Clarifications and Implementation Notes for DNS Security (DNSSEC)".
>>
>> --------------------------------------
>> You may review the report below and at:
>> http://www.rfc-editor.org/errata_search.php?rfc=6840&eid=4191
>>
>> --------------------------------------
>> Type: Editorial
>> Reported by: Edward Lewis <edward.lewis@icann.org>
>>
>> Section: 5.11
>>
>> Original Text
>> -------------
>> ...
>>
>> A signed zone MUST include a DNSKEY for each algorithm present in
>>       the zone's DS RRset and expected trust anchors for the zone.  The
>>       zone MUST also be signed with each algorithm (though not each key)
>>       present in the DNSKEY RRset.
>>
>> Corrected Text
>> --------------
>> A signed zone MUST include a DNSKEY for each algorithm present in
>>       the zone's DS RRset and expected trust anchors for the zone.  Each
>>       authoritative RRset in the zone MUST be signed with each
>>       algorithm (though not each key) present in the DNSKEY RRset.
>>
>> Notes
>> -----
>> Zones aren't signed (per se), the data sets within them are.  But not
>> cut point (NS) and glue.
>>
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". If necessary, please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party (IESG)
>> can log in to change the status and edit the report, if necessary.
>>
>> --------------------------------------
>> RFC6840 (draft-ietf-dnsext-dnssec-bis-updates-20)
>> --------------------------------------
>> Title               : Clarifications and Implementation Notes for DNS Security (DNSSEC)
>> Publication Date    : February 2013
>> Author(s)           : S. Weiler, Ed., D. Blacka, Ed.
>> Category            : PROPOSED STANDARD
>> Source              : DNS Extensions
>> Area                : Internet
>> Stream              : IETF
>> Verifying Party     : IESG
>>
>> _______________________________________________
>> dnsext mailing list
>> dnsext@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsext
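As an added example (not part of this thread, of RFC 6840, or of any signer), the following Python check tests the rule exactly as the corrected text of erratum 4191 states it: every authoritative RRset in the zone must carry an RRSIG for each algorithm present in the apex DNSKEY RRset, though not for each key, while the delegation-point NS RRset and glue are exempt because they are not authoritative data. It also checks the first sentence of the section, that a DNSKEY exists for each algorithm in the DS RRset or trust anchors, when those algorithms are supplied. The zone below is a constructed toy representation (owner, type, rdata-dict), not a parsed zone file; the helper names and the `SAMPLE_ZONE` contents are this example's own assumptions.

```python
from collections import defaultdict

APEX = "example."

# Constructed sample zone (not from the thread): (owner, rtype, rdata).
# RRSIG rdata carries the covered type and signing algorithm; DNSKEY and DS
# rdata carry the algorithm. 8 = RSASHA256, 13 = ECDSAP256SHA256.
# Two algorithm-8 keys (KSK flags 257, ZSK flags 256) but only one
# algorithm-8 RRSIG per RRset illustrates "each algorithm, not each key".
SAMPLE_ZONE = [
    ("example.", "SOA", {}),
    ("example.", "NS", {"target": "ns1.example."}),
    ("example.", "DNSKEY", {"algorithm": 8, "flags": 257}),
    ("example.", "DNSKEY", {"algorithm": 8, "flags": 256}),
    ("example.", "DNSKEY", {"algorithm": 13, "flags": 257}),
    ("example.", "RRSIG", {"type_covered": "SOA", "algorithm": 8}),
    ("example.", "RRSIG", {"type_covered": "SOA", "algorithm": 13}),
    ("example.", "RRSIG", {"type_covered": "NS", "algorithm": 8}),
    ("example.", "RRSIG", {"type_covered": "NS", "algorithm": 13}),
    ("example.", "RRSIG", {"type_covered": "DNSKEY", "algorithm": 8}),
    ("example.", "RRSIG", {"type_covered": "DNSKEY", "algorithm": 13}),
    ("www.example.", "A", {"address": "192.0.2.10"}),
    ("www.example.", "RRSIG", {"type_covered": "A", "algorithm": 8}),  # alg 13 missing
    # Delegation to sub.example.: NS at the cut and the glue are not authoritative
    # and carry no RRSIG; the DS RRset at the cut is authoritative and is signed.
    ("sub.example.", "NS", {"target": "ns.sub.example."}),
    ("sub.example.", "DS", {"algorithm": 8}),
    ("sub.example.", "RRSIG", {"type_covered": "DS", "algorithm": 8}),
    ("sub.example.", "RRSIG", {"type_covered": "DS", "algorithm": 13}),
    ("ns.sub.example.", "A", {"address": "192.0.2.53"}),
]


def _is_below(name, ancestor):
    """True if name is strictly below ancestor in the DNS tree."""
    return name != ancestor and name.endswith("." + ancestor)


def dnskey_algorithms(zone, apex=APEX):
    """Set of algorithm numbers present in the apex DNSKEY RRset."""
    return {rd["algorithm"] for o, t, rd in zone if o == apex and t == "DNSKEY"}


def delegation_points(zone, apex=APEX):
    """Owners of non-apex NS RRsets, i.e. the zone cuts."""
    return {o for o, t, _ in zone if t == "NS" and o != apex}


def is_authoritative(owner, rtype, cuts, apex=APEX):
    """RRSIGs are signatures, not data. NS at a cut, glue at the cut and
    anything below a cut are parent-side non-authoritative data and are
    not signed; DS (and NSEC) at the cut remain authoritative."""
    if rtype == "RRSIG":
        return False
    if rtype == "NS" and owner != apex:
        return False
    for cut in cuts:
        if owner == cut and rtype in ("A", "AAAA"):
            return False  # glue at the cut
        if _is_below(owner, cut):
            return False  # out-of-zone data below the cut
    return True


def check_zone(zone, apex=APEX, ds_algorithms=frozenset()):
    """Return a list of violations as (owner, rtype, missing_algorithms).

    A DNSKEY entry means the DS/trust-anchor algorithms are not all covered
    by a DNSKEY; any other entry is an authoritative RRset lacking an RRSIG
    for one or more DNSKEY algorithms.
    """
    violations = []
    key_algs = dnskey_algorithms(zone, apex)
    missing_keys = set(ds_algorithms) - key_algs
    if missing_keys:
        violations.append((apex, "DNSKEY", missing_keys))

    cuts = delegation_points(zone, apex)
    sig_algs = defaultdict(set)   # (owner, type covered) -> signing algorithms
    rrsets = set()                # authoritative (owner, rtype) pairs
    for owner, rtype, rdata in zone:
        if rtype == "RRSIG":
            sig_algs[(owner, rdata["type_covered"])].add(rdata["algorithm"])
        elif is_authoritative(owner, rtype, cuts, apex):
            rrsets.add((owner, rtype))

    for owner, rtype in sorted(rrsets):
        missing = key_algs - sig_algs[(owner, rtype)]
        if missing:
            violations.append((owner, rtype, missing))
    return violations


if __name__ == "__main__":
    for owner, rtype, missing in check_zone(SAMPLE_ZONE, ds_algorithms={8}):
        print(f"{owner} {rtype}: no RRSIG for algorithm(s) {sorted(missing)}")
```

Run against the sample zone, the only finding is `www.example. A`, which is signed with algorithm 8 but not 13; the unsigned `sub.example. NS` and `ns.sub.example. A` glue produce nothing, which is the distinction the erratum's note draws. The check is deliberately per-RRset rather than per-zone, so it works equally well on the incrementally signed zones the reply describes, where "signing the zone" is never one batch operation.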