Re: [DNSOP] AD review of draft-ietf-dnsop-multi-provider-dnssec
Shumon Huque <shuque@gmail.com> Mon, 20 January 2020 20:21 UTC
Return-Path: <shuque@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0499120825; Mon, 20 Jan 2020 12:21:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OVTSm-Uk_2FH; Mon, 20 Jan 2020 12:21:53 -0800 (PST)
Received: from mail-oi1-x229.google.com (mail-oi1-x229.google.com [IPv6:2607:f8b0:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21893120828; Mon, 20 Jan 2020 12:21:53 -0800 (PST)
Received: by mail-oi1-x229.google.com with SMTP id z2so505917oih.6; Mon, 20 Jan 2020 12:21:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=tl+KdBO+iFT7GWUkhVITLNgcsnmyXK0wSeIp7fIberQ=; b=bFdXJC8uVtEqW6/fYi2Fnd/t029L7wZ/nqMEiaUQt3o4Xt2FXr+2yV6aiqJH/VYwjI IqWJ1yV9KQbtA4lCE6okOGrMq2kGu7ZugvUiVCW0wMAu/GF+xaEvhmf9eXtKgC1bbmIU x+/EBCeeF9QGNLEg8cKY0pJN729RKSPssP7QSbk/q8AUj8OzRMpu9x1EGkuDA86SOnA3 54NwFKCGftox3PwYwVdm+3YzJMad2twJTYo8xK49JMv+LnkDis9ZCyUnoCbw/bo6x87b 7q7ojP191Pa8eTVLV/XcRw52mwNWtJpEjgBSOI33I24UQwPXqv8wqIDqBfKWsHj6fBDU PehQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=tl+KdBO+iFT7GWUkhVITLNgcsnmyXK0wSeIp7fIberQ=; b=nYTP0USXUVVXDHcj7iwIle++f7EKfe+R/M9riRyUYN1M9rWNnvmA2NqkFifBX9apje 0P/EKxhlOlrozW51Q3QlklUeLMcU3w3KWRHXijO/XSqtqit7NwLnSDYWPAqY0Uibp0zf grcvogfh+vBzA4y1o1jnnQeCTzkmHzILXDjjb8NP435h/f8Vq45yJR3bR9tOkrk+29Dg 9kbs4RH5cimzJBuHmSdYN+Tu7iY/wX0F4GQ9CLjD+W7Ftui2vZfL68Q5yniGGHsSHSlc WOoTpSs80mv83TQjIkMxcZG1d5WN023x66LHV5RWAQG2J1z/75FfKOZ7NzhF9wIMqi2B uk3g==
X-Gm-Message-State: APjAAAUaEVsadJlIDUDkXiCZXV9rQPSx/s68eqvkuReWL2H8T8VL10yg 1spG6pRz3JVZrXewz90ENtv4oqI25/btPLdtWM0=
X-Google-Smtp-Source: APXvYqyRQV1xdukvDDW3Xx3lHX/GV+vXCmf7nYWVH2BftWgFzt3KjhaPdIyngU9vfu0HRk+TQnIMD0CAK6mT4nFG8A4=
X-Received: by 2002:a05:6808:8d0:: with SMTP id k16mr479326oij.68.1579551712331; Mon, 20 Jan 2020 12:21:52 -0800 (PST)
MIME-Version: 1.0
References: <CAHw9_iLFuSbdA2TFS4Qd2dAzDFJyJgfQGY1+T2c2JQZ3WTat_A@mail.gmail.com>
In-Reply-To: <CAHw9_iLFuSbdA2TFS4Qd2dAzDFJyJgfQGY1+T2c2JQZ3WTat_A@mail.gmail.com>
From: Shumon Huque <shuque@gmail.com>
Date: Mon, 20 Jan 2020 15:21:40 -0500
Message-ID: <CAHPuVdUUeLx59B0SrzmFazd_rqUm1kU-ARG-LBEYa4jFQyaH3Q@mail.gmail.com>
To: Warren Kumari <warren@kumari.net>
Cc: draft-ietf-dnsop-multi-provider-dnssec@ietf.org, dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b7ccd4059c980a2c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-PlkiB83_mo5hC_KrjpPXE4-lFc>
Subject: Re: [DNSOP] AD review of draft-ietf-dnsop-multi-provider-dnssec
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jan 2020 20:21:55 -0000
On Sun, Jan 12, 2020 at 9:24 PM Warren Kumari <warren@kumari.net> wrote: > Hi there, > > Firstly, thank you for a well written and easy to understand document. > > I have some comments which I think should be addressed before I start > IETF LC, but they are small enough that if you'd much prefer you can > just address them after during / after LC (if changes are needed), or > during IESG review. > Please let me know LOUDLY which you'd prefer. > Hi Warren, Let's just address them now before IETF LC .. > 1: Section 3: 3. Validating Resolver Behavior > I think it would be very useful to mention that this document doesn't > require any changes to the behavior of validating resolvers > themselves. It might also be worth mentioning somewhere that this is > also largely true for authoritative servers - this isn't really a > protocol change, rather an operational / process set of changes. > Okay, we'll mention this. "largely true for authoritative servers" seems a bit imprecise. We could probably clarify that although there are no changes to behavior/protocol for authoritative servers, there is an operational change to how their DNSKEY/CDS/CDNSKEY record sets are provisioned and managed. 2: " Zone owners will want to deploy a DNS service that responds as > efficiently as possible with validatable answers only, and hence it > is important that the DNSKEY RRset at each provider is maintained > with the active ZSKs of all participating providers." > This is somewhat ambiguous - it sounds like the zone owner may want to > deploy a service that is only efficient with verifiable answers (and > might be inefficient with bogus ones :-)) > Fair enough. I will try to word this better. 3: A question -- "Authenticated Denial Considerations" > Some CDNs and similar do funny things with e.g CNAMEs, or may do > something like generate ACME records or similar. What happens if > provider A creates e.g _acme-challenge.example.com (or www.example.com > IN 600 CNAME some-long-account-number.cdn.net) and doesn't tell > provider B? I understand that the owner names *should* be consistent, > but I think it is worth adding some text here along the lines of "here > be dragons" or similar... > I'm not sure I see the dragons here - can you elaborate? It is the zone owner's responsibility to make sure that all data records (i.e. non DNSSEC metadata) in the zone are created identically on every DNS provider, so I don't think we would expect this situation to occur. That includes ACME challenge records. 4: The document uses one inceanse of RFC2119 language (RECOMMENDED) - > please either drop this, or add the 2119 / 8174 boilerplate. > Ok, I'm inclined to lowercase it, since we don't use 2119/8174 keywords anywhere else in this document. > > Again, I'm willing to start IETF LC, or wait till you've posted a new > version, but please let me know. > W Will work on a revision (but please elaborate on 3). Shumon.
- [DNSOP] AD review of draft-ietf-dnsop-multi-provi… Warren Kumari
- Re: [DNSOP] AD review of draft-ietf-dnsop-multi-p… Warren Kumari
- Re: [DNSOP] AD review of draft-ietf-dnsop-multi-p… Shumon Huque
- Re: [DNSOP] AD review of draft-ietf-dnsop-multi-p… Warren Kumari
- Re: [DNSOP] AD review of draft-ietf-dnsop-multi-p… Shumon Huque
- Re: [DNSOP] AD review of draft-ietf-dnsop-multi-p… Shumon Huque
- Re: [DNSOP] AD review of draft-ietf-dnsop-multi-p… Steve Crocker
- Re: [DNSOP] AD review of draft-ietf-dnsop-multi-p… Frederico A C Neves
- Re: [DNSOP] AD review of draft-ietf-dnsop-multi-p… Matthijs Mekking
- Re: [DNSOP] AD review of draft-ietf-dnsop-multi-p… Tony Finch
- Re: [DNSOP] AD review of draft-ietf-dnsop-multi-p… Matthijs Mekking
- Re: [DNSOP] AD review of draft-ietf-dnsop-multi-p… Shumon Huque
- Re: [DNSOP] AD review of draft-ietf-dnsop-multi-p… Shumon Huque
- Re: [DNSOP] AD review of draft-ietf-dnsop-multi-p… Shumon Huque
- Re: [DNSOP] AD review of draft-ietf-dnsop-multi-p… Warren Kumari