Re: [DNSOP] New Version Notification for draft-pounsett-transferring-automated-dnssec-zones-02.txt
Antoin Verschuren <ietf@antoin.nl> Sun, 13 November 2016 15:06 UTC
Return-Path: <ietf@antoin.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2272D129646 for <dnsop@ietfa.amsl.com>; Sun, 13 Nov 2016 07:06:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.498
X-Spam-Level:
X-Spam-Status: No, score=-3.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-1.497, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=antoin.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t7aeemr3rg-w for <dnsop@ietfa.amsl.com>; Sun, 13 Nov 2016 07:06:17 -0800 (PST)
Received: from walhalla.antoin.nl (walhalla.antoin.nl [88.159.164.218]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0B9A129568 for <dnsop@ietf.org>; Sun, 13 Nov 2016 07:06:16 -0800 (PST)
Received: from [192.168.0.114] (unknown [192.168.0.1]) by walhalla.antoin.nl (Postfix) with ESMTPSA id CE9DC280378; Sun, 13 Nov 2016 16:06:14 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=antoin.nl; s=walhalla; t=1479049574; bh=njS8i8Hgo32BXcGCyxRCUR7TUzHHlWaGeEqikYjNBhw=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=lhwvNrLAmK/WPP50ra5wUakqZ3pgx7GwKOlVfqes4vYvFHqbxQZW3e4m6finvHdaN RM0lPXN8enh7At4bIugLDks5IVdDBu2yE+SiOWRlDMzTY0skGrGAwxUXnIIfZcx05f kE1B85uvWa7+dTQoDmQguEPadgul2XwCiNrgvy0I=
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
Content-Type: multipart/signed; boundary="Apple-Mail=_56D496BA-C4AF-43D8-A9C3-641F5F58500A"; protocol="application/pgp-signature"; micalg="pgp-sha256"
X-Pgp-Agent: GPGMail
From: Antoin Verschuren <ietf@antoin.nl>
In-Reply-To: <CAAiTEH_iusi=CrAZGh+SFuM2T-4Y2j_mMxh_Kk3m5NU4z8uurA@mail.gmail.com>
Date: Sun, 13 Nov 2016 16:05:49 +0100
Message-Id: <747CCD9C-80EE-4A7A-B2B8-7D52184C1987@antoin.nl>
References: <147788457889.20732.6547170129744737547.idtracker@ietfa.amsl.com> <CAAiTEH-O5doOgOH=8VYDDkDaRcSUTzKADpf7AuvnPrqEFG6xjg@mail.gmail.com> <8ACA666F-7964-440D-A19D-084FD363F8A5@antoin.nl> <CAAiTEH_iusi=CrAZGh+SFuM2T-4Y2j_mMxh_Kk3m5NU4z8uurA@mail.gmail.com>
To: Matthew Pounsett <matt@conundrum.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-i255CYZ3jvqqXTMv50JEfhoSn0>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] New Version Notification for draft-pounsett-transferring-automated-dnssec-zones-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Nov 2016 15:06:20 -0000
Op 12 nov. 2016, om 03:14 heeft Matthew Pounsett <matt@conundrum.com> het volgende geschreven: Hi Matt, > I don't actually see the overlap. Although perhaps I'm just missing something. > > draft-pounsett-transferring-automated-dnssec-zones's basic assumptions are that the DNS operators are cooperating, and that the principle requirement for using the procedure is that they must publish the same zone throughout the procedure, which implies an active zone transfer (or an analogue) at every stage. > > It seems to be that these two drafts are attempting to solve different problems. Ok, I do see the differences now, and the overlap. draft-koch-dnsop-dnssec-operator-change describes the proces of synchronizing the minimum number of records needed between a gaining and lozing DNS-operator in order for the DNSSEC chain of trust to remain intact during a zone transition without exchanging private keys. It considers all other records that need to be synchronized for services to remain intact out of scope, as there is no difference in synchronizing them when the transition were to be done without DNSSEC. And in practice most of the time the purpose of a transition is because those records will change after the transition anyway. So it only describes the minimum that needs to be done so either zone data will not become insecure before, during or just after a transition, and how this process can be automated for every domain transition independent if other records change or not. It only prevents the domain from becoming unavailable due to validation errors. Your solution describes the process of keeping a maximum number of records synchronized, -including those records needed for the chain of trust to remain intact-, but also not exchanging private keys, assuming that the services for the domain do not change after the transition. Some records like SOA, NS, signatures and private keys always change during a transition though. So draft-koch-dnsop-dnssec-operator-change is a subset of your draft, only dealing with DNSSEC records, but includes text on how to automate the registration process for those minimum number of records to make it a common practice, and what to do when DNS operators are not cooperating to bail out of that process with as little damage as possible. > I'm brand new to the IPR issue, so these comments probably aren't well thought out. I noted when the IPR claim first appeared on my draft that the same patent application is used in a claim against RFC6781. I had thought that the RFC had gone ahead despite the claim, and therefore it wouldn't be a big problem for my draft, but having a closer look makes me think that IPR claim may have appeared after publication. Verisign claim that they have IPR on the process of changing a dns operator (called Hosting provider in the patent) for a DNSSEC zone while keeping the chain of trust intact. That includes your and our solution as well as any process that describes a transition under DNSSEC including supporting provisioning processes like EPP. They claim in their patent application (so not yet approved): -That they invented this process for the first time in 2011. -That this process is a novelty and not common sense. Since there is prior art from before 2011, and there is sufficient doubt that the process is more common sense for people that understand DNSSEC in stead of a novelty, the patent application has been rejected twice by the European Patent Office. But a patent application is a long-lasting process, and allows for appeal processes to rejections that can take years. During this appeal process it is unclear which (if any) of the claims is ever to be granted, and so no license terms are yet given by Verisign. As RFC 3979 says, it’s hard to give guidance to best current practices if no license terms are known for an IPR claim. That’s why there was hardly support for draft-koch-dnsop-dnssec-operator-change to be adopted by DNSOP 4 years ago, and why there is hesitation in REGEXT to making statements on why the standards track document draft-ietf-eppext-keyrelay should ignore the IPR claim. RFC6781 was already a DNSOP document before the IPR claim was submitted. - -- Antoin Verschuren Tweevoren 6, 5672 SB Nuenen, NL M: +31 6 37682392
- [DNSOP] Fwd: New Version Notification for draft-p… Matthew Pounsett
- Re: [DNSOP] Fwd: New Version Notification for dra… Bob Harold
- Re: [DNSOP] Fwd: New Version Notification for dra… Matthew Pounsett
- Re: [DNSOP] New Version Notification for draft-po… Antoin Verschuren
- Re: [DNSOP] New Version Notification for draft-po… Matthew Pounsett
- Re: [DNSOP] New Version Notification for draft-po… Antoin Verschuren