[DNSOP] Re: Working Group Last Call for draft-ietf-dnsop-rfc7958bis

Ben Schwartz <bemasc@meta.com> Wed, 03 July 2024 14:50 UTC

From: Ben Schwartz <bemasc@meta.com>
To: Tim Wicinski <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>
Thread-Topic: [DNSOP] Working Group Last Call for draft-ietf-dnsop-rfc7958bis
Thread-Index: AQHawmaBJSJAe2XT4kWe6yZD/sDS8LHlKGVt
Date: Wed, 03 Jul 2024 14:50:47 +0000
Message-ID: <SA1PR15MB4370EF76BF8382726844137CB3DD2@SA1PR15MB4370.namprd15.prod.outlook.com>
References: <CADyWQ+EGh2N8tssBRskH=PVXV1e1eON4z=8E1JWPypNUyZVwLg@mail.gmail.com>
In-Reply-To: <CADyWQ+EGh2N8tssBRskH=PVXV1e1eON4z=8E1JWPypNUyZVwLg@mail.gmail.com>
CC: dnsop-chairs <dnsop-chairs@ietf.org>
Subject: [DNSOP] Re: Working Group Last Call for draft-ietf-dnsop-rfc7958bis
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-yAx2z7cKdkiusOZtaBTtnBLYdc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>

I think this document is ready for publication with some nits.

Section 1.1

I like the "assumed and not derived" notion for a "trust anchor", but it's tricky and bears a bit more explanation.  Rather than repeating it in the following sentence, perhaps you could say "the decision to trust this entity is made outside of the system that relies on it".  My point is that "assumed and not derived" requires a certain sort of "horizon" comprising a single "system"; expand the horizon and it is indeed derived.  For example, trust in these DNSKEYs can be derived from the CMS signature, making the ICANN CA the trust anchor, but that process is outside of DNSSEC, so from DNSSEC's perspective the root key is the trust anchor.

Section 3.1

The existence of a protocol called "HTTPS" is controversial in the HTTP world.  I recommend checking with the HTTPBIS chairs or other relevant experts on this point of style.

Section 3.3

This section says "cryptographic assurance for the contents of the trust anchor now comes from the web PKI as described in Section 3.2", but Section 3.2 outlines two ways to verify the contents: an attached signature or TLS.  The TLS case looks like the Web PKI, especially since it is not guaranteed to chain to any particular root CA, but the attached signature does not seem to represent a dependency on the Web PKI.

--Ben Schwartz

________________________________
From: Tim Wicinski <tjw.ietf@gmail.com>
Sent: Wednesday, June 19, 2024 12:32 PM
To: dnsop <dnsop@ietf.org>
Cc: dnsop-chairs <dnsop-chairs@ietf.org>
Subject: [DNSOP] Working Group Last Call for draft-ietf-dnsop-rfc7958bis


All

The authors have updated the document based on some early reviews.  Since this is an update from the original RFC7958, I urge folks to take a look at the diff from the original:


https://author-tools.ietf.org/iddiff?url1=rfc7958&url2=draft-ietf-dnsop-rfc7958bis-02&difftype=--html



This starts a Working Group Last Call for: draft-ietf-dnsop-rfc7958bis
"DNSSEC Trust Anchor Publication for the Root Zone"

The current version of the draft is available here:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc7958bis/

The Current Intended Status of this document is: Informational

Benno will be the document shepherd

Please review the draft and offer relevant comments.

For WGLC, we need positive support and constructive comments; lack of objection is not enough.
So if you think this draft should be published as an RFC, please say so.

If you feel the document is *not* ready for publication, please speak out with your reasons.


This starts a two week Working Group Last Call process, and ends on: July 3rd, 2024

thanks


tim
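The check that sits behind the Section 1.1 and Section 3.3 comments above, as an added example that is not part of this thread or of the draft: once the trust anchor file has been authenticated outside DNSSEC (by the detached CMS signature chaining to the ICANN CA, or by TLS), a resolver operator still has to confirm that the DNSKEY actually seen in the DNS matches a currently valid KeyDigest entry. The code below parses an RFC 7958-style TrustAnchor document, computes the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 Section 5.1.4) for a DNSKEY, applies the validFrom/validUntil window, and reports which entries match. The DNSKEY and the XML are constructed for the example and are not the real root KSK; only the Python standard library is used.

```python
"""Added example, not from the draft or the mailing-list thread: match a DNSKEY
against the KeyDigest entries of an RFC 7958-style trust anchor file."""
import base64
import hashlib
import struct
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Owner name in DNS wire format; the root is a single zero byte."""
    if name in (".", ""):
        return b"\x00"
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA (RFC 4034 s.2.1): 16-bit flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag over the RDATA, as in RFC 4034 Appendix B."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest (RFC 4034 s.5.1.4): hash(owner name wire form || DNSKEY RDATA)."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def parse_trust_anchor(xml_text: str):
    """Return (zone, [KeyDigest dicts]) from an RFC 7958 TrustAnchor document."""
    root = ET.fromstring(xml_text)
    entries = []
    for kd in root.findall("KeyDigest"):
        until = kd.get("validUntil")
        entries.append({
            "id": kd.get("id"),
            "validFrom": datetime.fromisoformat(kd.get("validFrom")),
            "validUntil": datetime.fromisoformat(until) if until else None,
            "KeyTag": int(kd.findtext("KeyTag")),
            "Algorithm": int(kd.findtext("Algorithm")),
            "DigestType": int(kd.findtext("DigestType")),
            "Digest": kd.findtext("Digest").strip().upper(),
        })
    return root.findtext("Zone"), entries


def matching_anchors(xml_text, owner, flags, protocol, algorithm, pubkey_b64, now=None):
    """IDs of KeyDigest entries that are valid at `now` and match the given DNSKEY."""
    now = now or datetime.now(timezone.utc)
    zone, entries = parse_trust_anchor(xml_text)
    if zone != owner:                       # anchor file is for a different zone
        return []
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    tag = key_tag(rdata)
    hits = []
    for e in entries:
        if e["validFrom"] > now or (e["validUntil"] and e["validUntil"] <= now):
            continue                        # outside the published validity window
        if e["KeyTag"] != tag or e["Algorithm"] != algorithm:
            continue                        # cheap pre-filter before hashing
        if e["DigestType"] in DIGEST_ALGS and \
                e["Digest"] == ds_digest(owner, rdata, e["DigestType"]):
            hits.append(e["id"])
    return hits


# --- Constructed sample data (hypothetical; NOT the real root KSK) ------------
SAMPLE_KEY_B64 = "AQIDBA=="   # 4-byte "key", so RDATA = 01 01 03 08 01 02 03 04
SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG = 257, 3, 8
SAMPLE_RDATA = dnskey_rdata(SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG, SAMPLE_KEY_B64)

# Two entries: "Old" has expired and carries a bogus digest; "Live" carries the
# DS digest of the sample key. A real file would be downloaded and verified first.
SAMPLE_XML = f"""<TrustAnchor id="constructed-example" source="constructed">
  <Zone>.</Zone>
  <KeyDigest id="Old" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00">
    <KeyTag>{key_tag(SAMPLE_RDATA)}</KeyTag>
    <Algorithm>8</Algorithm>
    <DigestType>2</DigestType>
    <Digest>{'00' * 32}</Digest>
  </KeyDigest>
  <KeyDigest id="Live" validFrom="2017-02-02T00:00:00+00:00">
    <KeyTag>{key_tag(SAMPLE_RDATA)}</KeyTag>
    <Algorithm>8</Algorithm>
    <DigestType>2</DigestType>
    <Digest>{ds_digest('.', SAMPLE_RDATA, 2)}</Digest>
  </KeyDigest>
</TrustAnchor>
"""

if __name__ == "__main__":
    print("key tag:", key_tag(SAMPLE_RDATA))
    print("matching entries:", matching_anchors(
        SAMPLE_XML, ".", SAMPLE_FLAGS, SAMPLE_PROTO, SAMPLE_ALG, SAMPLE_KEY_B64))
```

Note that this script verifies only the DNSKEY-to-KeyDigest relationship; it assumes the XML was already authenticated by the step the draft places outside DNSSEC (for the detached signature path, something like `openssl cms -verify -inform DER -in root-anchors.p7s -content root-anchors.xml -CAfile <ICANN CA bundle>`, with file names and the CA bundle being the operator's, not values from the draft). That separation is exactly Ben's point in the Section 1.1 comment: from the script's (DNSSEC's) perspective the matched DNSKEY is the trust anchor, even though trust in it was derived one layer up.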