IETF Logo Mail Archive

Re: [DNSOP] Expiration impending: <draft-jabley-dnssec-trust-anchor-11.txt>

Richard Lamb <richard.lamb@icann.org> Sat, 31 October 2015 18:36 UTC

Return-Path: <richard.lamb@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0F481A6F9D for <dnsop@ietfa.amsl.com>; Sat, 31 Oct 2015 11:36:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.431
X-Spam-Level:
X-Spam-Status: No, score=-3.431 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_NEUTRAL=0.779, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id InaVXxlM2R4Z for <dnsop@ietfa.amsl.com>; Sat, 31 Oct 2015 11:36:14 -0700 (PDT)
Received: from out.west.pexch112.icann.org (pfe112-ca-1.pexch112.icann.org [64.78.40.7]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C8071A8943 for <dnsop@ietf.org>; Sat, 31 Oct 2015 11:36:14 -0700 (PDT)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-2.pexch112.icann.org (64.78.40.23) with Microsoft SMTP Server (TLS) id 15.0.1044.25; Sat, 31 Oct 2015 11:36:11 -0700
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1044.021; Sat, 31 Oct 2015 11:36:12 -0700
From: Richard Lamb <richard.lamb@icann.org>
To: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [DNSOP] Expiration impending: <draft-jabley-dnssec-trust-anchor-11.txt>
Thread-Index: AQHQ+uOs5dFmRxFvI0qeZhMj8Aqbjp5Y2ToAgANDioCAAAdjgIABNFYAgAAE+gCAAAaUgIAAAe8AgAADvgCAAAYKgIAAWeMAgAAKVACAAAiBAIAABLiAgAAEfYCAAAFRAIAABgQAgAC7R4CAJ3XHMA==
Date: Sat, 31 Oct 2015 18:36:11 +0000
Message-ID: <245f584f55824d1cb3a804fc84f5eaba@PMBX112-W1-CA-1.PEXCH112.ICANN.ORG>
References: <20150928114202.823.19868.idtracker@ietfa.amsl.com> <20150928155325.GA63874@gaon.net> <20150929095301.32c3e6a3@casual> <13F1D87F-1C07-40EB-86B0-564C4109C9B0@virtualized.org> <1973252D-924F-4EF1-A38F-5EC01AD331F6@gmail.com> <FDD04DCC-59C5-41F5-8CAF-1EF31CD65A34@virtualized.org> <63E1E01E-C172-4A0F-B434-F796546BB657@gmail.com> <C4FA9FA6-76E3-4FF3-862B-C5C0DF75C761@kirei.se> <D1C15986-603E-4932-B551-0497638D9849@vpnc.org> <02869F43-87A4-4797-8FD3-276C02DF665D@kirei.se> <EEA946B1-8BF3-4AB7-99D2-4C8CDCCF0EC0@vpnc.org> <F412CE02-C0BA-425E-BBF9-3A40B2B5FEA7@vpnc.org> <9F52E6FC-E503-4E3A-9998-363BF514CC1A@hopcount.ca> <D2C7120E-D13A-4372-8A8D-FE16DDDB5AEA@vpnc.org> <6CE2A233-0CD3-4490-BDDE-A0E82B305F05@hopcount.ca> <97AFB21E-9233-4753-8F89-A6AC6C6B079B@vpnc.org> <A1B41B27-AFB0-4B42-9F46-AA1D8D5D00F6@hopcount.ca> <D3A29F92-2A24-4CEC-93CF-164BD2497C1E@vpnc.org> <BFB819A9-9C50-4049-A5F0-5054CD86EC94@hopcount.ca> <70FA923D-C067-492E-A1EA-7B88754C2D5B@gmail.com> <56138BDB.60709@nlnetlabs.nl>
In-Reply-To: <56138BDB.60709@nlnetlabs.nl>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.32.234]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/0l4-dpxXEfyWiypIeISzvj8t0cU>
Subject: Re: [DNSOP] Expiration impending: <draft-jabley-dnssec-trust-anchor-11.txt>
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 31 Oct 2015 18:36:15 -0000

Given that there are least three implementations based on this draft in widespread use, IMHO, I believe this draft should move forward as is.  As mentioned below, a stable reference would be useful for implementers like myself. -Rick


-----Original Message-----
From: DNSOP [mailto:dnsop-bounces@ietf.org] On Behalf Of W.C.A. Wijngaards
Sent: Tuesday, October 6, 2015 1:53 AM
To: dnsop@ietf.org
Subject: Re: [DNSOP] Expiration impending: <draft-jabley-dnssec-trust-anchor-11.txt>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

On 05/10/15 23:42, Suzanne Woolf wrote:
> All,
> 
> First, thanks to the engaging on this.
> 
> On Oct 5, 2015, at 5:20 PM, "Joe Abley" <jabley@hopcount.ca>
> wrote:
>> 
>> Perhaps it's time to sit back and wait for others here to express an 
>> opinion.
> 
> I'd like to hear opinions from others in the WG with an operational 
> interest in the DNSSEC root trust anchor.

It documents a procedure we implemented, and a stable reference would be a good thing.

> Does this document meet a need you have? If so, how well does it meet 
> the need, and what would it take (if anything) for the document to 
> meet that need more effectively?

Unbound implements the draft in open source, in its own command-line tool 'unbound-anchor'.  It combines a compiled-in root-anchor, with
RFC5011 rollover and this draft.  At the first start it has failover over from the initial anchor to the next option, and this draft is the fallback.  On subsequent invocations it keeps state, a rolling anchor that it keeps track of.  If RFC5011 tracking fails, it uses this draft to fetch the xml file with the new key.  The tool is organisation-agnostic and can also be configured to perform the same mechanics in another environment (eg. test environments).

Best regards, Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWE4vbAAoJEJ9vHC1+BF+NxPMQAIAmFaUaF6ZKQvzMLZ+yAuDm
66MaTO2i68q6LH3ZHCEl6dXMz3sGL+8RaKCN1IK6EyvXUIoCaulkJdbem4MeFsGk
/w1Bxxfybgao5+pBPd3Ciz6caYfMHrfkqFL7broBsCLNBlfwVUEUPBJpfYQbF8i+
TQaqyGm/oH2VPtFq03HL/o/CJUgbZNQWT1CKdzEEuoyrmyotzXQkfsnXrW79t/hW
tt8Aeq5VSHpBbkSlrq8EYDunhjwQKgJwhx/YUVpqF/JrjO7KDqzO7QabYY4i1h95
LTdcZmrWUfKSPnzN0lD3MSmSvJMMgz18VBXQLO2cHj0QDaDFd9pe0mud0em9gIPz
hLhyWvbxeNasT8CbH5vwJ77p/6xmhMsYT4C2EHtJacPmG9Y4BfUDyo1d0hec0eF5
uLmpbp+TCicd3dHNNcIPWjDcxyCT7lTNOLPS78fSOhdju2khijn9b7RPnTqjtmUV
Wf8IIYnN0fIapymNsiNXqarV3uC8ly7XhnqK+XQ6z7KgArh/OkrFcGiJAcHn1wlr
mSkSKeeGpF8snSlbnMX9+Y9TvBCFrNOP+awzDvKqBnV3yS5Cu2bPottH9Yp/xs96
E36eMwX35WUuh7uOCKR4IswpjChds0jSW75oJ6GYb9ItLfy6ehuGbyUFD2AW130y
SrOmADZfr8SG6aGxUokH
=4snr
-----END PGP SIGNATURE-----

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email