Re: [DNSOP] [internet-drafts@ietf.org] New Version Notification for draft-hardaker-dnsop-intentionally-temporary-insec-00.txt
Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 25 February 2021 20:04 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/1iNTX-m4rrldjsXtBtt0BEtLA2M>

> On Feb 25, 2021, at 5:13 PM, Ben Schwartz <bemasc@google.com> wrote:
>
> The most interesting informational element, in my view, would be guidance on how to detect buggy implementations that will create this problem. (Set up a test zone and a test resolver and ...?). I think the best practice is probably to migrate to a better implementation before rolling the algorithm.

The sentiment is certainly noble, but it is not infrequently far from the reality imposed by the concrete tools that, for better or worse, are the ones at many users' disposal.

For example, ietf.org is signed manually once a year! This is done via some homebrew combination of scripts. And much as it may be nice to tell them to upgrade to BIND 9.16 and turn on a key management policy that takes care of all the little details automatically,

https://dilbert.com/strip/1995-06-24

there may well be reasons why that may not be in the cards for some time.

So I don't think that just sweeping the problem under the rug is realistic. I think "informational" is a reasonable choice.

--
Viktor.