Re: [DNSOP] Last Call: <draft-ietf-dnsop-negative-trust-anchors-10.txt> (Definition and Use of DNSSEC Negative Trust Anchors) to Informational RFC

Warren Kumari <warren@kumari.net> Tue, 09 June 2015 17:35 UTC

Date: Tue, 09 Jun 2015 13:35:19 -0400
Message-ID: <CAHw9_iJKvdgpgztHxxB7joFWuKFSDQcN=Ysy-uqKPcJXOXKOOg@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
To: Joe Abley <jabley@hopcount.ca>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/1vSpgL8V3ZTtEhYUcnw941l7HBk>
Cc: dnsop <dnsop@ietf.org>, "ietf@ietf.org Disgust" <ietf@ietf.org>, IETF-Announce <ietf-announce@ietf.org>

On Tue, Jun 9, 2015 at 11:29 AM, Joe Abley <jabley@hopcount.ca> wrote:
> On 9 Jun 2015, at 8:58, The IESG wrote:
>
>> The IESG has received a request from the Domain Name System Operations WG
>> (dnsop) to consider the following document:
>> - 'Definition and Use of DNSSEC Negative Trust Anchors'
>> <draft-ietf-dnsop-negative-trust-anchors-10.txt> as Informational RFC
>
> I have read this document. The topic under discussion is a useful one, it is described clearly and well, and I support this document proceeding. I have some minor suggestions for improvement, but nothing substantial.

Whoohoo!


>
> In section 1, the document uses normative-sounding language ("should not") and seems to direct the IANA not to do something. The normative-sounding direction is further extended to all other organisations. I understand the intent here, but the advice seems a little jarring; any IETF document can provide advice and recommendations without enforcement (informational documents arguably more so). Perhaps this could be rephrased to make it clear that the document is providing recommendations about how to implement and manage negative trust anchors rather than laying down the law.


I had a hard time trying to figure out how to address this. I changed:
"Negative Trust Anchors are intended to be temporary, and should not
be distributed by IANA or any other organization outside of the
administrative boundary of the organization locally implementing a
Negative Trust Anchor."
to:
"Negative Trust Anchors are intended to be temporary, and should only
be implemented by the organization requiring a Negative Trust Anchor
(and not distributed by any organizations outside of the
administrative boundary)."

I think that that changes the tone and doesn't sound as prescriptive /
jarring - does this address your concern?
I also skimmed the rest and didn't really find anywhere else to fix.

>
> In section 1.2 the document refers to a "domain administrator", when in the context of DNSSEC I think it means a "zone administrator".
>

Nice. Done. Thanks.

> In section 7 the document refers to "dnscheck", which I understand is no longer being maintained and has been replaced with "zonemaster". See <http://www.zonemaster.fr>, for example.

I replaced dnscheck with zonemaster. Initially I was just going to add
zonemaster (and leave dnscheck there), but seeing as .se is involved
in both projects I decided it was not impolite to remove their older
tool...


New version (with your suggested edits) pushed to github -
https://github.com/wkumari/draft-livingood-dnsop-negative-trust-anchors


Thanks for your comments,
W

>
>
> Joe



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf