Re: [DNSOP] Expiration impending: <draft-jabley-dnssec-trust-anchor-11.txt>
"Paul Hoffman" <paul.hoffman@vpnc.org> Mon, 05 October 2015 20:43 UTC
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B84B21B4FE9 for <dnsop@ietfa.amsl.com>; Mon, 5 Oct 2015 13:43:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.347
X-Spam-Level:
X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s2NRb3ZzUhUo for <dnsop@ietfa.amsl.com>; Mon, 5 Oct 2015 13:43:25 -0700 (PDT)
Received: from hoffman.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE15A1B4FE2 for <dnsop@ietf.org>; Mon, 5 Oct 2015 13:43:17 -0700 (PDT)
Received: from [10.47.60.19] ([207.164.135.98]) (authenticated bits=0) by hoffman.proper.com (8.15.1/8.14.9) with ESMTPSA id t95KhD9H060678 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 5 Oct 2015 13:43:14 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: hoffman.proper.com: Host [207.164.135.98] claimed to be [10.47.60.19]
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: Joe Abley <jabley@hopcount.ca>
Date: Mon, 05 Oct 2015 16:43:14 -0400
Message-ID: <97AFB21E-9233-4753-8F89-A6AC6C6B079B@vpnc.org>
In-Reply-To: <6CE2A233-0CD3-4490-BDDE-A0E82B305F05@hopcount.ca>
References: <20150928114202.823.19868.idtracker@ietfa.amsl.com> <0E4AA958-7740-4602-A3CF-D2E481DBC15E@hopcount.ca> <20150928155325.GA63874@gaon.net> <20150929095301.32c3e6a3@casual> <13F1D87F-1C07-40EB-86B0-564C4109C9B0@virtualized.org> <1973252D-924F-4EF1-A38F-5EC01AD331F6@gmail.com> <FDD04DCC-59C5-41F5-8CAF-1EF31CD65A34@virtualized.org> <63E1E01E-C172-4A0F-B434-F796546BB657@gmail.com> <C4FA9FA6-76E3-4FF3-862B-C5C0DF75C761@kirei.se> <D1C15986-603E-4932-B551-0497638D9849@vpnc.org> <02869F43-87A4-4797-8FD3-276C02DF665D@kirei.se> <EEA946B1-8BF3-4AB7-99D2-4C8CDCCF0EC0@vpnc.org> <F412CE02-C0BA-425E-BBF9-3A40B2B5FEA7@vpnc.org> <9F52E6FC-E503-4E3A-9998-363BF514CC1A@hopcount.ca> <D2C7120E-D13A-4372-8A8D-FE16DDDB5AEA@vpnc.org> <6CE2A233-0CD3-4490-BDDE-A0E82B305F05@hopcount.ca>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
X-Mailer: MailMate (1.9.2r5141)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/2DXqYn2iFwZLIak0MuO-nc-wrL4>
Cc: dnsop WG <dnsop@ietf.org>
Subject: Re: [DNSOP] Expiration impending: <draft-jabley-dnssec-trust-anchor-11.txt>
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Oct 2015 20:43:26 -0000
On 5 Oct 2015, at 16:12, Joe Abley wrote: > Hi Paul, > > On 5 Oct 2015, at 15:35, Paul Hoffman wrote: > >> A document called "DNSSEC Trust Anchor Publication for the Root Zone" >> that says nothing about the most common KSK publication practice, >> that is, by resolver software developers, is woefully incomplete. > > I am confused by that. The KSK maintainer publishes trust anchors for > the root zone. Software developers produce code that consumes those > trust anchors. Perhaps we are missing a shared understanding of the > word "publish" here, but I don't see what common KSK publication > practice you're referring to. Hrm. I'm pretty sure that most people would agree that software is published, and that config comes with that published software. The KSK is often part of that config. Of course "the KSK maintainer publishes trust anchors for the root zone". So do other organizations. It seems like many people who say they want this document published want this document to be how ICANN/IANA publishes the trust anchors. > >> If instead the document is supposed to be about current ICANN >> publication only, then the document should be retitled, given a >> better abstract, and give the actual URLs for the current KSK and >> describe the formats used for the current data. It should not make >> speculation about other URLs nor about other format options. > > I don't understand the comment about the title or the abstract (see > above). Maybe you are thinking that only ICANN can publish the trust anchor? If so, I would certainly disagree. Anyone can publish it, and that's a feature. > I fully agree that the document should use actual URLs for the current > KSK. As far as I can see, all the URLs mentioned in the document are > URLs that work today, and have been stable since 2010. I don't see any > speculation about other URLs. > > Can you explain more fully what problem you see? The URL for retrieving the CSR is <http://data.iana.org/root-anchors/ key-label.csr>, with "key-label" replaced by the key label of the corresponding KSK. The URL for retrieving a signed X.509 certificate is <http:// data.iana.org/root-anchors/key-label.crt>, with "key-label" again replaced as described above. Those are templates, not URLs. ICANN does not publish anything at http://data.iana.org/root-anchors/key-label.csr (unless you consider giving a 404 to be publishing...). Templates are speculative: you can plug in different values that change over time. That is not what ICANN publishes. Yes, you designed it to be a template, but that is not what ICANN publishes. If this document is going to be published by anyone, it should state exactly how ICANN publishes things, not how it might it different future circumstances. >> It should not talk about the publication of possible future KSKs >> because that is not what ICANN is doing now. > > I don't understand that, either. The scheme developed at ICANN in > 2009/2010 was designed to facilitate publication of multiple trust > anchors, specifically to allow future KSK rolls. You're saying we > shouldn't document that because a KSK roll hasn't happened, yet? There is a difference between "how ICANN publishes the KSK" and "how ICANN might publish the KSK". Please pick the one you want so that the WG can decide if that's what they want you to publish. Mixing those two ideas up will not help anyone who is reading the published document. --Paul Hoffman
- [DNSOP] Fwd: Expiration impending: <draft-jabley-… Joe Abley
- Re: [DNSOP] Fwd: Expiration impending: <draft-jab… Shane Kerr
- Re: [DNSOP] Fwd: Expiration impending: <draft-jab… Andras Salamon
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Paul Hoffman
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Joe Abley
- Re: [DNSOP] Fwd: Expiration impending: <draft-jab… Shane Kerr
- Re: [DNSOP] Expiration impending: <draft-jabley-d… David Conrad
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Suzanne Woolf
- Re: [DNSOP] Expiration impending: <draft-jabley-d… David Conrad
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Suzanne Woolf
- Re: [DNSOP] Expiration impending: <draft-jabley-d… David Conrad
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Suzanne Woolf
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Joe Abley
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Jakob Schlyter
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Paul Hoffman
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Jakob Schlyter
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Tim Wicinski
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Paul Hoffman
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Paul Hoffman
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Joe Abley
- Re: [DNSOP] Expiration impending: <draft-jabley-d… George Michaelson
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Joe Abley
- Re: [DNSOP] Expiration impending: <draft-jabley-d… George Michaelson
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Joe Abley
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Richard Lamb
- Re: [DNSOP] Expiration impending: <draft-jabley-d… George Michaelson
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Edward Lewis
- Re: [DNSOP] Expiration impending: <draft-jabley-d… manning
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Paul Hoffman
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Joe Abley
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Paul Hoffman
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Joe Abley
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Paul Hoffman
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Joe Abley
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Suzanne Woolf
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Mark Andrews
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Ralf Weber
- Re: [DNSOP] Expiration impending: <draft-jabley-d… manning
- Re: [DNSOP] Expiration impending: <draft-jabley-d… W.C.A. Wijngaards
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Andrew Sullivan
- Re: [DNSOP] Expiration impending: <draft-jabley-d… David Conrad
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Andrew Sullivan
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Paul Hoffman
- Re: [DNSOP] Expiration impending: <draft-jabley-d… manning
- Re: [DNSOP] Expiration impending: <draft-jabley-d… John Levine
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Suzanne Woolf
- Re: [DNSOP] Expiration impending: <draft-jabley-d… David Conrad
- Re: [DNSOP] Expiration impending: <draft-jabley-d… manning
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Joe Abley
- Re: [DNSOP] Expiration impending: <draft-jabley-d… manning
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Joe Abley
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Andrew Sullivan
- [DNSOP] Pity (was Re: Expiration impending: <draf… Andrew Sullivan
- Re: [DNSOP] Pity (was Re: Expiration impending: <… Paul Vixie
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Suzanne Woolf
- Re: [DNSOP] Pity (was Re: Expiration impending: <… Suzanne Woolf
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Richard Lamb
- Re: [DNSOP] Expiration impending: <draft-jabley-d… Mehmet Akcin