IETF Logo Mail Archive

[DNSOP] Re: [Ext] Re: Working Group Last Call for draft-ietf-dnsop-rfc7958bis

Paul Hoffman <paul.hoffman@icann.org> Mon, 08 July 2024 18:36 UTC

Return-Path: <paul.hoffman@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8E4CC22998E for <dnsop@ietfa.amsl.com>; Mon, 8 Jul 2024 11:36:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mK-ryMHXQYrE for <dnsop@ietfa.amsl.com>; Mon, 8 Jul 2024 11:36:32 -0700 (PDT)
Received: from ppa3.lax.icann.org (ppa3.lax.icann.org [192.0.33.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7BEFC06ECAE for <dnsop@ietf.org>; Mon, 8 Jul 2024 11:36:32 -0700 (PDT)
Received: from MBX112-E2-CO-1.pexch112.icann.org (out.mail.icann.org [64.78.33.7]) by ppa3.lax.icann.org (8.18.1.2/8.18.1.2) with ESMTPS id 468IaQKp003961 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 8 Jul 2024 18:36:26 GMT
Received: from MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) by MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.34; Mon, 8 Jul 2024 11:36:25 -0700
Received: from MBX112-W2-CO-1.pexch112.icann.org ([169.254.44.235]) by MBX112-W2-CO-1.pexch112.icann.org ([169.254.44.235]) with mapi id 15.02.1258.034; Mon, 8 Jul 2024 11:36:25 -0700
From: Paul Hoffman <paul.hoffman@icann.org>
To: Peter Thomassen <peter@desec.io>
Thread-Topic: [Ext] [DNSOP] Re: Working Group Last Call for draft-ietf-dnsop-rfc7958bis
Thread-Index: AQHay+H+PHJdJ7/7u0SDW1yqFbDBGrHtoVcAgAADeQCAAAQ+gA==
Date: Mon, 08 Jul 2024 18:36:25 +0000
Message-ID: <5AEC88BA-BAF4-4001-AA7E-B211B6100036@icann.org>
References: <CADyWQ+EGh2N8tssBRskH=PVXV1e1eON4z=8E1JWPypNUyZVwLg@mail.gmail.com> <7c3c263e-7b41-4258-9620-82c44f59eb62@desec.io> <81CE86B9-8237-47B1-8762-DF147660E139@icann.org> <82505b09-c5c9-4afc-879a-0bf07d665c1b@desec.io>
In-Reply-To: <82505b09-c5c9-4afc-879a-0bf07d665c1b@desec.io>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.0.32.234]
x-source-routing-agent: True
Content-Type: text/plain; charset="us-ascii"
Content-ID: <B435EF816046294C8840B09C9756EFC2@pexch112.icann.org>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.28.16 definitions=2024-07-08_09,2024-07-05_01,2024-05-17_01
Message-ID-Hash: G6XYCNMG5A3OQE4MHI6VMBLW4ZSWCYPQ
X-Message-ID-Hash: G6XYCNMG5A3OQE4MHI6VMBLW4ZSWCYPQ
X-MailFrom: paul.hoffman@icann.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: [Ext] Re: Working Group Last Call for draft-ietf-dnsop-rfc7958bis
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3799GNi4JtnRzzY82MFvCO0yYOo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Thanks for the quick responses!

On Jul 8, 2024, at 11:21, Peter Thomassen <peter@desec.io> wrote:
> 
> On 7/8/24 20:08, Paul Hoffman wrote:
>>> OLD
>>>   The Zone element in the TrustAnchor element states to which DNS zone
>>>   this container applies.  The root zone is indicated by a single
>>>   period (.) character without any quotation marks.
>>> 
>>> This is underspecified w.r.t. to format, for labels containing dots.
>>> 
>>> But, the whole document is about the root (it's even in the title), and I wonder why the Zone element is there in the first place.
>>> 
>>> Instead of fixing the Zone element format, why not just drop the whole Zone element?
>> The zone element is there in case someone other than the root operator wants to use the format. Dropping it might cause some current users of the format to fail, so we are leaving it in.
> 
> So it remains underspecified for labels containing dots. (I'm OK with that, just spelling it out.)

It is indeed unspecified, which seems fine because we also haven't seen any strong use case for it.

> 
>>> OLD
>>>   The id attribute in the KeyDigest element is an opaque string that
>>>   identifies the hash.
>>> 
>>> Is the id attribute expected to be unique within the XML file?
> [...]
>> The spec says it is "an opaque string". Your proposal is to extend that and make it unique. This could cause a serious problem in the future if IANA does not change the id string for some reason. We are leaving it as just opaque.
> 
> That's fine. However, the attribute name "id" suggests uniqueness,

Without any definition of uniqueness in the document, it shouldn't. For example, in your earlier message, you suggested a few different ways this could be unique. Without such a definition, a reader can't assume they know what kind of uniqueness to infer.

> because that's how IDs usually work. I suggest something like "opaque (but not necessarily unique)", or renaming it to something else, to prevent this misinterpretation.

Changing the name of an attribute for a widely-used protocol seems incredibly dangerous. Adding "(but not necessarily unique)" doesn't make sense because "opaque" doesn't imply uniqueness.

> 
>>> OLD
>>>   If a system
>>>   retrieving the trust anchors trusts the CA that IANA uses for the
>>>   "data.iana.org" web server, HTTPS SHOULD be used instead of HTTP in
>>>   order to have assurance of data origin.
>>> 
>>> Does this really mean that if I don't trust the CA, then I should be using HTTP?
>> Yes.
>>> How does that make things any better?
>> It does not, but the text doesn't indicate that it makes anything better.
> 
> I wonder then why we need the "if" clause in that sentence. I'd remove it, but I don't feel strongly.

Without the clause, it sounds like the document is telling the reader they SHOULD trust the CA that IANA uses. Given that IANA gets to choose its CA based on its own risk assessment, and even large CAs seem to become untrusted for other reasons, I wouldn't want to do that.

--Paul Hoffman

v2.39.1 | Report a Bug | By Email | System Status