Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-07

Warren Kumari <warren@kumari.net> Fri, 23 March 2018 12:14 UTC

In-Reply-To: <936585F3-9471-40F9-9D11-E9BBAAF90B4A@isc.org>
References: <83786E94-ABCA-43F9-A038-F8F61C93E797@isc.org> <783C0A50-0DC5-4BC6-A105-F19D2BEF98E4@apnic.net> <C771B8F7-E9D4-4CAC-9277-EAE3AC74CC62@isc.org> <CAHw9_iJM4nZyoytk7xgY_OzU9c7BCEpO4O+Jex9g6A58XYREGw@mail.gmail.com> <936585F3-9471-40F9-9D11-E9BBAAF90B4A@isc.org>
From: Warren Kumari <warren@kumari.net>
Date: Fri, 23 Mar 2018 12:13:45 +0000
Message-ID: <CAHw9_i++HAh5ZeOYB2MNHn6sQu2+ixY-aHnHDOGODu0Tq=bKyA@mail.gmail.com>
To: Mark Andrews <marka@isc.org>
Cc: Geoff Huston <gih@apnic.net>, dnsop <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/50LShneWmXatNJEaORJqo45Bydw>
Subject: Re: [DNSOP] draft-ietf-dnsop-kskroll-sentinel-07

On Fri, Mar 23, 2018 at 11:47 AM, Mark Andrews <marka@isc.org> wrote:
>
>> On 23 Mar 2018, at 10:08 pm, Warren Kumari <warren@kumari.net> wrote:
>>
>> On Fri, Mar 23, 2018 at 10:07 AM, Mark Andrews <marka@isc.org> wrote:
>>> Geoff, you are wrong. Titles should tell you what you are about
>>> to read, especially technical documents. There are WAY TOO MANY
>>> RFCs TO READ EVERY ONE OF THEM.
>>
>> ... you lack ambition :-P
>>
>>>
>>> If I had a TA for andrews.wattle.id.au the current title would
>>> indicate that I could test resolvers to see if there is a TA
>>> installed for it.
>>>
>>> The current draft *is not* generic.  It is root TA specific.
>>> That needs to be reflected in the title.
>>>
>>> As for the label it can be used for more than rolling KSKs.
>>> It can be used to see what resolvers are supporting new TA
>>> *when you are not rolling keys*.  The current name reflects
>>> *one* use, not all uses.
>>
>> True, it does reflect one use case, not all -- however, we have
>> already changed the name multiple times and implementers are
>> (understandably) becoming annoyed, and supporting N different labels
>> for the tester is also annoying [0].
>
> As an implementer I say TOUGH!  The job of the working group is to
> put out good specifications not to take short cuts just because
> something has been implemented based on a draft.

... and the job of the authors is to document what the WG wants.

Dear DNSOP,

Please clearly express a preference for:
1: Keeping the current label -- kskroll-sentinel-is-ta-20326.example.com
2: Changing it to the new label -- root-key-sentinal-is-ta-20326.example.com


This is (obviously) a trivial change for us to make (sed
's/kskroll-sentinel-/root-key-sentinal-/g'), but not sure what y'all
would like.

W


> This is the expected
> cost of implementing on a draft.  I’ve re-written plenty of code to
> follow draft changes.
>
> I’ve got code to implement this.  Some corner cases are currently
> undefined. Changing the label name will cause me to have to re-write
> parts of what I have already written.
> I know this but I’m still
> calling for the changes.  Not only will the specific labels change
> but potentially configuration arguments and with that documentation.
>
>> How about a compromise - we update the draft name, but keep the label
>> the same - the only people who likely care about the label are
>> implementers and testers - once someone sees the name they will read
>> the doc and quickly discover how it can be used.
>>
>> W
>>
>>
>>
>>>
>>> Mark
>>>
>>>> On 23 Mar 2018, at 8:21 pm, Geoff Huston <gih@apnic.net> wrote:
>>>>
>>>>
>>>>
>>>>> On 23 Mar 2018, at 12:55 am, Mark Andrews <marka@isc.org> wrote:
>>>>>
>>>>> The title of this document DOES NOT match reality.
>>>>>
>>>>> “A Sentinel for Detecting Trusted Keys in DNSSEC” should be
>>>>> replaced by “A Root Key Trust Anchor Sentinel for DNSSEC”.
>>>>>
>>>>> kskroll-sentinel-<what>-<id> really needs something other
>>>>> than “kskroll” as the first field.  “root-key-sentinal-<what>-<id>”
>>>>> really more clearly matches what it does.
>>>>>
>>>>> Any other changes that follow from these two changes
>>>>>
>>>>
>>>> I personally think this is getting into bike shedding at this point.
>>>>
>>>> The title of the document is an adequate description of the content
>>>> and folk who want to know more should read the document, not guess
>>>> from the title!
>>>>
>>>> The label is a piece of syntactic convenience and is entirely
>>>> arbitrary. We could start an almost infinite discussion thread
>>>> over which label is better, but in the end it's just a label.
>>>>
>>>>
>>>> regards,
>>>>
>>>>   Geoff
>>>>
>>>>
>>>>
>>>
>>> --
>>> Mark Andrews, ISC
>>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>>> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
>>
>>
>>
>> --
>> I don't think the execution is relevant when it was obviously a bad
>> idea in the first place.
>> This is like putting rabid weasels in your pants, and later expressing
>> regret at having chosen those particular rabid weasels and that pair
>> of pants.
>>   ---maf



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf