Re: [DNSOP] The DNSOP WG has placed draft-ogud-dnsop-maintain-ds in state "Candidate for WG Adoption"

[Olafur Gudmundsson <ogud@ogud.com>]

> On Nov 5, 2015, at 9:55 PM, Shane Kerr <shane@time-travellers.org> wrote:
> 
> Dear dnsop working group,
> 
> On Thu, 05 Nov 2015 17:20:18 -0800
> IETF Secretariat <ietf-secretariat-reply@ietf.org> wrote:
> 
>> The DNSOP WG has placed draft-ogud-dnsop-maintain-ds in state 
>> Candidate for WG Adoption (entered by Tim Wicinski)
>> 
>> The document is available at
>> https://datatracker.ietf.org/doc/draft-ogud-dnsop-maintain-ds/
> 
> First, I definitely think that this should be a working group document.
> 
> Second, some comments about the draft (with the hope that it does get
> adopted):
> 
> * I think "all 0" CDS/CDNSKEY indicating desire for deletion is fine.
>  Defining a DNSKEY algorithm that does not actually define a DNSKEY
>  algorithm is a bit weird.
> 
> * Perhaps a paragraph clarifying behavior when there is the "all 0"
>  CDS/CDNSKEY AND another CDS/CDNSKEY record is a good idea?
>  Something like:
> 
>    If any other CDS/CDNSKEY record is present in a zone, then the
>    CDS/CDNSKEY records indicating deletion MUST be ignored.   
> 

Shane, 
good suggestion we will adopt it, maybe with some rewording. 

> * The acceptance criteria for new CDS records seem less like a protocol
>  definition and more like an exploration of possible approaches.
>  Probably this is because that is what they are? :P Does it make sense
>  to define more detail? I kind of think "yes", but since there is no
>  deployment experience it's likely that it would all be incorrect.
> 

You are right it is a protocol exploration as we have nothing but what has shown to be difficult to deploy. 
And hopefully you are also wrong on if this advise will be ignored, I hope it will become the bases
of many operations. 

> * I don't see much motivation for "Acceptance policy via authenticated
>  channel". It seems like if you have access to such a channel you may
>  as well just provide the DS record? Or is the idea that you make it so
>  that the administrator for a zone doesn't need to cut/paste DS
>  information but can just check a "delegate this" box?

Well the idea is a that a DNS operator can Identify the request that the CDS/CDNSKEY processing by parent is started. 
possibly even handing over the expected records. 
In my employers case the acceptance policy is we give the people that are willing to work with us the list of keys we will sign with, 
because that is a short list. 

> 
> * Perhaps "Accept with challenge" should provide some advice on how
>  this works. For example, a TXT record with a unique key for each zone
>  (or customer) seems like a good recommendation. It might also make
>  sense if each child domain (or customer) has a unique ownername to
>  look for, to prevent 3rd parties from detecting such bootstrapping.
>  (Yes a 3rd party can see the CDS update followed by the DS update,
>  but they won't know the verification used.) Also to note that after
>  the trust is established that the challenge record should no longer
>  be necessary and can be removed.
> 

There are many different ways to do this
a) generate a random name with a  <type>  record with defined content 
b) put a <type> record at a fixed name with random content 
c) require resigning the CDS/CDNSKEY record with defined expiration time 
etc. it is just a question of imagination what people come up with. 
If the working group wants to recommend one standard way, that is fine. 
Text welcome 


> Sayōnara!
> 
> —
> Shane

Olafur