Re: [DNSOP] Fwd: New Version Notification for draft-thomassen-dnsop-dnssec-bootstrapping-02.txt
Peter Thomassen <peter@desec.io> Tue, 30 November 2021 00:31 UTC
To: Paul Wouters <paul@nohats.ca>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, dnssec-bootstrapping@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/5xJ7fSVa8aPveM-8hhTB-erduKc>
On 11/5/21 1:07 AM, Paul Wouters wrote:
> In general, the problem is that we need to make it easier for the DNS
> hoster to enable DNSSEC when their customers are non-technical. I think
> this draft does properly extend RFC 8078 and even think this document
> could deprecate the "Accept after wait" method.

I took a shot at that in -03.

> However, I do think it
> should still impose a minimum length of publication before accepting,
> so that mistakes similar to the recent slack.com outage can be
> prevented. So change "accept after wait" to "verify, then accept after
> wait".

Sure. The draft currently says in Section 3.2:

| If the above steps succeed without error, the CDS/CDNSKEY records are
| successfully validated, and the Parental Agent can proceed with the
| publication of the DS record set under the precautions described in
| [RFC8078], Section 5.

... and there, it says:

| A parent SHOULD [...] ensure
| that the zone validates correctly if the parent publishes the DS
| record. A parent zone might also consider sending an email to its
| contact addresses to give the child zone a warning that security will
| be enabled after a certain amount of wait time -- thus allowing a
| child administrator to cancel the request.

I think that from a technical perspective, that covers the policy you're proposing. Or did you really mean to *impose* a minimum delay, as in: it is forbidden to deploy more quickly?

Another approach would be to re-state explicitly what's in RFC 8078 Section 5 (but I don't know if text duplication between RFCs is welcome?).

Best,
Peter
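The "verify, then accept after wait" policy discussed above, as an added example that is not part of the thread, the draft, or any Parental Agent implementation. It models the two RFC 8078 Section 5 precautions Peter quotes: the parent checks that each requested DS actually corresponds to a DNSKEY the child publishes (so validation will not break once the DS is live), and it then holds the request for a minimum period during which the child administrator can cancel. DS digests are computed per RFC 4034 Section 5.1.4 (digest type 2, SHA-256) and key tags per RFC 4034 Appendix B. The draft's own authentication of the CDS/CDNSKEY records via signaling zones is assumed to have already succeeded before `observe()` is called; the key material, owner names, and the `ParentalAgent` class are constructed for illustration.

```python
"""Model of a Parental Agent applying 'verify, then accept after wait' to CDS.

Added example, not code from the draft or any registry. Constructed data only.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire-format owner name, RFC 4034 Section 6.2."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(key: DNSKEY) -> bytes:
    """DNSKEY RDATA: flags (16 bit), protocol, algorithm, public key."""
    return struct.pack("!HBB", key.flags, key.protocol, key.algorithm) + key.public_key


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, key: DNSKEY) -> DS:
    """DS with digest type 2: SHA-256(owner name || DNSKEY RDATA), RFC 4034 5.1.4."""
    rdata = dnskey_rdata(key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return DS(key_tag(rdata), key.algorithm, 2, digest)


def cds_matches_dnskey(owner: str, cds: FrozenSet[DS], dnskeys: FrozenSet[DNSKEY]) -> bool:
    """The 'verify' step: every requested DS must be derivable from a DNSKEY the
    child publishes (SHA-256 DS only in this model), and the set must be non-empty."""
    derivable = {ds_from_dnskey(owner, k) for k in dnskeys}
    return bool(cds) and cds <= derivable


class ParentalAgent:
    """Publish DS only after the CDS set has passed the check and stayed
    identical across polls for at least min_hold seconds; a cancellation
    during the hold (the RFC 8078 Section 5 warning e-mail case) drops it."""

    def __init__(self, min_hold: int = 3600):
        self.min_hold = min_hold
        # child name -> (CDS set under consideration, time it was first seen)
        self.pending: Dict[str, Tuple[FrozenSet[DS], float]] = {}
        self.published: Dict[str, FrozenSet[DS]] = {}

    def observe(self, child: str, cds: FrozenSet[DS], dnskeys: FrozenSet[DNSKEY], now: float) -> str:
        """One polling round; returns 'rejected', 'pending' or 'published'."""
        if not cds_matches_dnskey(child, cds, dnskeys):
            self.pending.pop(child, None)  # a request that would break validation is never queued
            return "rejected"
        prev = self.pending.get(child)
        if prev is None or prev[0] != cds:
            self.pending[child] = (cds, now)  # new or changed request: the hold clock restarts
            return "pending"
        if now - prev[1] < self.min_hold:
            return "pending"
        self.published[child] = cds
        del self.pending[child]
        return "published"

    def cancel(self, child: str) -> bool:
        """Child administrator withdraws the request during the hold."""
        return self.pending.pop(child, None) is not None
```

Each poll must see the same CDS set; a changed set restarts the hold rather than inheriting the earlier request's age, and a set that does not match the child's DNSKEYs is dropped outright. Whether the hold is a SHOULD or a hard minimum, the question Peter raises, is purely the value of `min_hold` here.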