Return-Path: <paul.hoffman@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by ietfa.amsl.com (Postfix) with ESMTP id 0D2D7C1E590E
	for <dnsop@ietfa.amsl.com>; Mon,  8 Jul 2024 11:08:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level: 
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5
	tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001,
	SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01]
	autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194])
	by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id Z5Ie1-aP47Am for <dnsop@ietfa.amsl.com>;
	Mon,  8 Jul 2024 11:08:52 -0700 (PDT)
Received: from ppa2.lax.icann.org (ppa2.lax.icann.org [192.0.33.77])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ietfa.amsl.com (Postfix) with ESMTPS id 0F266C1F6C94
	for <dnsop@ietf.org>; Mon,  8 Jul 2024 11:08:43 -0700 (PDT)
Received: from MBX112-E2-CO-1.pexch112.icann.org (out.mail.icann.org
 [64.78.33.7])
	by ppa2.lax.icann.org (8.18.1.2/8.18.1.2) with ESMTPS id 468I8ga1022830
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
	for <dnsop@ietf.org>; Mon, 8 Jul 2024 18:08:42 GMT
Received: from MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) by
 MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.2.1258.34; Mon, 8 Jul 2024 11:08:41 -0700
Received: from MBX112-W2-CO-1.pexch112.icann.org ([169.254.44.235]) by
 MBX112-W2-CO-1.pexch112.icann.org ([169.254.44.235]) with mapi id
 15.02.1258.034; Mon, 8 Jul 2024 11:08:41 -0700
From: Paul Hoffman <paul.hoffman@icann.org>
To: James Mitchell <james.mitchell@iana.org>
Thread-Topic: [DNSOP] [Ext] Working Group Last Call for
 draft-ietf-dnsop-rfc7958bis
Thread-Index: AQHa0WHcaQLIb4UUdUKxOHnKFX7uJQ==
Date: Mon, 8 Jul 2024 18:08:41 +0000
Message-ID: <A8A97850-6AF6-4780-96ED-E65B5BE70782@icann.org>
References: 
 <CADyWQ+EGh2N8tssBRskH=PVXV1e1eON4z=8E1JWPypNUyZVwLg@mail.gmail.com>
 <879F4E56-9939-4C57-A597-9BB113F92C0D@iana.org>
In-Reply-To: <879F4E56-9939-4C57-A597-9BB113F92C0D@iana.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [192.0.32.234]
x-source-routing-agent: True
Content-Type: text/plain; charset="us-ascii"
Content-ID: <18D26DB9870FD94EB9ADCB427FB31142@pexch112.icann.org>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.28.16
 definitions=2024-07-08_09,2024-07-05_01,2024-05-17_01
Message-ID-Hash: 2K7NNP6MABHWOMUNDNELQUSVEONC2IPI
X-Message-ID-Hash: 2K7NNP6MABHWOMUNDNELQUSVEONC2IPI
X-MailFrom: paul.hoffman@icann.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0;
 nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size;
 news-moderation; no-subject; digests; suspicious-header
CC: dnsop <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: =?utf-8?q?=5BDNSOP=5D_Re=3A_=5BExt=5D_Working_Group_Last_Call_for_draft-ietf?=
 =?utf-8?q?-dnsop-rfc7958bis?=
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: 
 <https://mailarchive.ietf.org/arch/msg/dnsop/6wJeeczC2_mdsnwyJHVjA1PIEZY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Thanks for the comments. They are all addressed in the revised draft coming=
 out shortly.

--Paul Hoffman

> On Jun 26, 2024, at 13:31, James Mitchell <james.mitchell@iana.org> wrote=
:
>=20
> All,
>  Please find my comments below.
>  The draft introduces a new optional field PublicKey without providing a =
versioning mechanism - both current and new formats are retrieved from the =
same path. I have reviewed a few publicly available parsers and did not ide=
ntify any obvious issues that could arise following the addition of the Pub=
licKey element (implementations appear to key of element/tag names, concern=
s if any, could be memory management with the larger and unused PublicKey C=
DATA). I do not believe versioning is required on the understanding that IA=
NA may revert to the previous version if necessary - there appear to be a f=
ew clients with operational dependencies on the file.
>  Looking ahead to the addition of the PublicKey element, we discussed whe=
ther to publish the PublicKey element for historical TAs and whether we wou=
ld remove the PublicKey for future-historical TAs. While we have not formal=
ized plans, can we assume these are operational decisions to be made by IAN=
A? If so, does the draft require text to clarify that the PublicKey may be =
present for some KeyDigests and that the element may be removed if previous=
ly present?
>    A few editorial comments:
>  The introduction says:
> This document describes the formats and distribution methods of DNSSEC tr=
ust anchors that have been used by IANA for the root zone of the DNS since =
2010.
> This is not quite true given a format with the publicKey element was not =
possible back in 2010.
>    The following sentence is difficult to read:
> If the relying party is using a trust anchor that has a KeyDigest element=
 that does not have a validUntil attribute, it can change to a trust anchor=
 with a KeyDigest element that does have a validUntil attribute, as long as=
 that trust anchor's validUntil attribute is in the future and the DNSKEY e=
lements of the KeyDigest are the same as the previous trust anchor.
>  I think it can be removed entirely - text regarding duration of use is c=
overed in a prior sentence - and I'm not sure what it adds. My problems wit=
h this are: 1) one does not "change to a trust anchor" following the additi=
on of a (future?) validUntil attribute - it is the same trust anchor; 2) th=
e "it" in "it can change" is difficult to understand, in part because of th=
e prior issue and because it is the validUntil that is changing; 3) DNSKEY =
elements is not defined - it should not be the (optional) PublicKey which i=
s most definitely a DNSKEY element.
>    Section 2.4 Converting to DNSKEY records - A DNSKEY constructed from t=
he KeyDigest will fail to match a published DNSKEY when the REVOKE bit is s=
et - this doesn't create an issue for this protocol but may cause confusion=
 during a rollover. It might be clearer to say something to the effect of t=
he file does not provide values for DNSKEY protocol or flags - for the purp=
ose of this mechanism, clients can assume valid trust anchors will be for p=
rotocol 3 and that the ZONE and SEP flag bits will be set.
>   Thanks,
> James Mitchell
> Director IANA Technical Services