IETF Logo Mail Archive

Re: [DNSOP] new dnsop related draft: RFC5011 security considerations

Wes Hardaker <wjhns1@hardakers.net> Mon, 01 August 2016 22:54 UTC

Return-Path: <wjhns1@hardakers.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59089120727 for <dnsop@ietfa.amsl.com>; Mon, 1 Aug 2016 15:54:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.488
X-Spam-Level:
X-Spam-Status: No, score=-5.488 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J5EdWiX42r2h for <dnsop@ietfa.amsl.com>; Mon, 1 Aug 2016 15:54:03 -0700 (PDT)
Received: from mail.hardakers.net (mail.hardakers.net [168.150.236.43]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F29A812D0A5 for <dnsop@ietf.org>; Mon, 1 Aug 2016 15:54:02 -0700 (PDT)
Received: from localhost (50-1-20-198.dsl.static.fusionbroadband.com [50.1.20.198]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.hardakers.net (Postfix) with ESMTPSA id 640F3218BA; Mon, 1 Aug 2016 15:54:02 -0700 (PDT)
From: Wes Hardaker <wjhns1@hardakers.net>
To: "Wessels, Duane" <dwessels@verisign.com>
References: <0lfuqoqhd7.fsf@wjh.hardakers.net> <414228DF-9C59-467A-8DA0-0EE98B03BDFD@verisign.com>
Date: Mon, 01 Aug 2016 15:54:01 -0700
In-Reply-To: <414228DF-9C59-467A-8DA0-0EE98B03BDFD@verisign.com> (Duane Wessels's message of "Mon, 1 Aug 2016 22:29:51 +0000")
Message-ID: <0lwpk0p0c6.fsf@wjh.hardakers.net>
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/797kAX9we1jN4U15DVYuHkC-u_Y>
Cc: "wkumari@google.com" <wkumari@google.com>, dnsop <dnsop@ietf.org>, Wes Hardaker <wjhns1@hardakers.net>
Subject: Re: [DNSOP] new dnsop related draft: RFC5011 security considerations
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Aug 2016 22:54:04 -0000

"Wessels, Duane" <dwessels@verisign.com> writes:

>>    RRSIG Signature Validity  10 days
>
> Here I think you probably want to say DNSKEY RRSIG signature validity,
> because thats the only RRset whose validity period matters, right?

Very good point.  Changed for our next publication.

>>  Zone Maintainer  The owner of a zone intending to publish a new Key-
>>     Signing-Keys (KSKs) that will become a trust anchor by validators
>>     following the RFC5011  process.
>
> Could I convince you to use another term?  Maybe just Zone Owner?  I
> worry that when people read Zone Maintainer they would subconsciously
> put "Root" in front of it and your abstract notes that this isn't
> really a concern for (current) root zone plans.

Sure.  Though there is always an issue with coming up with terms to
describe who controls various bits of a zone these days.  It's not the
content owner, as that's often separated from the security dude that
signs the content (as you well know).  We need a suitable term for that
role generally.  I particularly like a suggestion by thesaurus.com, and
sadly it's actually the better of many of the choices: "zone right-hand
person".

Any other suggestions?
-- 
Wes Hardaker
Parsons

v2.23.0 | Report a Bug | By Email