Re: [DNSOP] New Version Notification for draft-pounsett-transferring-automated-dnssec-zones-02.txt
Antoin Verschuren <ietf@antoin.nl> Wed, 09 November 2016 14:03 UTC
Return-Path: <ietf@antoin.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8CD3129499 for <dnsop@ietfa.amsl.com>; Wed, 9 Nov 2016 06:03:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.498
X-Spam-Level:
X-Spam-Status: No, score=-3.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-1.497, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=antoin.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ezDwE5U4ZCfL for <dnsop@ietfa.amsl.com>; Wed, 9 Nov 2016 06:03:08 -0800 (PST)
Received: from walhalla.antoin.nl (walhalla.antoin.nl [IPv6:2a01:670:6aa4:da00::6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BFA23129490 for <dnsop@ietf.org>; Wed, 9 Nov 2016 06:03:07 -0800 (PST)
Received: from [IPv6:2a01:670:6aa4:da00:462a:60ff:fef4:e7f2] (unknown [IPv6:2a01:670:6aa4:da00:462a:60ff:fef4:e7f2]) by walhalla.antoin.nl (Postfix) with ESMTPSA id 3AD1A28024D; Wed, 9 Nov 2016 15:03:05 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=antoin.nl; s=walhalla; t=1478700185; bh=7fUI7O9xiOZQ2G7T2AXzEtujG6f8l6mRA86wE5EwCTk=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=iNISspDNVOJ3GenAc89THIwBngA1AjoYqEe07tqt3jtwnN5KqEKIasN6oMo5RWzx4 V9BeTDMt3HKk/LooiAwwi1T+AvSf3Cfqye91QCEiLowD2ohSHcpLQDFKW1saqfaTcp ZS4jGgFthq6utWbknVGEHEtSsFgMZwpYszw5cBSE=
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
Content-Type: multipart/signed; boundary="Apple-Mail=_3E728EA7-0D4F-4FF1-857B-B6EFBAF1EC89"; protocol="application/pgp-signature"; micalg="pgp-sha256"
X-Pgp-Agent: GPGMail
From: Antoin Verschuren <ietf@antoin.nl>
In-Reply-To: <CAAiTEH-O5doOgOH=8VYDDkDaRcSUTzKADpf7AuvnPrqEFG6xjg@mail.gmail.com>
Date: Wed, 09 Nov 2016 15:03:00 +0100
Message-Id: <8ACA666F-7964-440D-A19D-084FD363F8A5@antoin.nl>
References: <147788457889.20732.6547170129744737547.idtracker@ietfa.amsl.com> <CAAiTEH-O5doOgOH=8VYDDkDaRcSUTzKADpf7AuvnPrqEFG6xjg@mail.gmail.com>
To: Matthew Pounsett <matt@conundrum.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/9E1BQT_KDh_41eW0xI_NCiKQpKo>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] New Version Notification for draft-pounsett-transferring-automated-dnssec-zones-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Nov 2016 14:03:10 -0000
Hi Matt, I cannot help noticing that draft-pounsett-transferring-automated-dnssec-zones is providing the same solution as an earlier draft draft-koch-dnsop-dnssec-operator-change. This draft has already gone through a review process, and is considered to be done content wise by the authors. The reason why draft-koch-dnsop-dnssec-operator-change has never made it to WG adoption in DNSOPS is because of IPR that is now also targeting your draft. There is currently discussion on this IPR on the REGEXT mailinglist because draft-ietf-eppext-keyrelay, which is the standardization of the provisioning parameters for this secure operator change concept is stalled for a long time as well because of this IPR. Can I ask you how your draft is different from draft-koch-dnsop-dnssec-operator-change to justify a new attempt? Wouldn’t the IPR pose the same adoption issues as draft-koch-dnsop-dnssec-operator-change? The authors of draft-koch-dnsop-dnssec-operator-change are willing to revive the draft and ask for WG adoption by DNSOPS as well. As co-author of that draft and the original inventor of the secure dns-operator change method, I’m open to see how that draft can be improved by your attempt, and see if we could work together to get this concept described in an Informational RFC. draft-ietf-eppext-keyrelay is stalled in IESG review for 328 days now, and I wouldn’t want the DNSOPS WG to waste the same time while the IPR issue is not resolved. Instead, I think it would be wise to jointly address both the Informational concept description and provisioning solution and if members of DNSOPS have any input to the IPR discussion on the REGEXT mailinglist, I would invite them to contribute. - -- Antoin Verschuren Tweevoren 6, 5672 SB Nuenen, NL M: +31 6 37682392 Op 31 okt. 2016, om 04:49 heeft Matthew Pounsett <matt@conundrum.com> het volgende geschreven: > Hi all. > > I've submitted an update for the below draft which I'd like the working group to eventually consider for adoption. If there's time in the agenda, I'd like to ask the chairs for some time to discuss this in Seoul. > > As with the previous version, I'm looking for some specific feedback on a few things. > > 1) I believe this draft represents operational experience that could be added to RFC6781. While it doesn't (intentionally) change anything in 6781, I think the additional operator change procedure justifies the "updates" meta-data in the draft. With the increase in gTLDs and the expected future increase in gTLD transfers I think it's important to put this information in front of operators searching for advice, which makes having it appear as a link from the 6781 meta-data important. I'd like to get the group's feeling on that. > > 2) RFC 6781 does not explicitly describe the timings of each step in the operator change procedure, leaving that as an exercise for the reader to obtain by reading earlier sections of the RFC. The -01 version of this draft followed that style for a couple of reasons: first, so as not to unnecessarily duplicate any information; second, to avoid unintentionally introducing any ambiguity or update to the information in 6781. I've been of two minds on that, however. I felt that the aim of this draft–to provide advice to inexperienced operators–was not well served by leaving a prose description of the procedure out. With the recent publication of errata for § 4.1.2, my opinion has tipped slightly the other way, and so I've added text to describe the steps and their timings. > > 3) I don't believe this draft raises any *new* security considerations, so I've done my best to incorporate by reference the security considerations from 6781. I'd like to know your thoughts on this as well. > > > ---------- Forwarded message ---------- > From: <internet-drafts@ietf.org> > Date: 30 October 2016 at 23:29 > Subject: New Version Notification for draft-pounsett-transferring-automated-dnssec-zones-02.txt > To: Matthew Pounsett <matt@conundrum.com> > > > > A new version of I-D, draft-pounsett-transferring-automated-dnssec-zones-02.txt > has been successfully submitted by Matthew Pounsett and posted to the > IETF repository. > > Name: draft-pounsett-transferring-automated-dnssec-zones > Revision: 02 > Title: Change of Operator Procedures for Automatically Published DNSSEC Zones > Document date: 2016-10-31 > Group: Individual Submission > Pages: 7 > URL: https://www.ietf.org/internet-drafts/draft-pounsett-transferring-automated-dnssec-zones-02.txt > Status: https://datatracker.ietf.org/doc/draft-pounsett-transferring-automated-dnssec-zones/ > Htmlized: https://tools.ietf.org/html/draft-pounsett-transferring-automated-dnssec-zones-02 > Diff: https://www.ietf.org/rfcdiff?url2=draft-pounsett-transferring-automated-dnssec-zones-02 > > Abstract: > Section 4.3.5.1 of [RFC6781] "DNSSEC Operational Practices, version > 2" describes a procedure for transitioning a DNSSEC signed zone from > one (cooperative) operator to another. The procedure works well in > many situations, but makes the assumption that it is feasible for the > two operators to simultaneously publish slightly different versions > of the zone being transferred. In some cases, such as with TLD > registries, operational considerations require both operators to > publish identical versions of the zone for the duration of the > transition. This document describes a modified transition procedure > which can be used in these cases. > > > > > Please note that it may take a couple of minutes from the time of submission > until the htmlized version and diff are available at tools.ietf.org. > > The IETF Secretariat > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop
- [DNSOP] Fwd: New Version Notification for draft-p… Matthew Pounsett
- Re: [DNSOP] Fwd: New Version Notification for dra… Bob Harold
- Re: [DNSOP] Fwd: New Version Notification for dra… Matthew Pounsett
- Re: [DNSOP] New Version Notification for draft-po… Antoin Verschuren
- Re: [DNSOP] New Version Notification for draft-po… Matthew Pounsett
- Re: [DNSOP] New Version Notification for draft-po… Antoin Verschuren