[DNSOP] Fwd: New Version Notification for draft-jabley-dnsop-bootstrap-validator-00.txt

Joe Abley <jabley@hopcount.ca> Mon, 19 March 2018 15:14 UTC

From: Joe Abley <jabley@hopcount.ca>
Message-Id: <B47F59A1-10B0-46AC-90D1-7C5EF4E4688F@hopcount.ca>
References: <152147159373.24266.10589533262224690425.idtracker@ietfa.amsl.com>
To: dnsop <dnsop@ietf.org>
Date: Mon, 19 Mar 2018 15:14:37 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/9WdvbqWFpKbcZ_Fd-LsXnSIg4-8>

Hi all,

This draft from 2011 emerged blinking into the sunlight from the grave where it expired, growling something about KSK rollovers and brains. Dave and I promptly wrestled it to the ground and locked it in the datatracker where we can safely poke sticks at it through the reinforced metal bars.

The original draft contained this prescient language:
   The possibility remains, however, that [RFC5011] signalling will not
   be available to a validator: e.g. certain classes of emergency KSK
   rollover may require a compromised KSK to be discarded more quickly
   than [RFC5011] specifies, or a validator might be off-line over the
   whole key-roll event.

   This document provides guidance on how DNSSEC Validators might
   determine an appropriate set of trust anchors to use at start-up, or
   when other mechanisms intended to allow key rollover to be tolerated
   gracefully are not available.
Dave and I imagine this kind of thinking might be relevant and timely. Tim and Suz have kindly tolerated my increasingly frantic handwaving on this subject and have offered me some minutes in the dnsop meeting tomorrow, where I intend to suggest that a specification along these lines is necessary and that the working group should take this on.


> Begin forwarded message:
> From: internet-drafts@ietf.org
> Subject: New Version Notification for draft-jabley-dnsop-bootstrap-validator-00.txt
> Date: 19 March 2018 at 14:59:53 GMT
> To: "Joe Abley" <jabley@afilias.info>, "Dave Knight" <dave.knight@team.neustar>
> A new version of I-D, draft-jabley-dnsop-bootstrap-validator-00.txt
> has been successfully submitted by Joe Abley and posted to the
> IETF repository.
> Name:		draft-jabley-dnsop-bootstrap-validator
> Revision:	00
> Title:		Establishing an Appropriate Root Zone DNSSEC Trust Anchor at Startup
> Document date:	2018-03-19
> Group:		Individual Submission
> Pages:		9
> URL:            https://www.ietf.org/internet-drafts/draft-jabley-dnsop-bootstrap-validator-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-jabley-dnsop-bootstrap-validator/
> Htmlized:       https://tools.ietf.org/html/draft-jabley-dnsop-bootstrap-validator-00
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-jabley-dnsop-bootstrap-validator
> Abstract:
>   Domain Name System Security Extensions (DNSSEC) allow cryptographic
>   signatures to be used to validate responses received from the Domain
>   Name System (DNS).  A DNS client which validates such signatures is
>   known as a validator.
>   The choice of appropriate root zone trust anchor for a validator is
>   expected to vary over time as the corresponding cryptographic keys
>   used in DNSSEC are changed.
>   This document provides guidance on how validators might determine an
>   appropriate trust anchor for the root zone to use at start-up, or
>   when other mechanisms intended to allow key rollover to be tolerated
>   gracefully are not available.
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> The IETF Secretariat