Re: [DNSOP] draft-wallstrom-dnsop-dns-delegation-requirements-03
joel jaeggli <joelja@bogus.com> Sat, 12 November 2016 22:09 UTC
Return-Path: <joelja@bogus.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C106812952E for <dnsop@ietfa.amsl.com>; Sat, 12 Nov 2016 14:09:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.397
X-Spam-Level:
X-Spam-Status: No, score=-8.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.497] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4o36PLWJdN2j for <dnsop@ietfa.amsl.com>; Sat, 12 Nov 2016 14:09:09 -0800 (PST)
Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 439A71296A2 for <dnsop@ietf.org>; Sat, 12 Nov 2016 14:08:51 -0800 (PST)
Received: from dhcp-96cc.meeting.ietf.org ([IPv6:2001:67c:370:144:4565:4c3e:bd31:596f]) (authenticated bits=0) by nagasaki.bogus.com (8.15.2/8.15.2) with ESMTPSA id uACM8OOS006059 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Sat, 12 Nov 2016 22:08:28 GMT (envelope-from joelja@bogus.com)
X-Authentication-Warning: nagasaki.bogus.com: Host [IPv6:2001:67c:370:144:4565:4c3e:bd31:596f] claimed to be dhcp-96cc.meeting.ietf.org
To: Edward Lewis <edward.lewis@icann.org>, "dnsop@ietf.org" <dnsop@ietf.org>
References: <ED2B34F2-0C3C-4139-8F04-5246407B675E@icann.org>
From: joel jaeggli <joelja@bogus.com>
Message-ID: <550b7991-8e79-4482-2327-36f55d22a8ca@bogus.com>
Date: Sun, 13 Nov 2016 07:08:14 +0900
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Thunderbird/50.0
MIME-Version: 1.0
In-Reply-To: <ED2B34F2-0C3C-4139-8F04-5246407B675E@icann.org>
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="XMDt628W60to0N0oSQEvERP5qN1DSVkOS"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/A82S2PwqS7O7wGw8SvJnL5cgOL4>
Subject: Re: [DNSOP] draft-wallstrom-dnsop-dns-delegation-requirements-03
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Nov 2016 22:09:21 -0000
On 11/13/16 6:16 AM, Edward Lewis wrote: > I read through the document and had a lot of comments, so maybe I need to "back up a bit." > > I'm conflicted over documents that define good operational practices over top of a standard protocol. There's much evidence we need this, for example, just to pick one, the number of TLD zones with very large DNSKEY sets. On the other hand, confusing operations and protocol can impair efforts to improve the protocol, such as how round-robin made DNSSEC more difficult in needing to define a canonical order of the resource records within an RR set. > > I'd support this document but it has to state up front that it has a limited scope, which needs to be properly defined. traditionally we would call that an applicability statement. I think that's quite useful particularly if there are cases where it should not be be employed. > The origin of my comment is section 2.1 which says that a delegations' name must be a hostname (a'la RFC 1123) and further that registered names are generally good for this. I know that there's no need for a delegation's name to be "printable" in general, the only delegation I can't make work (with DNSSEC) is '*'. > > E.g., there's no reason I can't have "\007.mylab.mydept.myorg.example" in my zone. Of course, that would not be very easy to access via a web browser location bar. > > Contrary to that, I had few "problems" with section 3 because it states up front "the public Internet DNS hierarchy" as the application domain. Section 2 and earlier didn't scope the work. > > What I can't find is a definition for, what is called in section 8, a "fully functional" delegation. Again, that is tied to the lack of scope. > > And, (as this dives deeper than I intended to mention), in section 8.2 there is this: > > "Any DNSKEY algorithm number used for in a zone MUST be assigned by IANA." > > Does that include PRIVATEDNS (253)? (To pick nits, it's not DNSKEY algorithm number, it's the registry of DNS Security Algorithm Numbers.) If someone uses that "IANA assigned" number they won't be "fully functional" for some interpretation of "fully functional." And ... I think IANA "assigned" is the wrong verbage, perhaps IANA registered. By now I've gone far into the weeds. > > I'd like to see the document state or define what kind of delegations it is covering. I think it is fine to define a kind of something more generic and apply rules to that. Much in the same way that IDNA defines rules for IDNA-aware applications while not altering the basic protocol definition. > > Bottom line - there ought to be a way to provide operational guidance to participants on the global public Internet while allowing for continued permission-less innovation. Guidance is needed but don't give it in a way that can be used to stop anyone from trying other things in their sandboxes. sure > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
- [DNSOP] draft-wallstrom-dnsop-dns-delegation-requ… Edward Lewis
- Re: [DNSOP] draft-wallstrom-dnsop-dns-delegation-… joel jaeggli