Re: [DNSOP] [IANA #1362913] expert review for draft-ietf-dnsop-dnssec-bootstrapping (dns-parameters)
Peter Thomassen <peter@desec.io> Sat, 20 April 2024 10:13 UTC
Return-Path: <peter@desec.io>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E41EDC14F71D for <dnsop@ietfa.amsl.com>; Sat, 20 Apr 2024 03:13:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.897
X-Spam-Level:
X-Spam-Status: No, score=-6.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=a4a.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dg-WKMlt5u3K for <dnsop@ietfa.amsl.com>; Sat, 20 Apr 2024 03:13:25 -0700 (PDT)
Received: from mail.a4a.de (mail.a4a.de [IPv6:2a01:4f8:10a:1d5c:8000::8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 36187C14F708 for <dnsop@ietf.org>; Sat, 20 Apr 2024 03:13:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=a4a.de; s=20170825; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:From: References:Cc:To:Subject:MIME-Version:Date:Message-ID:Sender:Reply-To: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=PvYR3GoG8NpEaGzhu/sAD6+B/xf5Jxf69QQVtbrccdo=; b=h/MmCT1sehahXpa1sXDV6jiVn/ zpyesElq57ph8etKsxatKiokwRVkEYaHpzsCT3xRxNtNElJRJ6aApA5DBQSSv6CftM+lfGdysjxAh KJk9yBKPPbbgMZXPcDAAkbIbpPmzT4rIeKgiygQbS+qi6MPiEsrSSxZiVuUtU+3oJRLdbvVc2xypS 6J4a3a4AOrnEAWHSI6KFTwrpTjImB35eMtJIvnxAigcebA+nT4QOCTo4oqlumm3QjKZ7ohT6Enyxk mzsQ1sTscdwadEZcEZgOMYeXL1vLzB6JyIhBYwKNI+Jz3reoiMKNG4FfoswDdNXF8GOKgX+7JPwhl 1oNmHYdQ==;
Received: from [2a02:8109:9283:8800:5675:726f:a65f:b3ca] by mail.a4a.de with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.93) (envelope-from <peter@desec.io>) id 1ry7ie-0055Xr-Gx; Sat, 20 Apr 2024 12:13:16 +0200
Message-ID: <1cb4663f-9502-47db-a099-ce5147bb733e@desec.io>
Date: Sat, 20 Apr 2024 12:13:15 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Paul Wouters <paul@nohats.ca>, drafts-expert-review-comment@iana.org
Cc: nils@desec.io, dnsop@ietf.org, Oli Schacher <oli.schacher@switch.ch>, Q Misell <q@as207960.net>, Christian Elmerot <christian@elmerot.se>, Daniel Salzman <daniel.salzman@nic.cz>
References: <rt-5.0.3-225992-1713566832-1739.1362913-9-0@icann.org> <647558F8-2FEF-4418-AE1C-3BDC3B22A89B@nohats.ca>
Content-Language: en-US
From: Peter Thomassen <peter@desec.io>
In-Reply-To: <647558F8-2FEF-4418-AE1C-3BDC3B22A89B@nohats.ca>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/A90vHZgcDzN_enr5PY7TBCwSPSg>
Subject: Re: [DNSOP] [IANA #1362913] expert review for draft-ietf-dnsop-dnssec-bootstrapping (dns-parameters)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 Apr 2024 10:13:30 -0000
Hi Paul,

The authors certainly don't insist, but we'd need to pick a suitable replacement for the "_signal" label. John proposed "_dnssec-signal" elsewhere in this thread.

The authors would like to note that adding "_dnssec-" eats up 8 more bytes, increasing chances that bootstrapping will fail due to the _dsboot.<domain-name>._dnssec-signal.<nsname> length limitation. Other than this (unnecessary?) use case narrowing, this choice seems fine.

That said, does this choice address your concerns?

The main question then is to get implementations updated. I'm thus copying a few implementers so they can comment w.r.t. making this change in their implementation.

I suppose that barring their objections, it's fine to go ahead?

Thanks,
Nils and Peter

On 4/20/24 01:18, Paul Wouters wrote:
> If the authors insist, then as DE of this registry, this entry is okay.
>
> My point below still holds, but I will leave that up to the authors and IESG.
>
> Paul
>
> Sent using a virtual keyboard on a phone
>
>> On Apr 19, 2024, at 18:47, David Dong via RT <drafts-expert-review-comment@iana.org> wrote:
>>
>> Hi Paul,
>>
>> Just a ping on this; thank you.
>>
>> Best regards,
>>
>> David Dong
>> IANA Services Sr. Specialist
>>
>>> On Sat Apr 13 01:24:13 2024, peter@desec.io wrote:
>>> Hi Paul,
>>>
>>>> On 4/12/24 22:36, Paul Wouters wrote:
>>>> However, I would urge the authors/WG to pick a less generic and more
>>>> specific name than "_signal", such as "_dnssec-bootstrap". Especially
>>>> because there is also the well known "Signal" message client. Also,
>>>> in case of future different signaling, the current name might become
>>>> confusing.
>>>
>>> The signaling record names actually have two underscore labels, and
>>> look like (taking nohats.ca as an example)
>>>
>>> _dsboot.nohats.ca._signal.ns2.foobar.fi.
>>>
>>> The specific type of signal is already indicated by the first label.
>>> Other signaling use cases would use a different first label.
>>> (draft-thomassen-dnsop-mske has an example.)
>>>
>>> The _signal label generically indicates that ns2.foobar.fi likes to
>>> signal something about nohats.ca. Its presence is needed to allow
>>> separating the object from the source without ambiguity.
>>>
>>> We could change _signal to something else, but not to _dnssec-bootstrap
>>> as that's not generic. Suggestions are welcome.
>>>
>>>
>>> I'd like to add some considerations:
>>>
>>> - The spec has quite a few production implementations (see Section 8),
>>> and changing them would come with significant costs.
>>>
>>> - I don't think the _signal label is in use for the Signal messenger.
>>> Even in case it's used in the future, a collision (in terms of prefix
>>> labels + rdtype) seems unlikely.
>>>
>>> As there would be significant costs, but no tangible benefit, perhaps
>>> we should not do this.
>>>
>>>
>>> Further context: The structure of the signaling name is the result of
>>> the DNSOP Interim [1]. Details on rejected alternatives can be found
>>> in [2].
>>>
>>> [1]: "Open Issue 3" in https://datatracker.ietf.org/meeting/interim-2022-dnsop-01/materials/slides-interim-2022-dnsop-01-sessa-authenticated-dnssec-bootstrapping-00.pdf
>>> [2]: https://mailarchive.ietf.org/arch/msg/dnsop/FE5Sm5vzZtq9VgKxgkfmv4VuVI8/
>>>
>>> Thanks,
>>> Peter
>>
>> _______________________________________________
>> DNSOP mailin

--
Like our community service? 💛 Please consider donating at

https://desec.io/

deSEC e.V.
Kyffhäuserstr. 5
10781 Berlin
Germany

Vorstandsvorsitz: Nils Wisiol
Registergericht: AG Berlin (Charlottenburg) VR 37525
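Added example, not taken from the draft, from this thread, or from any of the implementations copied on the message: the Python below builds a signaling name of the shape discussed above, _dsboot.<child>.<prefix>.<nsname>, computes its DNS wire-format length, and checks it against the RFC 1035 limits (63 octets per label, 255 octets per name including the root label). It makes the length argument concrete: "_signal" is 7 octets and "_dnssec-signal" is 14, and because both are a single label with one length octet, the wire length of the whole name grows by the same 7 octets. The names nohats.ca and ns2.foobar.fi are the ones used in the quoted text; the long child name near the 255-octet limit is constructed for illustration and is not a real zone.

```python
"""Wire-length check for DNSSEC bootstrapping signaling names.

Added example (not from the draft, the thread, or any implementation).
Builds _dsboot.<child>.<prefix>.<nsname>, computes the wire-format
length and checks the RFC 1035 limits.  Names must be in ASCII
presentation format (IDN labels as A-labels); sample names below are
constructed for illustration.
"""
from __future__ import annotations

MAX_LABEL_OCTETS = 63   # RFC 1035 section 2.3.4
MAX_NAME_OCTETS = 255   # RFC 1035 section 2.3.4, wire format incl. root label


def labels(name: str) -> list[str]:
    """Split a presentation-format name into labels, dropping a trailing dot."""
    name = name.rstrip(".")
    return name.split(".") if name else []


def wire_length(name: str) -> int:
    """Wire-format length: one length octet per label plus the label bytes,
    plus the terminating zero-length root label."""
    return sum(1 + len(lab.encode("ascii")) for lab in labels(name)) + 1


def signaling_name(child: str, nsname: str, prefix: str = "_signal") -> str:
    """Build the signaling name: _dsboot.<child>.<prefix>.<nsname>.
    The child's labels are inserted as-is between _dsboot and the prefix."""
    return ".".join(["_dsboot", *labels(child), prefix, *labels(nsname)]) + "."


def check(child: str, nsname: str, prefix: str = "_signal") -> dict:
    """Return the signaling name, its wire length, and whether it is
    representable on the wire (every label <= 63 octets, name <= 255)."""
    name = signaling_name(child, nsname, prefix)
    length = wire_length(name)
    labels_ok = all(len(lab.encode("ascii")) <= MAX_LABEL_OCTETS
                    for lab in labels(name))
    return {"name": name, "wire_length": length,
            "fits": labels_ok and length <= MAX_NAME_OCTETS}


def prefix_overhead(prefix_a: str, prefix_b: str) -> int:
    """Extra wire octets prefix_b costs over prefix_a.  Both are a single
    label, so the length octet cancels and only the label bytes differ."""
    return len(prefix_b.encode("ascii")) - len(prefix_a.encode("ascii"))


if __name__ == "__main__":
    # Example from the thread: short names, both prefixes fit easily.
    for prefix in ("_signal", "_dnssec-signal"):
        print(check("nohats.ca", "ns2.foobar.fi", prefix))
    # Constructed child name that sits just under the limit with "_signal"
    # and goes over it with "_dnssec-signal".
    long_child = ".".join(["a" * 63, "b" * 63, "c" * 63, "d" * 20, "example"])
    for prefix in ("_signal", "_dnssec-signal"):
        r = check(long_child, "ns2.foobar.fi", prefix)
        print(prefix, r["wire_length"], "fits" if r["fits"] else "too long")
    print("overhead:", prefix_overhead("_signal", "_dnssec-signal"), "octets")
```

A parent or registrar scanning for bootstrapping records can run check() on each child before querying; a name that does not fit cannot be signaled at all, so the only fallback for that child is the conventional out-of-band DS submission.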