Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-negative-trust-anchors

Warren Kumari <warren@kumari.net> Tue, 12 May 2015 09:44 UTC

In-Reply-To: <20150511172610.GB7209@isc.org>
References: <553EBF02.3050703@gmail.com> <CAJE_bqc-T75k3sQZKtAF1VHp49biGn+Es5v5FivNSz5e3oB-Cg@mail.gmail.com> <CAHw9_iL9RLp0jynT0m_D6dGZYhmdonvBC-5ifTdB63eh5gvBeg@mail.gmail.com> <CAJE_bqesFPG6d3UsFmtFRjUBQqfifHkaBMR0sXAaNKuN10HL4A@mail.gmail.com> <CAHw9_iLbx_soi1+LaSwMKarLcT1kBCrFdaX8diwMVZp70KeePA@mail.gmail.com> <20150509185028.GB74933@isc.org> <CAJE_bqcJN+RL8NF5NoLTL2y6-mpC1Maf8y_msie7MgYxkV4B3A@mail.gmail.com> <CA+nkc8A7SgQS6FNaXOGx1f4qKhSYTsGvR2keTWiksB6H47J=AQ@mail.gmail.com> <20150511172610.GB7209@isc.org>
Date: Tue, 12 May 2015 11:44:28 +0200
Message-ID: <CAHw9_iK+0HO13dFuaMppGFvtNbKHqRxF6AQDp9=fj6dQRAGuPg@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
To: Evan Hunt <each@isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/Bn9NL9O_lPk4SH8ep1s8T1o97qM>
Cc: Tim Wicinski <tjw.ietf@gmail.com>, Bob Harold <rharolde@umich.edu>, dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-negative-trust-anchors

On Mon, May 11, 2015 at 7:26 PM, Evan Hunt <each@isc.org> wrote:
> On Mon, May 11, 2015 at 12:19:19PM -0400, Bob Harold wrote:
>> I am not even sure there is a good reason for a warning.
>
> In BIND, NTAs are set by an rndc command, but in other implementations
> they might be set up in a config file. If you have both a TA and an NTA
> for the same node in the same configuration, that would be sensible to
> warn about; it's the sort of oddity that might have been unintentional.

"An NTA placed at a node where there is a configured positive trust
anchor MUST take precedence over that trust anchor, effectively
disabling it. Implementations SHOULD issue a warning or informational
message when this occurs, so that operators are not surprised when
this happens."

Just added. Seem good?

W


>
> --
> Evan Hunt -- each@isc.org
> Internet Systems Consortium, Inc.



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
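The rule quoted in the message above (an NTA at a node with a configured positive trust anchor takes precedence, disabling that anchor, and the implementation should warn) as an added Python example. This is not code from the thread, from the draft, or from BIND or any other resolver; `resolve_trust_config`, the `TrustConfig` structure and the anchor values in the sample are assumptions made for illustration, and the anchor strings are placeholders rather than real DS or DNSKEY data.

```python
"""Compute the effective trust-anchor set of a validator when negative
trust anchors (NTAs) and positive trust anchors (TAs) are both configured.
Added example; the data model and function names are assumptions."""
from __future__ import annotations

import logging
from dataclasses import dataclass, field

log = logging.getLogger("validator.config")


def canonical(name: str) -> str:
    """Normalise an owner name so 'EXAMPLE.COM' and 'example.com.' compare equal:
    lowercase, surrounding whitespace removed, exactly one trailing dot."""
    name = name.strip().lower().rstrip(".")
    return (name + ".") if name else "."


@dataclass
class TrustConfig:
    # owner name -> anchor records still in force for validation
    effective: dict[str, list[str]]
    # owner name -> anchor records switched off because an NTA sits at the same node
    disabled: dict[str, list[str]]
    # operator-facing messages produced while loading the configuration
    warnings: list[str] = field(default_factory=list)


def resolve_trust_config(trust_anchors: dict[str, list[str]],
                         negative_trust_anchors: set[str]) -> TrustConfig:
    """Apply the precedence rule: an NTA at a node overrides any positive TA
    configured at that same node, and the conflict is reported as a warning
    so the operator is not surprised that validation is off there."""
    ntas = {canonical(n) for n in negative_trust_anchors}
    cfg = TrustConfig(effective={}, disabled={})
    for owner, anchors in trust_anchors.items():
        owner = canonical(owner)
        if owner in ntas:
            # NTA wins: keep the anchor only in the 'disabled' record for diagnostics.
            cfg.disabled.setdefault(owner, []).extend(anchors)
            msg = (f"negative trust anchor at {owner} overrides "
                   f"{len(anchors)} configured trust anchor(s); "
                   f"DNSSEC validation is disabled at that node")
            cfg.warnings.append(msg)
            log.warning(msg)
        else:
            cfg.effective.setdefault(owner, []).extend(anchors)
    return cfg


def demo() -> TrustConfig:
    """Constructed sample configuration: a root anchor plus an anchor and an
    NTA (spelled differently) at the same node. Anchor strings are placeholders."""
    tas = {
        ".": ["ROOT-DS-PLACEHOLDER"],
        "example.com": ["EXAMPLE-DS-PLACEHOLDER"],
    }
    ntas = {"EXAMPLE.COM."}
    return resolve_trust_config(tas, ntas)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    result = demo()
    print("effective anchors:", sorted(result.effective))
    print("disabled anchors: ", sorted(result.disabled))
```

Loading the configuration through a single merge step like this is what makes the warning cheap to produce: the conflict is visible at the moment both lists are in hand, whether the NTA arrived from a config file or from a runtime command, and the operator sees it once at load time rather than discovering it later as unexpectedly insecure answers.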