Re: [DNSOP] The DNSOP WG has placed draft-mglt-dnsop-dnssec-validator-requirements in state "Call For Adoption By WG Issued"
Bob Harold <rharolde@umich.edu> Tue, 05 May 2020 18:53 UTC
On Tue, May 5, 2020 at 12:02 PM Daniel Migault <mglt.ietf@gmail.com> wrote:

> Hi Bob,
>
> I apologize, the previous email has just been sent unexpectedly.
>
> Thanks for the comments. The new version of the file is available here [1]
> and a diff is available at [2].
>
> I propose the following text for clarification. Feel free to let me know
> if that addresses your concern.
>
> OLD:
> Not updating the configuration file prevents a failed synchronization to
> to the absence of write permission that are hardly in the control of the
> software."
>
> NEW
> Avoiding the configuration file to be updated prevents old configuration
> file to survive to writing error on read-only file systems.
>

I understand that we do not want the system to fail due to missing write
permissions. It seems like this could be handled two ways:

1. Just keep in memory, and do not try to write a new configuration. That
works, until the old trust anchor is removed, then it fails if the service is
restarted.

2. Attempt to write a new configuration, but keep going even if that fails.
If the write succeeds, then this works even after the old trust anchor is
removed.

I would prefer the second method. I think that is what some software already
does. (BIND?)

--
Bob Harold

> Please inline other comments.
>
> Yours,
> Daniel
>
> [1]
> https://github.com/mglt/draft-mglt-dnsop-dnssec-validator-requirements/blob/master/draft-mglt-dnsop-dnssec-validator-requirements.mkd
> [2]
> https://github.com/mglt/draft-mglt-dnsop-dnssec-validator-requirements/commit/f8ab674b12442aff6ba3c72a3ca8f795f24b2df9#diff-c7cc8f0bdd4d7cce2082828d70d2bf35
>
>
> On Tue, May 5, 2020 at 11:52 AM Daniel Migault
> <daniel.migault=40ericsson.com@dmarc.ietf.org> wrote:
>
>> Hi Bob,
>>
>> Thanks for the comments. The new version of the file is available here
>> [1] and diff can be seen at [2].
>>
>> I propose the following text. Does it clarify the concern?
>>
>> Avoiding the configuration file to be updated prevents old configuration
>> file to survive to writing error on read-only file systems.
>>
>>
>> "Not updating the configuration file prevents a failed
>> synchronization to to the absence of write permission that are hardly
>> in the control of the software."
>>
>> <mglt>
>> </mglt>
>>
>> [1]
>> https://github.com/mglt/draft-mglt-dnsop-dnssec-validator-requirements/blob/master/draft-mglt-dnsop-dnssec-validator-requirements.mkd
>> [2]
>> https://github.com/mglt/draft-mglt-dnsop-dnssec-validator-requirements/commit/f8ab674b12442aff6ba3c72a3ca8f795f24b2df9#diff-c7cc8f0bdd4d7cce2082828d70d2bf35
>>
>> ------------------------------
>> *From:* Bob Harold <rharolde@umich.edu>
>> *Sent:* Monday, May 4, 2020 4:29 PM
>> *To:* Daniel Migault <daniel.migault@ericsson.com>
>> *Subject:* Fwd: [DNSOP] The DNSOP WG has placed
>> draft-mglt-dnsop-dnssec-validator-requirements in state "Call For Adoption
>> By WG Issued"
>>
>> Minor nits:
>>
>> 7. Trust Anchor Related Recommendations
>>
>> Last sentence, last few words:
>> "in section Section 8" > "in Section 8"
>>
>> <mglt>
>> addressed
>> </mglt>
>>
>> 7.2.1. Automated Updates to DNSSEC Trust Anchors
>>
>> "TA updates is" > "TA updates are"
>>
>> <mglt>
>> addressed
>> </mglt>
>>
>> "but due to human" > "due to human"
>>
>> <mglt>
>> addressed
>> </mglt>
>>
>> 7.2.2. Automated Trust Anchor Check
>>
>> "Not updating the configuration file prevents a failed
>> synchronization to to the absence of write permission that are hardly
>> in the control of the software."
>>
>> <mglt>
>> I propose the following text. Does it clarify the concern?
>> Avoiding the configuration file to be updated prevents old configuration
>> file to survive to writing error on read-only file systems.
>> </mglt>
>>
>> Seems confusing, please rewrite.
>>
>> "The TA can be queries" > "The TA can be queried"
>>
>> <mglt>
>> addressed
>> </mglt>
>>
>> "does not only concerns" > "does not only concern"
>>
>> <mglt>
>> addressed
>> </mglt>
>>
>> "if the mismatch result" > "if the mismatch resulted"
>>
>> <mglt>
>> addressed
>> </mglt>
>>
>> 8. Negative Trust Anchors Related Recommendations
>>
>> "disable the signature check for that key the time" > "disable the
>> signature check for that key until the time"
>>
>> <mglt>
>> addressed
>> </mglt>
>>
>> "This does not prevents" > "This does not prevent"
>>
>> <mglt>
>> addressed
>> </mglt>
>>
>> "either an attack or a failure into" > "either an attack or a failure in"
>>
>> <mglt>
>> addressed
>> </mglt>
>>
>> 10.1. Automated Reporting
>>
>> "will take the appropriated steps" > "will take the appropriate steps"
>>
>> <mglt>
>> addressed
>> </mglt>
>>
>> --
>> Bob Harold
>>
>>
>> ---------- Forwarded message ---------
>> From: *Bob Harold* <rharolde@umich.edu>
>> Date: Mon, May 4, 2020 at 4:28 PM
>> Subject: Re: [DNSOP] The DNSOP WG has placed
>> draft-mglt-dnsop-dnssec-validator-requirements in state "Call For Adoption
>> By WG Issued"
>> To: IETF DNSOP WG <dnsop@ietf.org>
>>
>>
>> Looks useful, I will review.
>>
>> --
>> Bob Harold
>>
>>
>> On Mon, May 4, 2020 at 3:13 PM IETF Secretariat
>> <ietf-secretariat-reply@ietf.org> wrote:
>>
>>
>> The DNSOP WG has placed draft-mglt-dnsop-dnssec-validator-requirements in
>> state Call For Adoption By WG Issued (entered by Tim Wicinski)
>>
>> The document is available at
>>
>> https://datatracker.ietf.org/doc/draft-mglt-dnsop-dnssec-validator-requirements/
>>
>
> --
> Daniel Migault
> Ericsson
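The two trust anchor persistence strategies contrasted in the message above, as an added example that is not part of the thread or the draft: a hypothetical validator applies a rollover in memory and either never writes the anchor file (method 1) or attempts the write and keeps running when it fails (method 2). Key names, file paths and the JSON anchor file format are constructed for this example; the read-only file system is simulated with a path that cannot be created.

```python
import json
import logging
import os
import tempfile

log = logging.getLogger("trust-anchors")

def load_anchors(path, builtin):
    """Startup: use the persisted anchor file if readable, otherwise fall
    back to the anchors compiled into the software (the 'old' ones)."""
    try:
        with open(path) as f:
            return set(json.load(f))
    except (OSError, ValueError):
        return set(builtin)

def apply_update(anchors, path, new_anchor, revoked, persist):
    """Apply a rollover in memory. Method 1: persist=False, never write.
    Method 2: persist=True, try to write but keep running if that fails."""
    anchors = (anchors | {new_anchor}) - revoked
    if persist:
        try:
            tmp = path + ".tmp"
            with open(tmp, "w") as f:
                json.dump(sorted(anchors), f)
            os.replace(tmp, path)      # atomic replace, no half-written file
        except OSError as exc:         # e.g. read-only FS, missing permission
            log.warning("trust anchors not persisted to %s: %s", path, exc)
    return anchors

def simulate(persist, writable):
    """One rollover (KSK-new added, KSK-old revoked), then a restart.
    Returns whether the restarted validator still trusts KSK-new."""
    builtin = {"KSK-old"}                # constructed key names
    if writable:
        path = os.path.join(tempfile.mkdtemp(), "trust-anchors.json")
    else:
        path = "/nonexistent-read-only-fs/trust-anchors.json"  # write fails
    anchors = load_anchors(path, builtin)
    anchors = apply_update(anchors, path, "KSK-new", {"KSK-old"}, persist)
    assert "KSK-new" in anchors          # running process is fine either way
    restarted = load_anchors(path, builtin)
    return "KSK-new" in restarted

if __name__ == "__main__":
    for persist in (False, True):
        for writable in (True, False):
            print(f"persist={persist} writable={writable}: "
                  f"survives restart = {simulate(persist, writable)}")
```

Only method 2 on a writable file system survives the restart; method 2 on a read-only file system degrades to method 1 instead of failing the update.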