[DNSOP] Re: [Ext] Request: Review changes - draft-ietf-dnsop-rfc7958bis-03 → 04.

Michael StJohns <msj@nthpermutation.com> Thu, 29 August 2024 22:21 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 003C5C180B50 for <dnsop@ietfa.amsl.com>; Thu, 29 Aug 2024 15:21:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NImppJAYorv7 for <dnsop@ietfa.amsl.com>; Thu, 29 Aug 2024 15:21:17 -0700 (PDT)
Received: from mail-ot1-x32d.google.com (mail-ot1-x32d.google.com [IPv6:2607:f8b0:4864:20::32d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15AC0C1654EF for <dnsop@ietf.org>; Thu, 29 Aug 2024 15:21:16 -0700 (PDT)
Received: by mail-ot1-x32d.google.com with SMTP id 46e09a7af769-70f5a9bf18bso599010a34.2 for <dnsop@ietf.org>; Thu, 29 Aug 2024 15:21:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20230601.gappssmtp.com; s=20230601; t=1724970075; x=1725574875; darn=ietf.org; h=in-reply-to:from:references:to:content-language:subject:user-agent :mime-version:date:message-id:from:to:cc:subject:date:message-id :reply-to; bh=now5VQVKhKiyxeXM5pjN3MTy9KBgyKJJwG5iKxSEeFY=; b=aCT0bbgtMO+v0T5+MMPtnaNCSevf7EHP+fB70FMpJNB74yXzJWLoWKhdJETt4ZLo8a q9ORL+3lf3RHoNPQpu9Oye0tJwv3XeOMY8ndho7KR25T4PzffA1aYIYMKerWeDhif/eV z0eEx0Yt7I0VvstOTQpV3bX62lXlB+rnhqF8MVt+E/NMNBf+sDNZoJ0kLnBzm82N3o3P vzVVmR3IQBMXk6lGMNcfHGGwQq6nOojgo/FMaMkR53PXJbLj9iXuxWPpvblWmaGHSWyS UJM6l2rfkThYLgdo2tZoSEzKMPoCp1xvQvCHeYVLvH2cxdwQdVoLag/eSluKQ+2eX6r9 HAGA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724970075; x=1725574875; h=in-reply-to:from:references:to:content-language:subject:user-agent :mime-version:date:message-id:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=now5VQVKhKiyxeXM5pjN3MTy9KBgyKJJwG5iKxSEeFY=; b=K13i3Omf0Q4iYkSqqaacGQL49fTr3Tmovh2+ZBG21w+4wJ36V+ZZHzG2zCLobtNkZs 4JuF5A3fhi7V+cXMNFtb0Bv5rqzO8dzbW/fBPMDtwfcvbpGIEd9zTIWSyGd2gh2do+xm 9Aw0yRW33QMgnSeh+d9hSz7Gth3uyfdDU4zTv2gjOolg+Od8Brav01qsG1KXnPRNtzZ4 v0oVSLFSNk4CFBXrXq08IKZcOfMqtVoYBLsEq9OPMSJP/qpQSdiHKOdlHZc00ZEn56H3 TpqdD/zS0712yZ8foiijUcenJjK5hTjZTkjUjnD8YG9QI7PU/iMm7YqjQETOmFryJYn/ srUg==
X-Gm-Message-State: AOJu0YxpUc8p+nW9F9dmPmcbb4ASQ1SNAAVgwc1qlUQPT0dmbaNqFppo yaQEh0kt90WTI1WfttRqZsz41HKzynXtjIwgxtxDgG9HDJMzFbqDZQo9Jh073x4D94UwRSF/cw9 G
X-Google-Smtp-Source: AGHT+IHqk7ka0I0Ty1Lp/gBn3pr2c+kNuc7R+uAkzq8Ijv+wOTN7XvdoyPKs0e2KHOwH4gAonMiKww==
X-Received: by 2002:a05:6830:6112:b0:709:4ef3:244 with SMTP id 46e09a7af769-70f5c4876edmr5783762a34.30.1724970075087; Thu, 29 Aug 2024 15:21:15 -0700 (PDT)
Received: from [192.168.1.23] (pool-108-31-156-76.washdc.fios.verizon.net. [108.31.156.76]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-6c340ca86f2sm9139756d6.125.2024.08.29.15.21.13 for <dnsop@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 29 Aug 2024 15:21:14 -0700 (PDT)
Content-Type: multipart/alternative; boundary="------------vFnW607UINGFXrSek9Z8feaC"
Message-ID: <e220ce5e-7624-4ade-8be4-77685e20f3cf@nthpermutation.com>
Date: Thu, 29 Aug 2024 18:21:12 -0400
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: dnsop@ietf.org
References: <CAHw9_iL-ZwwA_pckR+=7SndOvqjfcNX9FjZ9Bim24uSYgTxkyw@mail.gmail.com> <98896B9D-259E-4E46-8DC7-E873D8B25F55@icann.org> <d9aed09d-b1c8-4ba1-9d4e-e83d504bfe40@nthpermutation.com> <65A596AD-1A4F-400A-9404-E2D60A54BE66@icann.org> <36118f44-d18d-443b-8aa8-007b8b62db3f@nthpermutation.com> <49523BCB-7747-44A2-97FA-8F46B238B4E0@icann.org> <cb326dc1-cee9-4369-9cb4-7ffc314e0eb3@isc.org> <CAHw9_iJ_xpJ4_WOPqkP6XjahiS01czO3=8fiAZbjUwTop7_zBA@mail.gmail.com> <3A844030-5C0A-4BB7-A56B-B6C8C159D9BC@icann.org>
From: Michael StJohns <msj@nthpermutation.com>
In-Reply-To: <3A844030-5C0A-4BB7-A56B-B6C8C159D9BC@icann.org>
Message-ID-Hash: AS5GONG4LLCDP4YJCPKDNNBZ7LVLQXTI
X-Message-ID-Hash: AS5GONG4LLCDP4YJCPKDNNBZ7LVLQXTI
X-MailFrom: msj@nthpermutation.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: [Ext] Request: Review changes - draft-ietf-dnsop-rfc7958bis-03 → 04.
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/F1q2z5LFHzjmKEA7yL3dhji1jUo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

On 8/29/2024 4:24 PM, Paul Hoffman wrote:
> On Aug 27, 2024, at 16:46, Warren Kumari<warren@kumari.net>  wrote:
>> Thank you very much for your comments. We've had some discussions, and the authors will be publishing a new version in the next few days addressing these.
> As you can see, we have turned in -05. We think this deals with the comments from Petr and Mike. In the diff, you can see that we moved all things that said what a relying party who accepts the trust anchor file MUST/SHOULD do to the Security Considerations; this puts them in one place and gives the context for them. We also added some text about how to do the comparison for the two fields (referring to the specific part of RFC 4034 that they need).
>
> Given that this is still in your (Warren's) two hands, not the WG's many hands, let us know if you need any more changes before the assigned telegchat.
>
> --Paul Hoffman (for the authors)
>
> _______________________________________________
> DNSOP mailing list --dnsop@ietf.org
> To unsubscribe send an email todnsop-leave@ietf.org

Hi -

Took a brief look at -05.  Still problems unaddressed.  Section 2.2 6th 
paragraph:

>     The validFrom and validUntil attributes in the KeyDigest element
>     specify the range of times that the KeyDigest element can be used as
>     a trust anchor.

"can be used as a trust anchor" is problematic as it appears to be 
directive on the recipient.   As I've said - now at least three times - 
please change this language so it represents what the IANA is doing, not 
what the recipient should do.  Among other things, specifying a 
"validUntil" date on a trust anchor and then NOT ceasing to use that 
trust anchor and not "replacing" it is problematic.

Instead replace this paragraph with:

"The validFrom attribute in the KeyDigest element indicates the first 
planned date that the IANA intends to start signing the root DNSKEY 
RRSet with this key.  Likewise, the validUntil attribute indicates the 
last planned date of such signing.  However, these are for planning 
purposes only and relying parties should not automatically invoke a 
state change on a trust anchor based on these dates as operational 
considerations may result in a delay past these dates."

Section 4 - nit - generally we don't have single entry subsections.

Delete section 4.1.1 - continues to be a problem if IANA fails to 
supercede a trust anchor on the planned schedule. It is directive on the 
relying party in a way that could cause operational difficulties - to 
wit - iana actually continuing to sign with the set of trust anchors 
past their validUntil dates.  There is also no such thing as "change to 
a trust anchor" in DNSSEC.  All trust anchors are equally valid until 
revoked or removed.

Delete the third paragraph of section 5.

In section 5, replace the first sentence with:

"The intent is for the IANA to publish trust anchors using this format 
at least <6> months before the first use of a new trust anchor.  The 
intent is also that the published document will include all DNSSEC trust 
anchors for the root zone that are currently under management (e.g. 
generated and loaded for use within a key signing ceremony but not 
revoked) by the IANA at the time of publication."

Second paragraph - lower case the "may" - people are mostly not protocol 
elements, although the DNS crowd seems to think so. Also, add "Also for 
operational reasons, IANA may delay taking any trust anchor key out of 
service past the dates indicated in the most recent publication of the 
trust anchor file."

Please - can we avoid moving the deck chairs around again without 
actually fixing anything?

Thanks - Mike