[DNSOP] Re: [Ext] Request: Review changes - draft-ietf-dnsop-rfc7958bis-03 → 04.
Michael StJohns <msj@nthpermutation.com> Wed, 21 August 2024 15:28 UTC
Return-Path: <msj@nthpermutation.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D320AC151980 for <dnsop@ietfa.amsl.com>; Wed, 21 Aug 2024 08:28:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QBwvQ3zOe12d for <dnsop@ietfa.amsl.com>; Wed, 21 Aug 2024 08:28:48 -0700 (PDT)
Received: from mail-qv1-xf36.google.com (mail-qv1-xf36.google.com [IPv6:2607:f8b0:4864:20::f36]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00FB0C151556 for <dnsop@ietf.org>; Wed, 21 Aug 2024 08:28:47 -0700 (PDT)
Received: by mail-qv1-xf36.google.com with SMTP id 6a1803df08f44-6bf7a2035d9so8701996d6.1 for <dnsop@ietf.org>; Wed, 21 Aug 2024 08:28:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20230601.gappssmtp.com; s=20230601; t=1724254126; x=1724858926; darn=ietf.org; h=in-reply-to:from:references:to:content-language:subject:user-agent :mime-version:date:message-id:from:to:cc:subject:date:message-id :reply-to; bh=/3eWS4ZEr84nzPeVcNIDY2DJnSMWcJNg/zmKa/GE6JY=; b=SkhH9i9SPbi+xJAt1m93fwG5QGXZhI/Kf7XnoImlROBrSAEbKV919ZWZf6N0c5PCzo Wri4ohWyTIUks1zKMFcV0QO9brYagpPNNZrcZPBXyYwf5nw8dXF6/mBVR42zvXOiYuAZ csUGXJt6O5tFDtw98zHmR8IzLSZjIPJkGoXyEiqexcKGgv3KEIamFYDf2imKJMAi6qeS 6dvngtsL+6y74d2yHdpsrnlNT5EWpIB83+taCudfBgOWz94fMhLNeJ93OqjFSUc0hT3y wg7Si7+p1k2921i1c6jzdgezl3xQYPZboDM7zNMeesk80HNX/3Eo7uKGI27xnlOktnS7 6lRA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1724254126; x=1724858926; h=in-reply-to:from:references:to:content-language:subject:user-agent :mime-version:date:message-id:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=/3eWS4ZEr84nzPeVcNIDY2DJnSMWcJNg/zmKa/GE6JY=; b=XvrkehZWLmVnP5LGo/AlMTRputb+HqT2XvHymZCOquDCoIeLv52cOFHY45IIpPWATE RrXDdWHaKSAGO/MSC6D4+MPlYVyrQOsBctZ4QpmMgTg3shRKPP//hOsBWEQwYdkc7aq5 N6MAPEJBCmZLTuzWAcm+DgUvwUSSg4Zm/TYYrP106+Fn9l4fspDrZP8PivqSKp2QZCpQ Ua5+TUMl+WfHaZRZHmQq0qHyLjBXUAmj3CnU3HqdUyjKbZHKvYMkcTlLGOYAFTUpzE5l iD1kZIBIypR6w93IDqR+n7Ok8vnRrAgWZt3LjlV6aQfaV8OhKfGJLzTLOlIJywuNR6pK +wYA==
X-Gm-Message-State: AOJu0Yz7m4vLlLA3y3JMRCAyiXHtukWuqPLRfJwtqUcsAFIywVxxAMM2 ES/iPtKRmUJEyzvEr7oJgFYQBRkwiqET+gtz1AS/mmglIV6yQ8Wpk4Ehxc4h1HFDjUInVLSDXVq 7
X-Google-Smtp-Source: AGHT+IGSPIKo4teYBWl9Wqd37J0YR+s6nLtPXjw4hKknXAbf+v34S6+FbitNwGKNVUk92AspMWmEpQ==
X-Received: by 2002:a05:6214:5711:b0:6bf:8318:30b8 with SMTP id 6a1803df08f44-6c160c71435mr64896d6.16.1724254125896; Wed, 21 Aug 2024 08:28:45 -0700 (PDT)
Received: from [192.168.1.23] (pool-108-31-156-76.washdc.fios.verizon.net. [108.31.156.76]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-6bf6fec5c27sm62705876d6.81.2024.08.21.08.28.45 for <dnsop@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 21 Aug 2024 08:28:45 -0700 (PDT)
Content-Type: multipart/alternative; boundary="------------081WQOAkS3Pa6mn00cj0aWfp"
Message-ID: <1c45702d-decc-4f45-af1e-39d37a1cbd77@nthpermutation.com>
Date: Wed, 21 Aug 2024 11:28:43 -0400
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: dnsop@ietf.org
References: <CAHw9_iL-ZwwA_pckR+=7SndOvqjfcNX9FjZ9Bim24uSYgTxkyw@mail.gmail.com> <98896B9D-259E-4E46-8DC7-E873D8B25F55@icann.org> <d9aed09d-b1c8-4ba1-9d4e-e83d504bfe40@nthpermutation.com> <65A596AD-1A4F-400A-9404-E2D60A54BE66@icann.org> <36118f44-d18d-443b-8aa8-007b8b62db3f@nthpermutation.com> <49523BCB-7747-44A2-97FA-8F46B238B4E0@icann.org> <6b19942a-1392-47ac-8a50-1520713f2140@nthpermutation.com> <3ABBFB63-4953-4F9D-97C7-A31276496200@gmail.com>
From: Michael StJohns <msj@nthpermutation.com>
In-Reply-To: <3ABBFB63-4953-4F9D-97C7-A31276496200@gmail.com>
Message-ID-Hash: DMRHKJAJY2FEHDHJHXK6EE7B4RW5CTYU
X-Message-ID-Hash: DMRHKJAJY2FEHDHJHXK6EE7B4RW5CTYU
X-MailFrom: msj@nthpermutation.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: [Ext] Request: Review changes - draft-ietf-dnsop-rfc7958bis-03 → 04.
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/FOQm261mtjHp13QlU5VMcM3SOqw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>
Hi Ed - Thanks for a thoughtful reply. Notes in line. On 8/21/2024 10:28 AM, Edward Lewis wrote: > On Aug 20, 2024, at 20:42, Michael StJohns<msj@nthpermutation.com> wrote: >> Hi Paul - >> >> I'm confused from your responses below - is this a WG document where the WG gets to decide, or is this an IANA document (like the one it was replacing) where IANA gets to decide? I *think* I saw you argue both ways in your response below. > .... > > IANA has addressed this for the DNS running on the global public Internet. Said in the sense that there is one DNS protocol and possibly many instantiations of a running DNS system. (I knew of a non-Internet DNS at one time, operating on a separate, private inter-network. It may not be around any more, on the other hand, when it comes to the inter-planetary work, there may be a DNS system per, say, planet.) This document is addressing how IANA is, has, and will be distributing the trust anchor for the root zone they manage. > > On the one hand, IANA wants to do what is in the best interests of the global public Internet and as such, seeks expert opinions of which this document is an example. The WG can’t materially change the document - without convincing IANA to alter something operational. This doesn’t make WG review futile, a “rubber stamp” step, IANA is listening to the feedback. OTOH, I wonder if this is truly a WG document or something that is best through the Independent stream but reviewed by the DNSOP WG. Yes. This document tries to be both a "here's how the IANA does it" and "here's what the receiving party MUST do with it" and does both less than completely successfully. I didn't look at the document when it first came out in the ISE stream and I missed it when it showed up in DNSOP. The older RFC is fairly benign, but still has some directive (to the recipient) language related to validFrom and validUntil. This version added additional directives - both to the relying party and to the IANA about validity periods of the keys. It moved further from a "here's how we do it" operational document to a protocol document with those changes. Unfortunately, the protocol has (and has had) a number of ambiguities. > I doubt there is enough energy for the WG to design a “standards based” means for root zone trust anchor management and distribution that is out of band, despite the gap, as there is only one working example (IANA’s) and IANA has its methods (including this document) in place. I don't actually think that's (write an OOB protocol for root TA management) what's needed here. Removing the validFrom/validUntil elements and language, removing the directive language to the IANA that requires it to add a validUntil tag to a superceded key, and adding text similar to what I suggested that states what this document is from the POV of the IANA only would turn this back into what I think it was intended to be: a secondary publication mechanism for trust anchors. Alternately, language about what validFrom and validUntil mean in terms of IANA operations instead of this directive of "don't use the key past the valid time, even if we keep signing with it" would alleviate some of my issues. > > ... >> Syntax is easy. Semantics are hard and this document has a bit too much ambiguity for a naive relying party. Strangely, if this were simply a signed file of hashes with a time associated with it indicating the IANA's current view (at time of publication) of the trust anchor set, I'd have a lot less to argue about. Someone tried to do too much I think. > Protocol-defining IETF documents are meant to spur implementations, seeing multiple independent implementations interoperate is the goal. As a result, the documents often leave details up to the reader/implementer. > > But this document is not a pure protocol-defining document, it is an operational process document. As such, it ought to be more concrete. That is, if the goal is to describe the entirety of distributing the trust anchors. The document could be here to just present the marshaling of the trust anchor materials - describing the syntax as it does - leaving the interpretation up to the writer (IANA) and reader (relying parties). > > Maybe this document ought to just describe what’s in the file. Maybe this document ought to expand to include rules for relying on the document as Mike suggests. I’m not decided on this, frankly I need to go over the thread again. But its going to be a debate over whether this document is only about marshaling the trust anchors or it is about managing the trust anchors. > Either "complete protocol" or "IANA operational process" would be correct. This half-complete middle state is problematic. Returning this to IANA to remove the directive language and then running it through the ISE might be the quickest path to publication. Last note - I don't know if there's any requirement for backwards compatibility here. The primary target groups for this are big ISPs and DNS software providers who mostly only look at this file when there's enough noise in the world indicating a change in the root TA store. If we do head in the protocol direction, let's do it right. If we stay in the operational space, perhaps suggesting that IANA reduce the hash process to a hash of just the key bytes instead of the contents of a DS record or DNSKEY record may simplify a number of the technical issues that were identified in this pass. Later, Mike
- [DNSOP] Request: Review changes - draft-ietf-dnso… Warren Kumari
- [DNSOP] Re: [Ext] Request: Review changes - draft… Paul Hoffman
- [DNSOP] Re: [Ext] Request: Review changes - draft… Michael StJohns
- [DNSOP] Re: [Ext] Request: Review changes - draft… Paul Hoffman
- [DNSOP] Re: [Ext] Re: Request: Review changes - d… Paul Hoffman
- [DNSOP] Re: [Ext] Request: Review changes - draft… Michael StJohns
- [DNSOP] Re: Request: Review changes - draft-ietf-… Andres Pavez
- [DNSOP] Re: [Ext] Request: Review changes - draft… Petr Špaček
- [DNSOP] Re: [Ext] Request: Review changes - draft… Michael StJohns
- [DNSOP] Re: [Ext] Request: Review changes - draft… Petr Špaček
- [DNSOP] Re: [Ext] Request: Review changes - draft… Michael StJohns
- [DNSOP] Re: [Ext] Request: Review changes - draft… Peter Thomassen
- [DNSOP] Re: [Ext] Request: Review changes - draft… Paul Hoffman
- [DNSOP] Re: [Ext] Request: Review changes - draft… Michael StJohns
- [DNSOP] Re: [Ext] Request: Review changes - draft… Edward Lewis
- [DNSOP] Re: [Ext] Request: Review changes - draft… Michael StJohns
- [DNSOP] Re: [Ext] Request: Review changes - draft… Warren Kumari
- [DNSOP] Re: [Ext] Request: Review changes - draft… Michael StJohns
- [DNSOP] Re: [Ext] Request: Review changes - draft… Edward Lewis
- [DNSOP] Re: [Ext] Request: Review changes - draft… Petr Špaček
- [DNSOP] Re: [Ext] Request: Review changes - draft… Warren Kumari
- [DNSOP] Re: [Ext] Request: Review changes - draft… Paul Hoffman
- [DNSOP] Re: [Ext] Request: Review changes - draft… Michael StJohns
- [DNSOP] Re: [Ext] Request: Review changes - draft… Warren Kumari
- [DNSOP] Re: [Ext] Request: Review changes - draft… Michael StJohns