Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dnssec-bcp-04.txt
Paul Hoffman <paul.hoffman@icann.org> Fri, 07 October 2022 18:02 UTC
Return-Path: <paul.hoffman@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF79FC14CF1B for <dnsop@ietfa.amsl.com>; Fri, 7 Oct 2022 11:02:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.91
X-Spam-Level:
X-Spam-Status: No, score=-6.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P03vcwqODT0d for <dnsop@ietfa.amsl.com>; Fri, 7 Oct 2022 11:02:12 -0700 (PDT)
Received: from ppa3.lax.icann.org (ppa3.lax.icann.org [192.0.33.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92450C14CF04 for <dnsop@ietf.org>; Fri, 7 Oct 2022 11:01:40 -0700 (PDT)
Received: from MBX112-W2-CO-1.pexch112.icann.org (out.mail.icann.org [64.78.33.5]) by ppa3.lax.icann.org (8.17.1.5/8.17.1.5) with ESMTPS id 297I1bZr026650 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 7 Oct 2022 18:01:37 GMT
Received: from MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) by MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.12; Fri, 7 Oct 2022 11:01:36 -0700
Received: from MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) by MBX112-W2-CO-1.pexch112.icann.org ([10.226.41.128]) with mapi id 15.02.1118.012; Fri, 7 Oct 2022 11:01:36 -0700
From: Paul Hoffman <paul.hoffman@icann.org>
To: Roy Arends <roy@dnss.ec>
CC: Paul Wouters <paul@nohats.ca>, dnsop <dnsop@ietf.org>
Thread-Topic: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dnssec-bcp-04.txt
Thread-Index: AQHY2ORjO0ixFHPIYkiPHR+2tw14EK4Ak0WAgAAC8oCAABdbgIACuvOAgAAphgCAAAM1gIAAF7aAgAAER4A=
Date: Fri, 07 Oct 2022 18:01:35 +0000
Message-ID: <AF31EA10-906E-4751-A526-CC5E4382ED9B@icann.org>
References: <166498153291.17224.2765366316934641960@ietfa.amsl.com> <2c32a0c2-cf1b-975f-5c5c-b035a5b499d7@sinodun.com> <C2CACF39-563F-4576-B953-0D398D9D4D12@icann.org> <a0c0b082-7ee9-8574-992b-99e41369c251@desec.io> <DC19D47C-F765-4C80-A880-5476A8F61538@icann.org> <b9ebbe17-1c8c-e586-07ed-c9ab8f7b820b@desec.io> <1A49E472-FE27-4167-9C37-82D797D4D795@icann.org> <CAHw9_i+vb6iwHJhzQ19iWs88T578mbg1Hka5rsSFYVOXw8F_Ow@mail.gmail.com> <C1A91271-44DC-44A5-862F-C5B6EF37029C@icann.org> <d4894280-85f3-6ef-50ba-d12d7696b48d@nohats.ca> <1E5B0B22-F612-4C53-8929-7326E21F3FEE@dnss.ec>
In-Reply-To: <1E5B0B22-F612-4C53-8929-7326E21F3FEE@dnss.ec>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [192.0.32.234]
x-source-routing-agent: True
Content-Type: multipart/signed; boundary="Apple-Mail=_CB2CA898-BB47-4048-A2A6-6B43832AE61F"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.895,Hydra:6.0.528,FMLib:17.11.122.1 definitions=2022-10-07_04,2022-10-07_01,2022-06-22_01
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Gkkz7eaC2IMGcCZHcloeYjESO7g>
Subject: Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dnssec-bcp-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Oct 2022 18:02:12 -0000
On Oct 7, 2022, at 10:46 AM, Roy Arends <roy@dnss.ec> wrote: > > > >> On 7 Oct 2022, at 17:21, Paul Wouters <paul@nohats.ca> wrote: >> >> On Fri, 7 Oct 2022, Paul Hoffman wrote: >> >>> On Monday, I'll do a new draft with: >>> >>> What we today call "DNSSEC" is the DNSSEC specification defined in {{RFC4033}}, {{RFC4034}}, and {{RFC4035}}. >>> However, earlier incarnations of DNSSEC were thinly deployed and significantly less >>> visible than the current DNSSEC specification. >> >> "s/and significantly less visible than the current DNSSEC specification/was never deployed beyond early adopter testing domains >> as it had no method of linking parent and child zones securely" > > The last (added) part is not correct. RFC2535 had a way of linking parent and child zones securely (chaining, see RFC2535 6.3). It was suboptimal, and an effort was initiated by NLNetLabs (Ted, Jaap, Miek at the time) to get “sig at parent” instead of “sig at child” (see [1]). This eventually lead to the creation of the DS record and the concept of zone- and key signing keys. > > Jakob Schlyter (Jakob’s Bug [2]) discovered that validating resolvers that read NXT record containing a DS bit, but not the KEY bit would treat delegations as not secure, despite the DS record being present, making the DS concept incompatible with RFC2535. This is why NXT SIG and KEY became NSEC, RRSIG and DNSKEY. > >> Wording could be changed, but the point is, it could never be >> "production deployments" as it required hardcoded keys to build >> a path of trust. >> >> Perhaps even: >> >> DNSSEC documents predating {{RFC4033}}, {{RFC4034}}, and {{RFC4035}} >> specify obsoleted DNS RRtypes that never saw deployment beyond early >> adopter testing, and haven't been deployed in nearly two decades, >> and are of no concern to implementers. > > This is not correct. SIG and KEY have not been obsoleted and have been in use for SIG(0). But I digress. > > Perhaps: > > What we refer to as "DNSSEC" is the third iteration of the DNSSEC specification; [RFC2065] being the first, [RFC2535] being the second. Earlier iterations have not been deployed on a significant scale. Throughout this document, "DNSSEC" means the protocol initially defined in [RFC4033], [RFC4034], and [RFC4035]. I like Roy's text more than PaulW's two suggestions. Saying things like "never" seems tricky. Naming the iterations seems good too. --Paul Hoffman
- [DNSOP] I-D Action: draft-ietf-dnsop-dnssec-bcp-0… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dnssec-b… John Dickinson
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dn… Paul Hoffman
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dn… Peter Thomassen
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dn… John Dickinson
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dn… Paul Hoffman
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dn… Peter Thomassen
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dn… Paul Hoffman
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dn… Warren Kumari
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dn… Peter Thomassen
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dn… Paul Hoffman
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dn… Paul Wouters
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dn… Vladimír Čunát
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dn… Roy Arends
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dn… Paul Hoffman
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dn… Peter Thomassen
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dn… Paul Wouters
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dn… Donald Eastlake