Re: [DNSOP] Last Call: <draft-ietf-dnsop-kskroll-sentinel-15.txt> (A Root Key Trust Anchor Sentinel for DNSSEC) to Proposed Standard

Warren Kumari <warren@kumari.net> Thu, 23 August 2018 16:14 UTC

Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AF7A130E2A for <dnsop@ietfa.amsl.com>; Thu, 23 Aug 2018 09:14:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WtuggMcLpwwL for <dnsop@ietfa.amsl.com>; Thu, 23 Aug 2018 09:14:19 -0700 (PDT)
Received: from mail-wr1-x442.google.com (mail-wr1-x442.google.com [IPv6:2a00:1450:4864:20::442]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2971F130E28 for <dnsop@ietf.org>; Thu, 23 Aug 2018 09:14:19 -0700 (PDT)
Received: by mail-wr1-x442.google.com with SMTP id 20-v6so5091989wrb.12 for <dnsop@ietf.org>; Thu, 23 Aug 2018 09:14:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=rCKNF+9b0BBE1ulGGSWm8MghPJwlvR4AVOammLf3GwY=; b=SyYRuROuPrzHAKXlSgx7RAYF2AjnYrgsVJF0Hhex94LqCn8OYKI7RrzafLiPrcVxSI Yn+efWwPLOhFj79ASdbw/S0SvC9SPJ2TAkz93J/eZGDP9+F6LhH8LVMzn+yn8Q5nP65R fxqKlBLpssaiD6xMi3i6EoHhAEvgu/gFmsAA/izdCCShsRnoDGyTAye/ckHMext64bWW 6F38Pi4zJE4gcaJNjHwCCDU/O/4C+yafcowG8W237PCu/5GM2Rh6VcJwMK1IDLeCCa1V bL62mxan6k4+6z9Eyvftcfj7qqMkcTCYOsj72LiPOB9XT1Ghywqil7k3mPffEkWtypyg LJLQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=rCKNF+9b0BBE1ulGGSWm8MghPJwlvR4AVOammLf3GwY=; b=tLrKadzWVUK20dSuZgdq/lXDy7B2Q6ECNdImJ8Y2ceMaM197RYj/Fp9iVEKh/GZ1QP MTjHECVRGuiJ0aO/FYisuAid1VxdYlGAE/92/ro88EIMm/knpoojLyN3hDcxQcDS0R4L UtSroumsyHsVmGzObuw5OG2I6KHPvjqlTQqtFftOkaoEKLuguK9PNtMzKtRVlREXPouy ko/vzohpdr/Ou9pR+MuY/3xf/eFoA1Wz/g36R3CTG59zeSFPhx1pvHJsHiNi5irA4WP5 trqjhbS0xVGuRNXMVsP/I22ND4B2kPZTGoPLmdUfv+1AImalEO/u+vR7Ohvbw4gM1KNc vnGA==
X-Gm-Message-State: APzg51BHnpCo4Ce3qiy6za5cr1XF0zYxtRYkDMmMk6xaZyeLvHRPKCI2 pGDyGn+xCTR/8J39FM8DqHWlkW+WNiWzDMw/BUGTcKNQcp8=
X-Google-Smtp-Source: ANB0VdYenvpoYBqI75JepGoXRXv91W2VM24PdlVwMYaFAXUWaV49UJuLpp8z87dZZ4MCE9UtzVImFwsIqcULZWo6AP0=
X-Received: by 2002:adf:c454:: with SMTP id a20-v6mr17839355wrg.20.1535040857284; Thu, 23 Aug 2018 09:14:17 -0700 (PDT)
MIME-Version: 1.0
References: <153502796185.11991.9427387634008946129.idtracker@ietfa.amsl.com> <63cb3712-a8ed-7a6e-36e4-f7442d612dea@nic.cz>
In-Reply-To: <63cb3712-a8ed-7a6e-36e4-f7442d612dea@nic.cz>
From: Warren Kumari <warren@kumari.net>
Date: Thu, 23 Aug 2018 12:13:41 -0400
Message-ID: <CAHw9_iJC4Ag+O-Tc9O8VwaxCMPqgo1XKpneS0pSz8572kBee8g@mail.gmail.com>
To: =?UTF-8?B?UGV0ciDFoHBhxI1law==?= <petr.spacek@nic.cz>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000003ac9105741c8d84"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Grv-ilqYE3h7L-ePc0p6zapDQKI>
Subject: Re: [DNSOP] Last Call: <draft-ietf-dnsop-kskroll-sentinel-15.txt> (A Root Key Trust Anchor Sentinel for DNSSEC) to Proposed Standard
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Aug 2018 16:14:22 -0000

Thank you!

It is actually fixed in the repo already:
https://github.com/APNIC-Labs/draft-kskroll-sentinel/commit/c88c649242083510462b43fd1f945f7ec33f24b8

Not sure why that isn't the LC version, but this, and the "exactly as if
the mechanism described in this document was not implemented or disabled."
-> "exactly as if the mechanism described in this document was
not implemented or was disabled." were the only non-whitespace changes).

Thanks again,
W

On Thu, Aug 23, 2018 at 12:07 PM Petr Špaček <petr.spacek@nic.cz>; wrote:

> New version has a typo in table of contents:
>
> 4.  Sentinel Tests from Hosts with More than One Configured
>     Resolve . . . . . . . . . . . . . . . . . . . . . . . . . . .   9
>
> IMHO it should end with "Resolvers".
>
> I would submit pull request but I don't see the latest version in repo
> referenced in abstract.
>
> Petr Špaček  @  CZ.NIC
>
>
> On 23.8.2018 14:39, The IESG wrote:
> >
> > The IESG has received a request from the Domain Name System Operations WG
> > (dnsop) to consider the following document: - 'A Root Key Trust Anchor
> > Sentinel for DNSSEC'
> >   <draft-ietf-dnsop-kskroll-sentinel-15.txt> as Proposed Standard
> >
> > The IESG plans to make a decision in the next few weeks, and solicits
> final
> > comments on this action. Please send substantive comments to the
> > ietf@ietf.org mailing lists by 2018-09-06. Exceptionally, comments may
> be
> > sent to iesg@ietf.org instead. In either case, please retain the
> beginning of
> > the Subject line to allow automated sorting.
> >
> > Abstract
> >
> >
> >    The DNS Security Extensions (DNSSEC) were developed to provide origin
> >    authentication and integrity protection for DNS data by using digital
> >    signatures.  These digital signatures can be verified by building a
> >    chain of trust starting from a trust anchor and proceeding down to a
> >    particular node in the DNS.  This document specifies a mechanism that
> >    will allow an end user and third parties to determine the trusted key
> >    state for the root key of the resolvers that handle that user's DNS
> >    queries.  Note that this method is only applicable for determining
> >    which keys are in the trust store for the root key.
> >
> >    [ This document is being collaborated on in Github at:
> >    https://github.com/APNIC-Labs/draft-kskroll-sentinel.  The most
> >    recent version of the document, open issues, etc should all be
> >    available here.  The authors (gratefully) accept pull requests.  RFC
> >    Editor, please remove text in square brackets before publication. ]
> >
> >
> >
> >
> > The file can be obtained via
> > https://datatracker.ietf.org/doc/draft-ietf-dnsop-kskroll-sentinel/
> >
> > IESG discussion can be tracked via
> >
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-kskroll-sentinel/ballot/
> >
> >
> > No IPR declarations have been submitted directly on this I-D.
> >
> >
> >
> >
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf